If you receive a “support Greta Thunberg” email this holiday season, you might want to proceed with considerable caution. Cybersecurity researchers at Proofpoint have warned that there is an active campaign that is using interest in the environmental campaigner to spread a malicious strain of malware that threatens to put recipients at risk. The threat is carried in a Microsoft Word attachment entitled “Support Greta Thunberg.doc.” Suffice to say, if you receive such an attachment, do not open it.
The purpose of the campaign is to deliver Emotet, a banking trojan that targets Windows computers—its goal to steal financial credentials and even plant additional malware. According to the U.S. government, “Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors.” Proofpoint has warned on Emotet before, and found in its “Q3 Threat Report” that the malware was the dominant player in among banking trojan, in of themselves the most significant risk to users—Emotet was such a threat that it represented “almost 12% of all malicious mail in Q3.”
The holiday season is a good time to be using good causes to target unsuspecting users, and Thunberg is especially newsworthy given the recent focus on climate change campaigns and her own winning of Time Magazine’s “Person of the Year.” The fraudulent emails cite a holiday season demonstration on Christmas Eve, with recipients urged to demonstrate instead of shop—even those not minded to come out in support are encouraged to open the document to find details on time and place.
As befits Thunberg’s support base and level of media interest, the campaign is global in nature. Proofpoint have identified emails in multiple languages targeting users in a dozen countries around the world, covering the U.S., Europe and Asia.
Proofpoint also warns that the malware campaign seems to target students disproportionately: “We saw more .edu domains attacked than domains associated with any specific country—this makes sense given the strong support Thunberg has among students and young people.” It is also the holidays. Many students will be home, perhaps using family computers, they will certainly be more unlikely to be less guarded against email malware campaigns than other groups.
It is unsurprising that this has happened—malware campaigns are socially engineered, relying on individual areas of interest to lure a target into clicking a link or opening an attachment. Nowadays, this is how almost all malware makes its way onto infected computers. Thunberg has such universal appeal and interest, that this can be thought of as social engineering on a massive scale.
“This campaign serves as a reminder that attackers won’t hesitate to target people’s best intentions during this holiday season,” Proopoint says. “Attackers choose their lures carefully—a reliable barometer of public interest and awareness.”