world of internet security, latest cyber security news,information,updates on technology,it job vacancies,internet security,breaches,and safeguards

Monday 29 February 2016

The “HawkEye” attack by cyber criminals


Even if you’ve heard of it before, it’s still worth reminding yourself how the scam works, which is something like this:

1. Buy booby-trapped documents that use the Microsoft Word Intruder (MWI) exploit tool. If opened on an unpatched version of Windows, these documents automatically install chosen malware on the victim’s computer, with no user clicks required.

2. Buy a commercially-available keylogger and configure the booby-trapped files to download and install it. (This case used the now-defunct Hawkeye keylogger.)

3. Pick a broad industry sector, e.g. leather and leather products.

4. Send a small number of scam emails (typically a few thousand in total) pretending to be quotation requests or payment information, each containing a booby-trapped MWI document.

5. Infect victims with the keylogger and wait until they type in their email passwords.

6. Use the stolen email passwords to watch their inboxes, until you see that a customer has been invoiced and is about to pay.

7. Email the customer from the hijacked account, instructing the customer to use a new account number for future payments.

8. Take the money yourself and quickly move it where it can’t easily be found or recovered.

Just one or two criminals, working unaided, and with enough patience to go after a small number of high-value victims, could easily operate a scam of this sort.

What to do?

1. Patch promptly. The booby-trapped documents in this attack relied on a security hole that had been patched years before.

2. Keep your security software up-to-date. A good anti-virus can block attacks like this at several points, and you win if you can stop any one of them, starting with the original inbound email.

3. Beware of unsolicited attachments. This can be hard if your job is business development and the email is a Request For Quotation, but avoid opening just any old document.

4. Consider using a stripped-down document viewer. Microsoft’s own Word Viewer, for example, is usually much less vulnerable than Word itself because it’s much simpler. (It doesn’t support macros, either, which protects against Locky-type attacks, too.)

5. If your email software supports it, use 2FA. That’s short for two-factor authentication, those one-time codes that come up on your phone or on a special security token. With 2FA, just stealing your email password isn’t enough on its own.

6. Have a two-person process for important transactions. Paying large invoices and changing remittance advice shouldn’t be too easy. Require separate approval from a supervisor, so you always get a second opinion when large sums are at stake.
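As an added illustration of step 6 (example code, not part of the original article), here is a minimal dual-control check in Python: a payment that is large, goes to a new supplier, or goes to a beneficiary account that differs from the one on file cannot be released until a supervisor other than the requester has approved it. The threshold, supervisor roster and supplier book are constructed assumptions.

```python
"""Dual-control check for outgoing payments (added example, not from the article)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

LARGE_AMOUNT = 10_000.0                  # assumed threshold; tune to your business
SUPERVISORS = {"bob", "carol"}           # constructed roster of people allowed to approve

# Constructed supplier book: beneficiary account currently on file per supplier.
SUPPLIER_BOOK: Dict[str, str] = {"Acme Tannery": "GB00-ACME-0001"}


@dataclass
class Payment:
    supplier: str
    amount: float
    account: str                          # beneficiary account this payment would go to
    requested_by: str
    approvals: Set[str] = field(default_factory=set)


def review_reasons(p: Payment, book: Dict[str, str]) -> List[str]:
    """Why this payment needs a second opinion; empty list means routine."""
    reasons = []
    on_file = book.get(p.supplier)
    if on_file is None:
        reasons.append("new supplier")
    elif on_file != p.account:
        # Exactly what the hijacked-mailbox email asks for: a "new account number".
        reasons.append("beneficiary account changed")
    if p.amount >= LARGE_AMOUNT:
        reasons.append("large amount")
    return reasons


def approve(p: Payment, approver: str) -> None:
    """Record an approval; the requester can never be their own second opinion."""
    if approver == p.requested_by:
        raise PermissionError("requester cannot approve their own payment")
    if approver not in SUPERVISORS:
        raise PermissionError(f"{approver} is not a supervisor")
    p.approvals.add(approver)


def release(p: Payment, book: Dict[str, str]) -> bool:
    """True only if routine, or if a supervisor other than the requester approved."""
    if not review_reasons(p, book):
        return True
    return any(a != p.requested_by for a in p.approvals)


if __name__ == "__main__":
    pay = Payment("Acme Tannery", 2500.0, "GB99-NEW-9999", "alice")
    print(review_reasons(pay, SUPPLIER_BOOK), release(pay, SUPPLIER_BOOK))
```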
