Before responding to any email invitation for an event, it's crucial to confirm its authenticity, as you might not be genuinely invited. Malwarebytes Labs has uncovered a new scam where cybercriminals are utilizing fake party invites to deceive users into downloading a remote access tool (RAT), which grants them complete control over the compromised devices. Although this particular scheme appears to be concentrated in the UK, similar approaches could easily proliferate.
Malicious Invites Contain an Installer
The scam begins with an email invitation that seems harmless and carries a casual "Save the Date" tone, possibly appearing to be from a friend or acquaintance. Within the message, there's a link labeled "View Invitation" for further event details. Clicking this link leads to a landing page with a striking "You're Invited" headline and a button to download your invitation. However, you don't need to click the button: your browser automatically starts downloading a .msi file, which is not a genuine invitation but an installer.
This .msi file quietly installs the ScreenConnect Client, a legitimate IT support application that allows remote access to the user's computer. Once the connection is established, attackers can view your screen, manipulate your mouse and keyboard, and transfer files, regardless of whether you restart your device. All of this occurs in the background without any clear signs that a remote access tool has been installed and is operational, leaving victims unaware of the threat.
Recognizing Remote Access Red Flags
As highlighted by Malwarebytes, the effectiveness of this scheme stems from its exploitation of typical human behavior in a seemingly low-risk scenario: engaging with an event invitation. Notably, the initial message lacks urgency or pressure. Instead, the landing page employs phrases like "a friend has sent you an invitation" and "I opened mine and it was so easy," which serve as social proof, nudging users towards the desired action.
Always remain vigilant regarding unsolicited invitations arriving via standard email that include links to external sites, as well as any messages encouraging you to download or install software. Nowadays, invitations are typically sent through applications and digital platforms like Partiful, Paperless Post, Evite, or Apple Invites, which are generally more reliable than random emails containing hyperlinked text. If you have doubts about the validity of an invite, confirm with the sender through a different communication channel prior to clicking or downloading anything.
While victims of this scam might not immediately recognize that a RAT has infiltrated their device, there are certain warning signs to watch for, such as unexpected cursor movements or windows opening and closing independently. You can inspect your device for a file named "RSVPPartyInvitationCard.msi" or a service labeled ScreenConnect Client with additional random characters in its title.
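The check described above can be scripted on Windows. The following PowerShell is an added example, not code from Malwarebytes or from this article; the folders it searches are an assumption, and the service pattern simply matches "ScreenConnect Client" followed by any extra characters. Because ScreenConnect is a legitimate support tool, a service match is a concern only if nobody set it up on purpose.

```powershell
# Added example: checks for the two indicators named in the article.
# The folders searched are an assumption; add other locations as needed.
$msiName  = 'RSVPPartyInvitationCard.msi'
$svcMatch = 'ScreenConnect Client*'   # the service name carries extra random characters

$roots = @(
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:USERPROFILE 'Desktop'),
    (Join-Path $env:USERPROFILE 'Documents'),
    $env:TEMP
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# 1. Installer file left behind by the fake invitation page (hashed for later reporting)
$files = @(Get-ChildItem -LiteralPath $roots -Filter $msiName -File -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTime,
        @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } })

# 2. Installed ScreenConnect Client service (match on service name or display name)
$services = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like $svcMatch -or $_.DisplayName -like $svcMatch } |
    Select-Object Name, DisplayName, State, StartMode, PathName, ProcessId)

# 3. Remote endpoints a running service is currently connected to
$connections = @(foreach ($svc in $services | Where-Object { $_.ProcessId -gt 0 }) {
    Get-NetTCPConnection -OwningProcess $svc.ProcessId -State Established -ErrorAction SilentlyContinue |
        Select-Object @{ Name = 'Service'; Expression = { $svc.Name } }, RemoteAddress, RemotePort
})

if ($files.Count -eq 0 -and $services.Count -eq 0) {
    Write-Output 'Neither indicator found in the locations checked.'
} else {
    $files       | Format-List
    $services    | Format-List
    $connections | Format-Table -AutoSize
}
```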
If you have inadvertently downloaded ScreenConnect from a fraudulent invitation, Malwarebytes advises disconnecting from the internet and promptly uninstalling the application. Conduct a security scan to check your device for malware and change critical passwords using a separate device.