Two companies mFinanse (part of mBank) and PKO Leasing (part of PKO BP) were affected in a cyberattack. Hackers gained access to mailboxes of a few employees in both companies and gathered the content of their messages (sensitive personal data) and client email addresses. Then they sent malicious emails to the clients and using the previously stolen correspondence made them seem like legitimate answers from the employees. Each message contained a Word attachment entitled:
Projekt_umowy 0391310451 23 09 2019.doc
The attachments are malicious and if macros are enabled when opening them, Emotet Trojan will be downloaded. It then will steal banking login credentials and install other malware, also ransomware.
Although the malware is now recognised by Gmail and more than half of AVs, caution is recommended when opening any emails. In the case of this attack, the best indicator of the danger was the real sender email - the messages were not sent from hacked mailboxes of mFinanse and PKO Leasing employees.