Microsoft has warned busy holiday shoppers to watch out for a new phishing campaign that uses fake credit card reports to infect devices with the Cerber ransomware. In a new post on the Malware Protection Center blog, Microsoft security researchers warn that scam emails are circulating that purport to notify customers of pending charges on their credit cards.
The email urges users to follow the instructions in the attached Word document in order to avoid the charges. The document includes step-by-step instructions for enabling a macro downloader that, once enabled, will infect the user's device with the Cerber ransomware and immediately begin to encrypt their files.
"By stating that the recipient is being billed, the attack emails can trick unsuspecting users into opening the malicious document without consideration for their safety," the researchers wrote. "Once the macro is allowed to run, it downloads and launches Cerber, a known ransomware. Cerber victims, recipients who don't have robust anti-malware, are bound to learn a potentially pricey lesson in computing safety."
Once the victim pays the ransom, he or she will receive a decryption key to unlock the encrypted files.
The researchers note that the fraudulent emails are fraught with errors and inconsistencies that users can look out for to avoid falling for such scams. For instance, legitimate notification emails from MasterCard and other credit card companies will not ask users to enable macros, Microsoft notes.
The email is personalised using the local part of the victim's email address (the portion before the @), which could alert a careful user to a possible phishing attempt. These scam emails are also sent from an email address that is not related to the credit card company or bank.
"The email itself is crude and shows almost no attempt to feign legitimacy," the researchers noted. "It contains some typographical errors, such as the missing number between the dollar sign and the comma in our sample. Also, users who are careful enough will likely notice that the sender address does not match the signatory."
One of the largest ransomware operations in the world, Cerber currently runs over 160 active campaigns around the world and generates total annual projected revenue of about $2.3m, a report from security firm Check Point found.
Experts have warned that cybercriminals often look to exploit the holiday season rush to target unsuspecting users with malicious cyberattacks and phishing schemes. Amazon recently alerted its customers about an "authentic-looking" phishing scam campaign that attempts to swipe the personal and bank details of customers in the US, the UK and Australia.
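The tells Microsoft lists for the Cerber lure (local-part greeting, an amount with no number after the dollar sign, a sender that does not match the signatory, a Word attachment) can be checked mechanically at a mail gateway. The following is an added example, not code from Microsoft or from this article; the sample message, addresses, `BRANDS` list and indicator names are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

MACRO_CAPABLE = (".doc", ".docm", ".dot", ".dotm")  # Word formats that can carry VBA macros
BRANDS = ("mastercard",)  # assumption: issuer names to look for in the signature

def phishing_indicators(raw: str, recipient: str) -> list[str]:
    """Return which of the article's tells appear in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    found = []
    # 1. Greeting built from the local part of the recipient address (before the @).
    local = recipient.split("@", 1)[0]
    if re.search(rf"^\s*(dear|hello|hi)\s+{re.escape(local)}\b", body, re.I | re.M):
        found.append("greeting_uses_local_part")
    # 2. Amount with no number between the dollar sign and the comma.
    if re.search(r"\$\s*,", body):
        found.append("amount_missing_digits")
    # 3. Signature names a card brand, but the sender domain does not contain it.
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if any(b in body.lower() and b not in domain for b in BRANDS):
        found.append("sender_does_not_match_signatory")
    # 4. Word attachment in a macro-capable format.
    for att in msg.iter_attachments():
        if (att.get_filename() or "").lower().endswith(MACRO_CAPABLE):
            found.append("macro_capable_word_attachment")
            break
    return found

def constructed_sample() -> str:
    """Build a made-up message with the traits described; not the real lure."""
    m = EmailMessage()
    m["From"] = "Billing <notice@example.net>"
    m["To"] = "jsmith@example.com"
    m["Subject"] = "Pending charge"
    m.set_content("Dear jsmith,\nYour card will be billed $,00 today.\n"
                  "See the attached document to cancel.\n\nMasterCard Support\n")
    m.add_attachment(b"placeholder", maintype="application", subtype="msword",
                     filename="report.doc")
    return m.as_string()

if __name__ == "__main__":
    print(phishing_indicators(constructed_sample(), "jsmith@example.com"))
```

Each indicator is weak on its own; the value is in several firing on the same message, which is a reasonable trigger for quarantine or analyst review.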