LKA Warns Of “Invoice Fraud” Emails That Deploy Ransomware When Opened

The State Criminal Police Office or Landeskriminalamt (LKA) in Rhineland-Palatinate issued a state-wide warning regarding fraudulent emails. They covered several types of email fraud in the announcement, including ransomware from the darknet and the classic email phishing schemes. The announcement also served as a guide on detecting these emails—the LKA warned that they often appear to come from someone unexpected or seemingly harmless. Additionally, a newer category of email fraud appeared in the LKA’s announcement: invoice fraud.

Invoice fraud ndr.de explained, occurred when a threat actor sent fictitious invoices to a victim. The invoices looked and seemed real for several reasons. The victim either expected a bill from the company or recognized the bill as something standard, like “tax consultants,” one source said. Such invoices additionally appeared genuine based on the official letterhead and contact details that nearly identically matched those of the real company. According to researchers, the only incorrect information on these fake invoices is the phone number. “The telephone numbers are wrong to make callbacks impossible,” another source explained.

The invoice fraud continued beyond the implications in the name, however. In addition to scam money from unsuspecting victims, the invoice fraud emails serve as a medium for ransomware. Investigators in Mecklenburg-Vorpommern and Lower Saxony explained that the feigned legitimacy of the emails makes the victim feel safe enough to open them. Once opened, the authorities announced, the email deployed a “malicious program” on the victim’s computer. The LKA encouraged users of email services to use caution when reading their email and just to delete anything that appeared suspicious. If someone’s machine fell victim to malware, the individual would likely need to pay a “sort of ransom” to unlock the machine. Usually, the ransom is paid via Bitcoin on the darknet, the LKA announced.

At the time of the announcement, the majority of such emails came from “Rolf Drescher,” the LKA said. Although that name and email apply to a genuine identity and advertisement, the hackers used it to distribute various forms of malware. “The sender could change in the future,” they said. The emails from the fraudulent “Rolf Drescher,” so far, contained two attachments. One, a PDF. That PDF has not infected anyone yet. However, this is not the case with other attachment—an Excel spreadsheet file. Once opened, the spreadsheet infects computers with ransomware. The LKA urged companies to require a daily backup of their employee’s desktops and laptops. Especially those with Windows installed. Sometimes the ransomware lands on Macintosh computers—often in the form of an FBI threat.

Officials explained, in two simple steps, what one must do after a malware infection.

From the “What can I do when I open the link?” section:

If you received such an email and the already opened the link, you should disconnect the computer from the Internet. In a first step, the infected computer should be searched with an updated anti-virus program. One Problem: anti-virus programs do not always detect the malware. If in doubt, you should ask an expert to clean the infected computer. In a second step, affected users should change all access data and passwords used on the Internet. The change should not be from the infected computer, but from a second device. This prevents affected users from gaining access to other web portals, shops, or banking apps.

The LKA concluded by announcing that any suspicious email should not be opened. Instead, if in doubt, the user should delete the email. Additionally, users need to keep their operating systems updated, along with anti-virus programs.