Small businesses targeted by highly localized Ursnif campaign
Microsoft Security Blog, published 2018-09-06 (last modified 2023-08-10)
https://www.microsoft.com/en-us/security/blog/2018/09/06/small-businesses-targeted-by-highly-localized-ursnif-campaign/

Cyber thieves are continuously looking for new ways to get people to click on a bad link, open a malicious file, or install a poisoned update in order to steal valuable data. In the past, they cast as wide a net as possible to increase the pool of potential victims. But attacks that create a lot of noise are often easier to spot and stop. Cyber thieves are catching on that we are watching them, so they are trying something different. Now we’re seeing a growing trend of small-scale, localized attacks that use specially crafted social engineering to stay under the radar and compromise more victims.

In social engineering attacks, is less really more?

A new malware campaign puts that to the test by targeting home users and small businesses in specific US cities. This was a focused, highly localized attack that aimed to steal sensitive info from just under 200 targets. Macro-laced documents masqueraded as statements from legitimate businesses and were distributed via email to target victims in the cities where those businesses are located.

With Windows Defender AV’s next gen defense, however, the size of the attack doesn’t really matter.

Several cloud-based machine learning algorithms detected and blocked the malicious documents at the onset, stopping the attack and protecting customers from what would have been the payload, the info-stealing malware Ursnif.

The map below shows the location of the targets.

Figure 1. Geographic distribution of target victims

Highly localized social engineering attack

Here’s how the attack played out: Malicious, macro-enabled documents were delivered as email attachments to target small businesses and users. Each document had a file name that spoofed a legitimate business name and masqueraded as a statement from that business. In total, we saw 21 unique document file names used in this campaign.

The attackers sent these emails to intended victims in the city or general geographic area where the businesses are located. For example, the attachment named Dolan_Care_Statement.doc was sent almost exclusively to targets in Missouri. The document file name spoofs a known establishment in St. Louis. While we do not believe the establishment itself was affected or targeted by this attack, the document purports to be from that establishment when it’s really not.

The intended effect is for recipients to receive documents from local, familiar businesses or service providers. It’s part of the social engineering scheme to increase the likelihood that recipients will believe the document is legitimate and take the bait, when in reality it is a malicious document.

Most common lure document file names | Top target cities
Dockery_FloorCovering_Statement | Johnson City, TN; Kingsport, TN; Knoxville, TN
Dolan_Care_Statement | St. Louis, MO; Chesterfield, MO; Lee’s Summit, MO
DMS_Statement | Omaha, NE; Wynot, NE; Norwalk, OH
Dmo_Statement | New Braunfels, TX; Seguin, TX; San Antonio, TX
DJACC_Statement | Miami, FL; Flagler Beach, FL; Niles, MI
Donovan_Construction_Statement | Alexandria, VA; Mclean, VA; Manassas, VA

Table 1. Top target cities of the most common document file names

When recipients open the document, they are shown a message that tricks the person into enabling the macro.

Figure 2. Document tricks victim into enabling the macro

As is typical in social engineering attacks, this message is a lie. If the recipient does enable the macro, no content is shown. Instead, the following process is launched to deobfuscate a PowerShell command.

Figure 3. Process to deobfuscate PowerShell

Figure 4. PowerShell command

The PowerShell script connects to any of 12 different URLs that all deliver the payload.

Figure 5. Deobfuscated PowerShell command

The payload is Ursnif, info-stealing malware. When run, Ursnif steals information about the infected device as well as sensitive information like passwords. Notably, this infection sequence (a cmd.exe process deobfuscates a PowerShell command that in turn downloads the payload) is a common method also used by other info-stealing malware like Emotet and Trickbot.

How machine learning stopped this small-scale, localized attack

As the malware campaign got under way, four different cloud-based machine learning models gave the verdict that the documents were malicious. These four models are among a diverse set of models that help ensure we catch a wide range of new and emerging threats. Different models have different areas of expertise; they use different algorithms and are trained on their own unique set of features.

One of the models that gave the malicious verdict is a generic model designed to detect non-portable executable (PE) threats. We have found that models like this are effective in catching social engineering attacks, which typically use non-PE files like scripts and, as is the case for this campaign, macro-laced documents.

This non-PE model is a simple averaged perceptron that uses various features, including expert features, fuzzy hashes of various file sections, and contextual data. The simplicity of the model makes it fast, enabling it to give split-second verdicts before suspicious files can execute. Our analysis of this specific model showed that the expert features and fuzzy hashes had the biggest impact on the model’s verdict and the eventual blocking of the attack.

Figure 6. Impact of features used by one ML model that detected the attack

Next-generation protection against malware campaigns regardless of size

Machine learning and artificial intelligence power Windows Defender Antivirus to detect and stop new and emerging attacks before they can wreak havoc. Every day, we protect customers from millions of distinct, first-seen malware. Our layered approach to intelligent, cloud-based protection employs a diverse set of machine learning models designed to catch the wide range of threats: from massive malware campaigns to small-scale, localized attacks.

The latter is a growing trend, and we continue to watch the threat landscape to keep machine learning effective against attacks. In a recent blog post, we discussed how we continue to harden machine learning defenses.

Windows Defender AV delivers the next-gen protection capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP). Windows Defender ATP integrates attack surface reduction, next-gen protection, endpoint detection and response (EDR), automatic investigation and response, security posture, and advanced hunting capabilities.

Because of this integration, antivirus detections, such as those related to this campaign, are surfaced in Windows Defender Security Center. Using EDR capabilities, security operations teams can then investigate and respond to the incident. Attack surface reduction rules also block this campaign, and these detections are likewise surfaced in Windows Defender ATP. To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

Across Microsoft 365 threat protection as a whole, detections and other security signals are shared among Office 365 ATP, Windows Defender ATP, and Azure ATP. In this Ursnif campaign, the antivirus detection also enabled the blocking of related emails in Office 365. This demonstrates how signal sharing and orchestration of remediation across solutions in Microsoft 365 result in better integrated threat protection.


Bhavna Soman
Windows Defender Research


Indicators of compromise (IOCs)

Infector:

Hashes
407a6c99581f428634f9d3b9ec4b79f79c29c79fdea5ea5e97ab3d280b2481a1
77bee1e5c383733efe9d79173ac1de83e8accabe0f2c2408ed3ffa561d46ffd7
e9426252473c88d6a6c5031fef610a803bce3090b868d9a29a38ce6fa5a4800a
f8de4ebcfb8aa7c7b84841efd9a5bcd0935c8c3ee8acf910b3f096a5e8039b1f

File names
CSC_Statement.doc
DBC_Statement.doc
DDG_Statement.doc
DJACC_Statement.doc
DKDS_Statement.doc
DMII_Statement.doc
dmo_statement.doc
DMS_Statement.doc
Dockery_Floorcovering_Statement.doc
Docktail_Bar_Statement.doc
doe_statement.doc
Dolan_Care_Statement.doc
Donovan_Construction_Statement.doc
Donovan_Engineering_Statement.doc
DSD_Statement.doc
dsh_statement.doc
realty_group_statement.doc
statement.doc
tri-lakes_motors_statement.doc
TSC_Statement.doc
UCP_Statement.doc

Payload (Ursnif):

Hashes
31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f
bd23a2eec4f94c07f4083455f022e4d58de0c2863fa6fa19d8f65bfe16fa19aa
75f31c9015e0f03f24808dca12dd90f4dfbbbd7e0a5626971c4056a07ea1b2b9
070d70d39f310d7b8842f645d3ba2d44b2f6a3d7347a95b3a47d34c8e955885d
15743d098267ce48e934ed0910bc299292754d02432ea775957c631170778d71

URLs
hxxp://vezopilan[.]com/tst/index[.]php?l=soho6[.]tkn
hxxp://cimoselin[.]com/tst/index[.]php?l=soho2[.]tkn
hxxp://cimoselin[.]com/tst/index[.]php?l=soho4[.]tkn
hxxp://vedoriska[.]com/tst/index[.]php?l=soho6[.]tkn
hxxp://baberonto[.]com/tst/index[.]php?l=soho3[.]tkn
hxxp://hertifical[.]com/tst/index[.]php?l=soho8[.]tkn
hxxp://hertifical[.]com/tst/index[.]php?l=soho6[.]tkn
hxxp://condizer[.]com/tst/index[.]php?l=soho1[.]tkn
hxxp://vezeronu[.]com/tst/index[.]php?l=soho2[.]tkn
hxxp://vezeronu[.]com/tst/index[.]php?l=soho5[.]tkn
hxxp://zedrevo[.]com/tst/index[.]php?l=soho8[.]tkn
hxxp://zedrevo[.]com/tst/index[.]php?l=soho10[.]tkn

*Note: The first four domains above are all registered in Russia and are hosted on the IP address 185[.]212[.]44[.]114. The other domains follow the same URL pattern and are also pushing Ursnif, but no registration info is available.


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.
