Microsoft fixes Word bug used to steal banking info


Multiple reports over the past few days have highlighted a serious security flaw in Microsoft Word which allows hackers to steal banking info. The zero-day vulnerability apparently affects all versions of the program, leaving millions of users at risk.

Security firm Proofpoint claims that the bug was being used in a large-scale email campaign that was distributing the Dridex banking trojan. The campaign seems to be the first to take advantage of the Microsoft vulnerability, and its emails have already been sent to millions of victims, mostly in Australia.

The emails sent by attackers contained a Microsoft Word RTF (Rich Text Format) document and were sent from addresses using the recipient’s domain name. The subject line in most cases was ‘Scan Data’ and the attachments were named something like ‘Scan_123456.doc’ or ‘Scan_123456.pdf,’ with only the number sequence varying.
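The traits described above can be turned into a mail-filter check. The following is an added example, not code from Proofpoint or from this article; the function names are hypothetical, and the two messages (with example.com placeholder addresses) are constructed for the demonstration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment naming reported for the campaign: Scan_<digits>.doc or .pdf
NAME_RE = re.compile(r"^Scan_\d+\.(doc|pdf)$", re.IGNORECASE)
RTF_MAGIC = b"{\\rtf"  # an RTF file starts with this marker whatever its extension


def domain(header_value):
    """Return the lowercased domain of the address in a From/To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def campaign_indicators(raw):
    """Return the campaign traits found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if "scan data" in str(msg["Subject"] or "").lower():
        hits.append("subject")
    sender, rcpt = domain(msg["From"]), domain(msg["To"])
    if sender and sender == rcpt:
        hits.append("sender_uses_recipient_domain")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if NAME_RE.match(name):
            hits.append("attachment_name")
        payload = part.get_payload(decode=True) or b""
        is_rtf = payload.lstrip()[:5].lower() == RTF_MAGIC
        if is_rtf and not name.lower().endswith(".rtf"):
            hits.append("rtf_with_other_extension")
    return hits


def build_sample(sender, subject, filename, body):
    """Build a constructed test message (not a real sample from the campaign)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "alice@example.com", subject
    m.set_content("See attached.")
    m.add_attachment(body, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


SUSPECT = build_sample("scanner@example.com", "Scan Data", "Scan_123456.doc", b"{\\rtf1 constructed}")
BENIGN = build_sample("bob@partner.example", "Minutes", "minutes.doc", b"\xd0\xcf\x11\xe0 constructed")

if __name__ == "__main__":
    print(campaign_indicators(SUSPECT), campaign_indicators(BENIGN))
```

Each trait is weak on its own (internal scanners legitimately send mail with similar subjects from the recipient's own domain), so a filter would normally act on several hits together rather than on any single one.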


Once a person clicks on the attachment, the exploit carries out a series of actions that result in the installation of Dridex botnet ID 7500. The person would first have to click on ‘Enable Editing’ for this to happen, because of Microsoft Word’s ‘Protected View’ safety net for documents downloaded from the web or emails.

Still, people usually enable editing when prompted, so Protected View isn’t as useful as it could be to stop the hack from happening. Microsoft has now patched the zero-day vulnerability via a software update. It’s advising users to exercise caution when opening unknown files and downloading content from untrusted sources.