BleepingComputer obtained a copy of an email which, besides all of the above, shares a “bank statement” that serves as “proof” of the erroneous transaction.
However, the bank statement ultimately leads to the deployment of the Vidar infostealer. There are also other methods that lead to the same endgame, including a fake Google Drive link with files such as “bank_statement.scr”.
Vidar is an infamous trojan that’s capable of stealing all kinds of sensitive information from the target endpoint, browser cookies, browser history, saved passwords, cryptocurrency wallets, text files, Authy two-factor authentication information, and more. Vidar is also capable of grabbing screenshots, too.
Once the trojan collects sensitive data, it will create a folder containing all the information and upload it to a remote server, for the attacker’s convenience. After that, the contents of the folder will be deleted, leaving only an empty folder as proof of the exfiltration.
Usually, the threat actors would do one of two things with the stolen data: use it for stage two attacks (deploying ransomware, engaging in extortion, identity theft, wire fraud, or similar), or sell it on the black market for someone else to exploit.
If you received an email such as this one which proved to be a fake, make sure to scan your computer with antivirus programs and endpoint security solutions to remove any possible malware or trojans. If the programs find evidence of compromise, it’s pivotal you change your passwords, especially those associated with money.
- Check out our list of the best VPN services to keep you safe