In a new kind of attack, cybercriminals are infecting computers with a banking Trojan simply by fooling users into hovering over a link embedded in a malicious PowerPoint file.
Attackers are sending malicious PowerPoint Show (PPS) or Open XML Slide Show (PPSX) files to users via spam emails. These files open only in slideshow mode and are different from the normal PowerPoint files (PPT and PPTX). When the targeted user downloads and opens such a file, a slide containing the hyperlink shown below is displayed.
If the user hovers their mouse over this link, it tries to execute code which installs a banking Trojan on the computer. Users who have the ‘Protected View’ feature turned ON (newer versions of Windows) receive a security warning (Fig. 2) with ‘Enable’, ‘Enable All’, and ‘Disable’ options. Clicking on ‘Enable’ or ‘Enable All’ executes the malicious code, which ultimately infects the computer with the Trojan. Clicking on ‘Disable’ stops the infection from being executed.
Therefore, users with older versions of Windows or those who do not have ‘Protected View’ turned ON are the most vulnerable to this infection. For them, simply hovering over the link will infect the computer without any notice.
Once installed, this banking Trojan can allow the attacker to control the infected computer remotely, access stored information, and perform a host of other malicious activities.