Malware e-mails imitating the Health Board spread online

Last night, the Computer Emergency Response Team of the Information System Authority (CERT-EE) was notified that fake e-mails containing malware and copying the official information of the Health Board are being sent by hackers.

People have received an e-mail with the grammatically erroneous title ‘Tervis hoiuministeeriumi poolt heaks kiidetud teade COVID-19 viiruse levikus’. Please delete the e-mail and do not open the links provided therein.

At the end of the e-mail, there is a link to a file titled ‘Eeskiri.7z’ – do not click on it. Clicking on the link downloads a file containing malware to your computer, i.e. your computer will be infected with malware. ‘However, if a computer user has already clicked on the link, downloaded the linked file, and opened it, there is a very good chance that their computer has already been infected with the malware, which may still go undetected by anti-virus programs,’ said Tõnu Tammer, Executive Director of CERT-EE.

According to Tammer, clicking on the link opens a seemingly ordinary prevention poster, but the poster also comes with malware. ‘Persons who have received the e-mail, opened the link, and seen the poster now have malware installed on their computer. If that is the case, the computer should not be used until it has been cleaned and it is certain that malware has been removed from the computer. Be sure to change the passwords that have been stored in your browser (Chrome, Edge, Firefox, etc.). If you have also saved bank card information in your browser, notify your bank and order a new card, if necessary, as the criminals may use your bank card,’ said Tammer.

According to Tammer, one should always check who the sender is before opening e-mails. ‘Fake e-mails are usually sent from an e-mail address that mimics the e-mail address of a well-known company or organisation, but is actually not affiliated with the company. Make sure that the name in the title and the name of the sender match. Even minor inconsistencies should trigger caution,’ said Tammer. The sender of the e-mail in question was euroapteek(at)protonmail.com, meaning the criminals tried to imitate a well-known pharmacy in Estonia.

He added that CERT-EE also reported the malware to developers of anti-virus software. ‘However, developers of anti-virus software need some time to fully identify the behaviour pattern of the malware included in these letters and provide protection against it with their products. For now, users must exercise caution themselves,’ said Tammer. ‘People should always be mindful of what links they click, because criminals are getting better at hiding malware. Although the e-mail contains grammatical errors, the overall quality is quite good and the poster in the downloadable file looks trustworthy. We therefore ask you to stay vigilant. If the recipient cannot see the web address of a link, we would never recommend clicking on it,’ Tammer concluded.

If you clicked on a link, downloaded the file containing malware to your computer, opened it, and saw the aforementioned poster, please send the information to cert@cert.ee. You can read about the basics of cybersecurity on the official blog of the Information System Authority at https://blog.ria.ee/kuberturvalisuse-abc/

The attachment includes a screenshot of both the e-mail and the poster that contained the malware.
 

Seiko Kuik
Press Officer
5851 7028
seiko.kuik@ria.ee
