
Employers Beware Of Malware Trojan Stealing Contact Lists Using A Word Document

A new type of Ursnif Trojan malware steals users' email contacts in order to conduct a targeted spear-phishing campaign.

The Trojan malware sends out legitimate-looking emails to an infected organization's contacts. The malware is able to reply to real emails sent to compromised accounts. The reply includes a Word attachment containing a malicious macro that downloads the malware onto the recipient's device if the attachment is opened. Once the document is closed, the macro launches and executes the payload. The malware then uses the email recipient's computer to send out more phishing emails to his or her contacts.

Once a computer is infected, the Trojan can steal a wealth of personal data, including banking and credit card information. Hackers can also use Ursnif to launch man-in-the-middle browser attacks or use keylogging and screenshots to steal passwords and other sensitive data.

Ursnif is sophisticated and difficult to detect and analyze. Ursnif has been known to target the financial industry in the past, but this variant is targeting more industries. Jessica Davis, "Trojan malware steals contacts for targeted spear phishing attacks" (Nov. 10, 2017).


Because Ursnif is capable of tricking security software and hiding its presence, it is extremely dangerous once it has infected an organization’s computer system.

A Trojan is a type of malware that disguises itself as legitimate software or attachments—like the Greek-made horse that fooled the Trojans into thinking it was a gift and not an attack. In this case, the Trojan is a Word document. 

Once a user downloads the Trojan, the malware gives hackers total access to the device. Cybercriminals can then steal your organization’s sensitive data, spy on your activities, or delete your files.

Ursnif delivers the Trojan through a phishing email. Phishing email campaigns send users emails that look legitimate, and, in the case of Ursnif, even come as a reply from someone you know or even trust. By combining a Trojan and a phishing campaign, the Ursnif malware is able to both take over computers and propagate itself by sending out more emails to take over more computers.

The best way to prevent Ursnif and similar malware is to be extremely careful when opening email attachments. You cannot assume that an attachment is safe just because it came from someone you know. Because hackers can steal email contact lists, an email from a friend could still be phishing. Do not open any attachment that you are not expecting…even if it is from someone you know. If you receive an attachment from a coworker, friend, or family member that you are not expecting, call him or her and ask what it is before downloading it.
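The delivery pattern described above (a reply to a real thread carrying a Word attachment with a macro) can also be screened for at the mail gateway. The following is an added example, not part of the original article: it flags attachments that can carry macros and notes whether the message arrived as a reply. The sample message, addresses and file names are constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container

def may_carry_macros(data: bytes) -> bool:
    """True for an OOXML file with a VBA project, or any legacy OLE2 file
    (the old binary format can embed macros, so treat it as suspect)."""
    if data.startswith(OLE2_MAGIC):
        return True
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return False
    with zipfile.ZipFile(stream) as archive:
        return any(name.lower().endswith("vbaproject.bin")
                   for name in archive.namelist())

def risky_attachments(raw_message: bytes) -> list:
    """Return (filename, arrived_as_reply) for each macro-capable attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    return [(part.get_filename(), is_reply)
            for part in msg.iter_attachments()
            if may_carry_macros(part.get_payload(decode=True) or b"")]

def build_sample(with_macro: bool) -> bytes:
    """Constructed test message: a reply with a minimal Word-like zip attached."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as archive:
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"constructed placeholder")
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Re: Q4 invoice"
    msg["In-Reply-To"] = "<1234@example.com>"
    msg.set_content("Please see the attached document.")
    name = "invoice.docm" if with_macro else "invoice.docx"
    msg.add_attachment(doc.getvalue(), maintype="application",
                       subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, risky_attachments(build_sample(flag)))
```

A hit means the attachment should be quarantined or confirmed with the sender before it is opened; it does not by itself prove the macro is malicious.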
