Warning about phishing emails with Pikabot malware
Phishing radar: Warning of new phishing emails with Pikabot malware
New, malicious phishing emails containing so-called Pikabot malware are currently spreading. Most of the malicious emails are intercepted by our security systems.
Characteristics of these phishing mails can be:
1. Sender address: The sender name imitates a person you know, but the actual mail address is a completely different address with no connection to that person.
2. Subject: The original subject usually contains doubled letters, or umlauts are missing.
3. Supposed reminder mail: The content of the mail suggests that the recipient has not yet had time to view an earlier mail. The text in the mails then reads something like:
Have you had a moment to view the document I forwarded the day before?
Have you had the opportunity to examine the documents I sent you last day?
I sent you a file yesterday. Did you get it to you?
I sent a file your way the day before. Can you receive it?
I forwarded a material to you the day before. Did it come to you? etc.
4. Expected action: In the mail you are usually asked, out of context, to download or open a file.
5. Stolen communication: The mails refer to previous, stolen communication with a person you know. This technique is called thread hijacking. However, umlauts are usually missing in the quoted texts. It is also often impossible to trace when the last communication with the original contact person took place.
The following features mean that automated categorization by our security systems is not possible in all cases:
- Subject is not consistent
- Sending addresses are usually different
- Text is not uniform
- Malware is sometimes sent as an attachment (encrypted ZIP archive), sometimes with links to websites from where the malicious code is then downloaded; the respective files are also randomized
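The characteristics listed above can still be used to pre-sort reported mails for manual review. The following Python sketch is an added example, not part of the original advisory or of the mail gateway's rules: it checks a message for a display name that does not match a known contact's address, for reminder wording in the unquoted text, and for a ZIP attachment with the encryption flag set. The contact table, the word lists and the sample message are constructed assumptions.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Word lists modelled on the reminder sentences quoted above (an assumption).
WORDS = [re.compile(p, re.I) for p in (r"\b(sent|forwarded)\b",
         r"\b(file|documents?|material)\b", r"\b(yesterday|day before|last day)\b")]

def zip_is_encrypted(data: bytes) -> bool:
    """True if any archive member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(i.flag_bits & 0x1 for i in zf.infolist())
    except zipfile.BadZipFile:
        return False

def triage(raw: bytes, contacts: dict) -> list:
    """List matching characteristics; contacts maps lower-case display name -> real address."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    name, addr = parseaddr(str(msg["From"] or ""))
    real = contacts.get(name.strip().lower())
    if real and addr.lower() != real.lower():
        hits.append("sender-name-mismatch")
    body = msg.get_body(preferencelist=("plain",))
    lines = body.get_content().splitlines() if body else []
    fresh = " ".join(l for l in lines if not l.lstrip().startswith(">"))  # skip quoted thread
    if any(all(w.search(s) for w in WORDS) for s in re.split(r"[.?!]", fresh)):
        hits.append("reminder-wording")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            hits.append("encrypted-zip" if zip_is_encrypted(data) else "zip")
    return hits

def constructed_sample() -> bytes:
    """Constructed message: spoofed display name, reminder text, flagged ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc.txt", "placeholder")
    z = bytearray(buf.getvalue())
    z[z.index(b"PK\x01\x02") + 8] |= 0x1  # set only the encryption flag bit
    m = EmailMessage()
    m["From"] = "Erika Mustermann <x91@mail.example>"
    m.set_content("I sent you a file yesterday. Did you get it to you?\n> earlier text\n")
    m.add_attachment(bytes(z), maintype="application", subtype="zip", filename="doc.zip")
    return m.as_bytes()
```

Because subjects, senders and texts vary, a result from such a check is only a hint for the person reviewing the mail; a message without any hit is not thereby safe.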
Measures implemented and recommendations
ZIP files are currently blocked as attachments and can therefore no longer be used in emails. The mail gateway filters and rules have been adjusted as far as possible. Please check incoming emails particularly carefully and, above all, be careful before opening email attachments or clicking on links! Please send suspicious emails as attachments to: antivirus@rptu.de.
Found on e.g.: https://blog.fernuni-hagen.de/zdi/2023/12/20/warnung-vor-neuen-phishingmails-mit-pikabot-malware/