Cyberthreats by Malware

1. 00:02In our OpenHPI course "Cyberthreats by Malware" now we consider Emotet.
2. 00:07Emotet, that is the message in the news over the past years, Emotet has produced
3. 00:13headlines in various fields
4. 00:17and reported about surf results.
5. 00:22Emotet attacks account for 7 percent of malware infections globally,
6. 00:29based on is this Check Point's Global Threat Index
7. 00:34from December 2020. So it's really a very common
8. 00:39attack this Emotet.
9. 00:43So far emotet has managed to infect various institutions
10. 00:49around the world and this was a reason of these
11. 00:54headlines because so many important institutions were infected.
12. 01:01So in the last year the infection of many cities around
13. 01:05the world, many cities in the US, cities in Germany
14. 01:09for example Potsdam or government departments in different
15. 01:15countries for example, department of justice
16. 01:18in a Quebec in Canada or National Centre of Public Health in Lithuania.
17. 01:26So really important institutions not only home users with eventually not
18. 01:35not professionally configured systems know the attacker want to attack
19. 01:40such important universities,
20. 01:42important institutions in Germany, for
21. 01:46example the university Gießen and then around the world other
22. 01:52cities, companies, websites
23. 01:55as mentioned 7 percent of all the attacks.
24. 02:00What is the malware that is misused here for emotet attacks?
25. 02:07This malware can be classified as a virus,
26. 02:11because it needs interaction from the user
27. 02:14to infect the system and spread over.
28. 02:19Usually it spreads via emails, emails with malicious
29. 02:25attachments, or links to malicious website,
30. 02:32to malicious URLs. And when the user opens this attachment, when
31. 02:39the user follows a link
32. 02:42to the website, then the user gets infected.
33. 02:47It has to be actively accessed/ opened by the user, this is like
34. 02:53in case of virus the user has to do something and before this malware
35. 02:59could start to do its work.
36. 03:03What kind of actions
37. 03:05are taken by emotet?
38. 03:07In regard to the actions taken by this malware, emotet could not be
39. 03:14specifically classified. So in the way it
40. 03:19gets started is virus, but in its action it has many
41. 03:24components from different types of malware.
42. 03:28It serves as a staging malware and will thus be used by deliver
43. 03:33further kinds of malware to the target system. So
44. 03:39part of this infection is to install more and more other malware component,
45. 03:47and this could vary from trojans, ransomware, scareware, keylogger,.
46. 03:55So emoete is able to to
47. 03:59work with all these components, take care to get this component.
48. 04:04And this makes it so dangerous compared to usual spam email,
49. 04:11because emotet spam emails are dangerous because they appear
50. 04:17to be very very realistic. So the
51. 04:22cybercriminals take care that it's not
52. 04:26immediately detected as a spam email, it looks very realistic.
53. 04:32Then after the infection, emotet collects data from the user's email account,
54. 04:40the contacts with whom the user communicates, the content which
55. 04:47are the current the user is discussing, is communicating about,
56. 04:52this can be received from the email subject, from the email contents,
57. 04:57and from the data from that collected data.
58. 05:02Then the user an information is sent, the spam email is created
59. 05:10to the user that emotet then uses such kind of
60. 05:15detailed information
61. 05:17to send further emails, like in the sphere of phishing from
62. 05:22the infected email accounts to other users, for example emotet
63. 05:27gets the information here out of the contact list of the email
64. 05:33with whom the user is contacting, so the next user
65. 05:37gets exactly with this background information
66. 05:41an infected email from a trusted email \ and he opens
67. 05:50the attached document or follows a link, then although this system of this
68. 05:55neighbor is infected.
69. 05:57The spam emails from the emotet therefore look very realistic, so many people
70. 06:04trust it because in this way it is prepared to know specific information
71. 06:12which people think no one else could know only my colleague or
72. 06:17my family member. So here are
73. 06:21some examples of emotet.
74. 06:25There is the hijacked users email account,
75. 06:29this is used as sender of the email.
76. 06:33So someone is spoofing you, remember this is an attack method
77. 06:38to work with such a stored sender address,
78. 06:43in that case when the email system of a user is
79. 06:48spied out, his or her email address is used to send
80. 06:55the infected email to another user who is in contact with
81. 07:02this user which is already
82. 07:05infected. Then the subject of the previous email, so although this
83. 07:11looks very trustworthy, no one else would know that the mail was sent
84. 07:16here in that case some
85. 07:20things that need to be done in HPI. Then
86. 07:24most important for the attackers, the malicious link.
87. 07:30The malicious link to open something, to open the attached
88. 07:34document or to get a special information, and in the moment the user
89. 07:39follows this links, this is the actions that needed
90. 07:43to get infected. Then here there is email signature from the hijacked user,
91. 07:50also this looks very realistic, and then comes the content
92. 07:56from previous messages in the conversations those people
93. 08:02thinks that is a new message and it's a real message it's not
94. 08:06detected that is a message from the attacker.
95. 08:11Here are some other emotet
96. 08:14examples, so Amazon order, or something from DHL, a message
97. 08:21which says we deliver you
98. 08:24this and there is a link, the malicious link
99. 08:28which leads to the infection of the system .Or here are all information,
100. 08:35there are sender numbers and the links,
101. 08:41all of the buttons, if these are used, if the links
102. 08:46are activated then all these are links in the emotet mails
103. 08:53which
104. 08:56lead to the malicious target and
105. 09:00cause the infection of the system.
106. 09:06So it's very realistic, so people follow this, people
107. 09:10click this link and then also their system is
108. 09:14infected, so this makes emotet so dangerous.
109. 09:20How you can recognise such a phishing email?
110. 09:25You should be very careful, you should be suspicious of mails
111. 09:31that you do not expect.
112. 09:35Then if there is a personal salutation,
113. 09:40missing so it's only starts the mail with "Hello" or "Dear customer",
114. 09:46this could be a hint that this is not coming from a claimed
115. 09:53sender and it is an infected message.
116. 09:56Or wrong languages languages, for example you use Amazon that's
117. 10:03English but the received email is in German language because the
118. 10:11attacker put together the pieces they got from the former emails and
119. 10:17how they want to
120. 10:22design their mail as something as an order for amazon authors.
121. 10:27Then typos, typos or wrong information, misinformations,
122. 10:32these are
123. 10:37typical things in such a phishing mail, if it's
124. 10:42not correctly designed.
125. 10:48Or another way you can detect this phishing email is the
126. 10:53parent sender address is not consistent with the real technical sender.
127. 11:01So it is possible with an email that there is a field
128. 11:04that misses sendr address, but you can see that
129. 11:10this is a only fake, because behind you can also see the real sender address
130. 11:19Then strange link targets, this is
131. 11:25eventually the most obvious
132. 11:29point which helps you to detect that this is an emotet phishing
133. 11:34email and not a real one.
134. 11:37When you move the pointer over a link,
135. 11:41over an image button in the email and wait for the tooltip,
136. 11:47when the tooltip appears it will contain the real link target.
137. 11:55And if you see there is a difference between the real link target and
138. 12:00the displayed link, then definitely you should not click
139. 12:05because this is the most
140. 12:09obvious way that this is a
141. 12:12spam mail, phishing mail from an attacker and not the real one.
142. 12:16So i repeat move with your mouse to the
143. 12:23link and wait and then the tooltip shows you
144. 12:28the real link which is
145. 12:32integrated in the document. And if there's a difference between
146. 12:38the real link which is implemented in the document and the
147. 12:44shown link then you can be sure that is an attack
148. 12:51email, the cybercriminals want to force you to click and to get infected
149. 12:58with emotet.

To enable the transcript, please select a language in the video player settings menu.