PEC mail with virus: how to recognize it to defend yourself

Even PEC mailboxes are used to spread viruses, although to a much lesser extent than traditional mailboxes. Here is how to recognize dangerous messages.

Hackers have found a new way to spread computer viruses: PEC. They have also learned to write emails in excellent Italian, without gross errors, to make the certified messages more credible.

In less than two months since the beginning of 2021, the Computer Emergency Response Team (CERT) of the Agenzia per l'Italia Digitale, which reports directly to the Presidency of the Council of Ministers, has already intercepted two PEC email campaigns used to distribute the sLoad malware. Besides the choice of PEC as the distribution channel and the credibility of the message to the average user, the technique used to hide the virus from antivirus software is worth noting: a "double ZIP".

PEC email with virus: what it looks like

The latest infected PEC email intercepted by the CERT looks like a classic business email about an invoice to be paid. The message received by the user states: "We are sending, attached to this email, a copy in PDF format of the electronic invoice transmitted through the interchange service in the manner provided for by law".

The message then continues with the usual disclaimer found on electronic invoices: "This message is directed exclusively to its addressee and may contain information of a confidential nature. Anyone who has received it by mistake is requested to immediately inform the sender and destroy the copy received. Any other use is forbidden".

We are light years away, then, from the classic phishing email written with an automatic translator: there are no grammar mistakes, there are no calls for urgent action, there is only a message that seems completely credible.

The double ZIP technique

Although the text of the PEC speaks of a PDF invoice, the attachment is in ZIP format. Inside it there is a second ZIP, and inside the second ZIP there are a VBS file and an XML file.

These two files carry the actual malware: sLoad, a downloader whose main purpose is to fetch other malware, usually banking trojans that steal online banking credentials so that the attackers can make transfers in the victim's name.
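As an added example (not part of the original article or of any CERT-AGID tooling), the following Python check mirrors the pattern just described from the defender's side: it walks a ZIP attachment and every ZIP nested inside it, flags script members such as .vbs, and reports whether the attachment matches the "ZIP inside a ZIP with a script inside" shape. The sample archives, file names and the set of flagged extensions are constructed here for illustration.

```python
import io
import zipfile

# Members that have no business inside an "invoice" attachment; the article's
# sample hid a .vbs (plus an .xml) inside the inner ZIP. Constructed list.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1",
                     ".bat", ".cmd", ".exe", ".scr", ".lnk"}
MAX_DEPTH = 4  # stop on pathological archive-in-archive chains

def inspect_zip(data: bytes, depth: int = 0, path: str = "") -> list:
    """Walk a ZIP and every ZIP nested in it; return (member, depth, reason)
    for each nested archive and each script/executable member."""
    if depth > MAX_DEPTH:
        return [(path, depth, "nesting deeper than limit")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, depth, "not a valid ZIP")]
    findings = []
    for info in zf.infolist():
        member = f"{path}/{info.filename}" if path else info.filename
        content = zf.read(info)
        ext = "." + info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
        if ext in SCRIPT_EXTENSIONS:
            findings.append((member, depth, f"script/executable {ext}"))
        # Judge by content, not by name: a nested ZIP may carry any extension.
        if zipfile.is_zipfile(io.BytesIO(content)):
            findings.append((member, depth, "nested archive"))
            findings.extend(inspect_zip(content, depth + 1, member))
    return findings

def is_double_zip_lure(data: bytes) -> bool:
    """True for the article's pattern: a ZIP holding another ZIP that
    contains a script file (a script found at depth >= 1)."""
    return any(depth >= 1 and reason.startswith("script")
               for _, depth, reason in inspect_zip(data))

def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples, not the real campaign files: an inert placeholder .vbs and
# an .xml in a ZIP inside a ZIP, versus a single PDF in one ZIP.
LURE_ATTACHMENT = build_zip({"fattura.zip": build_zip(
    {"fattura.vbs": b"' constructed placeholder\r\n", "fattura.xml": b"<fattura/>"})})
BENIGN_ATTACHMENT = build_zip({"fattura.pdf": b"%PDF-1.4 constructed placeholder"})
```

Running `inspect_zip(LURE_ATTACHMENT)` lists the nested archive at depth 0 and the .vbs at depth 1, while the benign archive yields no findings; a mail gateway would quarantine on `is_double_zip_lure` rather than trusting the "PDF invoice" wording of the message.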

Is PEC safe?

The CERT-AGID has recently reiterated that, compared to traditional mailboxes, PEC mailboxes are much safer: the amount of malware transmitted through PEC is still vastly lower.

But it is growing, as is the use of PEC. For this reason you should never lower your guard, and even with PEC you must follow the two golden rules: never download attachments and never click on links unless you are 100% sure of both the sender and the content of the message.