A company in the hospitality industry received a number of emails looking like this:
The sender's address is redacted in the screenshot, but originally it was a legitimate email address belonging to another legitimate hotel in a different country.
This means there may already be companies that are victims of this phishing campaign, since it is likely that compromised devices are used to forward the email to other targets.
What's up with the Google Drive link?
If you click the link in the email, you will immediately begin to download a compressed archive (zip) file of just over 102 MB. That is a pretty big file, but with today's connection speeds it still takes only a matter of seconds to receive.
Open the zip file ("doctor opinions.zip"), and you will find that it contains a folder "to pacient" with two actual medical information videos in it.
In addition, there is a program file whose filename contains ".pdf" to mask the fact that it is an executable program containing a virus.
Google Drive will of course try to scan and block files that are virus infected. However, there are a few limitations to how well its virus scanner works:
- Files larger than 25 MB (25 000 KB) may be excluded from scans
- Files contained inside zip files which are 300 MB, as is the case here, may be skipped
- Password protected files are usually not possible to open automatically

Even though the password is explicitly written in the email, very few antivirus scanners are clever enough to understand that it should be used for opening an attachment.
But service-minded people who are only looking to help may of course find it very natural to proceed with opening the supposed doctor's opinion file.
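The traits described above (a program file with ".pdf" in its name, sizes above the scan limit, password protection) can be read from a zip's directory listing without extracting or decrypting anything, because standard zip encryption leaves entry names, sizes and flags readable. The following triage sketch is an added example, not part of the original article; the extension lists, the sample filename "doctor opinion.pdf.exe" and the function names are assumptions, and the 25 MB threshold is the figure quoted above.

```python
import io
import zipfile

SCAN_LIMIT = 25 * 1000 * 1000   # "25 MB (25 000 KB)" as quoted in the article
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "js", "vbs", "lnk"}
DECOY = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}  # assumed list
ENCRYPTED_BIT = 0x1             # zip general-purpose flag, bit 0


def classify(name, size, flag_bits, scan_limit=SCAN_LIMIT):
    """Return the findings for one archive entry, from its metadata only."""
    findings = []
    base = name.rsplit("/", 1)[-1].lower()
    # Strip padding so "opinion.pdf      .exe" is treated like "opinion.pdf.exe".
    tokens = [t.strip() for t in base.split(".")]
    ext = tokens[-1] if len(tokens) > 1 else ""
    if ext in EXECUTABLE:
        findings.append("executable")
        if DECOY & set(tokens[1:-1]):        # document extension before the real one
            findings.append("decoy-extension")
    if size > scan_limit:
        findings.append("over-scan-limit")
    if flag_bits & ENCRYPTED_BIT:
        findings.append("encrypted")
    return findings


def triage(zip_bytes, scan_limit=SCAN_LIMIT):
    """Map entry name -> findings, reading only the central directory."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hits = classify(info.filename, info.file_size, info.flag_bits, scan_limit)
            if hits:
                report[info.filename] = hits
    return report


def build_sample():
    """Constructed archive of harmless zero bytes, laid out like the one described."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("to pacient/video1.mp4", b"\0" * 2048)
        zf.writestr("doctor opinion.pdf.exe", b"\0" * 4096)  # hypothetical filename
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in triage(build_sample(), scan_limit=1024).items():
        print(f"{name}: {', '.join(hits)}")
```

Archive formats that also encrypt their file listing hide these fields, so an unreadable listing is best treated as a finding in its own right.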
It may be difficult to understand all the technical details of what is going on here, but it is nonetheless important to be aware of exactly how cynical cybercriminals may be.