Macro-based malware attacks are as tenacious as dandelions. Just when you think they are gone for good, they keep popping up. These days, they are popping up in the form of bogus shipping notices, supposedly from the United Parcel Service (UPS) or United States Postal Service (USPS), according to Webroot.

Macros: The Good, the Bad, and the Ugly

For more than a decade, cybercriminals have been trying to steal banking credentials and other personal information using small scripts called macros. Microsoft Word and Microsoft Excel users sometimes create macros to automate repetitive tasks, such as formatting data in a spreadsheet cell a certain way or entering a return address in correspondence. As such, macros are useful tools. However, cybercriminals often use Word macros to carry out malware attacks.

After the first series of macro-based malware attacks, Microsoft implemented several security measures in Office 2003. One of the most important changes was disabling macros by default, which current Office versions continue to do. But this has not deterred cybercriminals. Instead, it has compelled them to create more devious attacks.

For example, cybercriminals devised a macro-based malware attack in 2015 that netted them more than $40 million from U.S. and U.K. victims. In this attack, cybercriminals used phishing emails to lure the recipients into opening a Microsoft Word file that contained a macro. If the recipients allowed the macro to run, it downloaded malicious code. Then, when the recipients logged in to their online bank accounts, this code created HTML fields requiring personal information. The cybercriminals collected this information and used it to steal money from the victims’ bank accounts.

A Healthy Dose of Skepticism Needed

A little knowledge and a lot of skepticism can help you avoid becoming a victim. Macro-based malware attacks usually start with an email. If you receive an email that contains an attached Word file, be wary. If the email is from an unknown sender, do not open the file unless you have to as part of your job (e.g., you are involved in hiring employees, so you receive resumes from job applicants). You also need to be wary of attached Word files that appear to be from people you know or organizations you do business with. The email might have been sent from a cybercriminal masquerading as that person or organization.

If you open the file, check to see if Word displays the security warning “Macros have been disabled” accompanied by the “Enable Content” option. If you see this message, it means the file contains a macro. Do not click the “Enable Content” option, as it will allow the file’s macro to run. At this point, it is best to close and delete the file since it is probably part of a malware attack. Unless you regularly use macros in your files at work, receiving a legitimate file that contains a macro is rare, according to Webroot.

Other Security Measures to Take

Unfortunately, you cannot assume that your anti-malware software will immediately detect a problem with the Word file in question. In this type of attack, the macros often do not contain the actual malware. Instead, they contain commands that will download the malware if you enable the macro to run. Despite this, it is still important to use anti-malware software. It can detect any malicious code that does make it onto your computer. It is also important to install application and operating system updates so that known problems and vulnerabilities are fixed.

In addition, you might want to change the macro security setting in Word. By default, it is set to “Disable all macros with notification”. Changing this setting to “Disable all macros without notification” will disable the use of macros and remove the prompt to enable them. That way, you eliminate the possibility of inadvertently enabling them. To change the macro security setting in Word 2016, follow these steps:

  1. Click “Options” on the File tab.
  2. In the Word Options dialog box, select “Trust Center” from the menu on the left.
  3. Click the “Trust Center Settings” button.
  4. In the Trust Center dialog box, select “Macro Settings” from the menu on the left.
  5. Choose the “Disable all macros without notification” option.
  6. Click “OK” in the Trust Center dialog box.
  7. Click “OK” in the Word Options dialog box.

Contact us for more advice on how to prevent macro-based malware attacks and other types of malware infections.