Visa Payment Systems Intelligence recently announced that cybercriminals are threatening the payments ecosystem by leveraging a vulnerable Microsoft Dynamic Data Exchange protocol in phishing campaigns. This phishing attack relies on the Dynamic Data Exchange (DDE) protocol for infection instead of the usual malicious macros or an exploit kit.
This exploit is related to the Microsoft Security Advisory 4053440 issued on November 8, 2017. It provides guidance on securing Microsoft applications when processing Dynamic Data Exchange (DDE) fields. The DDE protocol enables messages to be sent between Microsoft applications and uses shared data to be sent between applications. According to the advisory, malicious cyber actors could leverage the DDE protocol when delivering specially crafted files to users through phishing and web-based downloads.
FortiGuard Labs has issued three IPS signatures that defend our customers against these attacks:
Additionally, our FortiClient agent also successfully defends against these attacks with the following application protection signatures:
As always, the FortiGuard Labs team recommends that in addition to employing the protections provided by our security solutions that customers actively patch or replace vulnerable systems. We also strongly recommend that users exercise caution when opening suspicious files.