We've told you before how hackers like to disguise malicious program files as harmless documents, images or music files, and how to spot them. However, hackers can also use regular files to cause problems, specifically Word documents.
Using a specially crafted Word document, such as ones from the Microsoft Word Intruder exploit tool, a hacker can crash Word and open a hole to slip in a ransomware virus or data-stealing Trojan. That's why you should never open attachments from unsolicited emails, even if they appear harmless.
For businesses it's even worse. Using the "Hawkeye" version of this attack, some hackers have been stealing hundreds of thousands of dollars from companies.
The way "Hawkeye" works is that a hacker creates or buys a Word file crafted to crash Word on unpatched computers and open a hole. Then they choose what kind of malware they want to deliver and add it to the file. In the case of "Hawkeye," it's a keylogger.
The hacker then sends the Word file to the employees at businesses in a general industry. Typically, the email will say the Word document contains an order or quote request so it gets to an employee who deals with finances.
Once an employee opens the Word document, the keylogger installs. Then the hacker waits for the employee to log in to their company email account and steals the username and password.
The hacker logs in to the email account themselves and waits for the company to send out an invoice to a high-value client. Then the hacker sends out their own follow-up email from that email address telling the client that the account number for the payment has changed.
The new account is one the hacker set up, so when the company's client pays, the money goes straight to the hacker. Depending on the industry and client, this payout could be upwards of $1 million.
In analyzing the Hawkeye attack, security experts found that the hackers started with a few thousand scam emails and ended up with only a handful of successful scores. However, because those few successes were so high-value, the scam was still worthwhile.
The other takeaway is that, thanks to tools and services available on the black market, even low-skilled hackers working alone or with a friend can launch this attack.