We've told you before how hackers like to disguise malicious program files as harmless documents, images or music files, and how to spot them. However, hackers can also use regular files to cause problems, specifically Word documents.
Using a specially crafted Word document, such as ones from the Microsoft Word Intruder exploit tool, a hacker can crash Word and open a hole to slip in a ransomware virus or data-stealing Trojan. That's why you should never open attachments from unsolicited emails, even if they appear harmless.
For businesses it's even worse. Using the "Hawkeye" version of this attack, some hackers have been stealing hundreds of thousands of dollars from companies.
The way "Hawkeye" works is that a hacker creates or buys a Word file designed to crash unpatched computers. Then they choose what kind of virus they want to use and add it to the file. In the case of "Hawkeye," it's a keylogger.
The hacker then sends the Word file to employees at businesses in the same general industry. Typically, the email will say the Word document contains an order or quote request so it gets to an employee who deals with finances.
Once an employee opens and runs the Word document, the keylogger installs. Then the hacker waits for the employee to log in to their company email account and steals the username and password.
The hacker logs in to the email account themselves and waits for the company to send out an invoice to a high-value client. Then the hacker sends out their own follow-up email from that email address telling the client that the account number for the payment has changed.
The new account is one the hacker set up, so when the company's client pays, the money goes straight to the hacker. Depending on the industry and client, this payout could be upwards of $1 million.
In analyzing the Hawkeye attack, security experts found that hackers started with a few thousand scam emails and ended up with only a handful of successful scores. However, because those scores were so high-value, the scam is still worthwhile.
The other takeaway is that thanks to tools and services available on the black market, even low-skilled hackers working alone or with friends can launch this attack.
To protect your business from this attack, there are a few things you need to do.
Make sure that your computer and its programs are installing regular security updates. This attack only works against versions of Word that aren't fully up to date.
If your email service has two-factor authentication, enable it. This means that even if a hacker gets the password they can't log in without a second form of ID, like a code sent to a smartphone.
Train your employees and yourself not to open attachments from unsolicited email. Either make potential clients fill out a Web form for quotes, or have them put the request in the body of an email rather than in an attachment.
Train your clients not to send important changes like new banking account numbers through email, or at least not through a single email alone. Important information like that should be given over the phone, or some other procedure should be in place to have changes verified before they are made.
For companies on the other side, always double-check with the company by phone when major details like payment procedures change.
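A mail-triage sketch of the two checks described above, added here as an illustration and not taken from any product: it flags an unsolicited Word attachment carrying an order or quote lure, and it holds any message announcing changed payment details for phone confirmation. The keyword lists, addresses, file names and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

WORD_EXT = (".doc", ".docx", ".docm", ".dot", ".dotm", ".rtf")
LURE = re.compile(r"\b(order|quote|quotation|invoice)\b", re.I)
# Payment-detail change wording, in either word order (assumed keyword list).
BANK_CHANGE = re.compile(
    r"\b(new|changed|updated)\b.{0,60}\b(account|bank|iban|routing)\b"
    r"|\b(account|bank|iban|routing)\b.{0,60}\b(new|changed|updated)\b",
    re.I | re.S)

def body_text(msg):
    """Concatenate the text/plain parts that are not attachments."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def triage(raw_message, known_senders):
    """Return the list of actions this message should trigger."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    word_files = [p.get_filename() for p in msg.walk()
                  if (p.get_filename() or "").lower().endswith(WORD_EXT)]
    actions = []
    if word_files and sender not in known_senders and LURE.search(text):
        actions.append("quarantine attachment")
    # Applies to known senders too: in the scam the notice comes from the
    # company's real, compromised mailbox, so the sender address proves nothing.
    if BANK_CHANGE.search(text):
        actions.append("hold payment until confirmed by phone")
    return actions

def sample(sender, subject, body, attachment=None):
    """Build a constructed test message (not real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "ap@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_string()

KNOWN = {"billing@vendor.example"}
LURE_MAIL = sample("sales@unknown.example", "Quote request", "Please see the attached order.", "PO_4471.doc")
CHANGE_MAIL = sample("billing@vendor.example", "Re: Invoice 1182", "Our account number for this payment has changed.")
```

Keyword matching like this only routes messages to a person; the phone call to a number already on file is what actually verifies the change.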