Hackers Drop Malware Using a Spreadsheet Called 'The Worst 25 Passwords'
Back in the day, scams were all about social engineering – confidence artists needed to convince their victims, to woo them in a particular way in order to part them from their cash. Things are somewhat different nowadays - duping people into giving you their hard-earned money or precious personal details usually requires quite a bit more technical sophistication. In this regard, the efforts of malware artists are an undeniable proof ingenuity of the human species, if not its kinder or more ethical nature. Cybercrooks have found, and continue to find, vectors of attack undreamed of by any expert or any of their victims, and the sophistication of their code is always improving.
However, just because they are showing a higher level of technical sophistication, this does not mean that technical know-how is the only weapon in a cybercriminals' arsenal. Misdirection and guile remain as important to their "craft" as said underhanded tactics have always been. Case in point – the "The Worst 25 Passwords of 2017" malware.
By their design, most con attempts, and online attacks, in general, rely on the victim's ignorance or lack of sophistication – which may well be considered a vice, nowadays, seeing as how necessary knowledge of the dangers of the Internet is. The "Worst passwords" malware, however, plays on a potential victim's hubris to get past said user's defenses.
No matter how you look at it, it is a brilliant bit of social engineering – circulating an Excel spreadsheet that purports to contain "The Worst 25 Passwords of 2017". That sort of list is certainly worth a look and a laugh - however while it gives people the opportunity for gloating and schadenfreude, it also contains a malware that brute-forces its way into the victim's online accounts. The malware then allows the hackers to log into said accounts and start spamming the victim's contacts with messages with other malicious attachments.
And the real kicker? The documents that the hackers used as a vector of attack in multiple such instances actually warned of the dangers of cyber-security weaknesses and urged people to use stronger passwords and a reliable anti-malware solution.
All in all, this particular type of cyber-attack was as ingenious as it was ironic. Although it did not affect, or even target, a huge amount of internet users, it is an abject lesson on the matter of trust and online security. The moral of the story is simple – when it comes to the Internet, do not let your guard down – even to laugh at other people's deficiencies.