How Low Will They Go? This Low!Posted on October 28, 2014 at 03:23 PM
I'm trolling through some archived spam today and encountered what is one of the most despicable malware lures I've seen. Because the crook is attempting to emulate a British public health organization, it would horrify someone from the UK more than from other countries:
From: " National Institute for Health and Care Excellence" <firstname.lastname@example.org>
Subject: Blood Test Results Email
Dear [email address removed]
We have been sent a sample of your blood analysis for further research.
During the complete blood count (CBC) we have revealed that white blood
cells is very low, and unfortunately we have a suspicion of a cancer.
Wite Blood cells 1200 Low
Hemoglobin 12 Normal
Platelets 19000 Low
We suggest you to print out your CBC test results and interpretations in
attachment below and visit your family doctor as soon as possible
Dr. Avery Ernie
Copyright 2013 National Institute for Health and Care Excellence. All
Attachment: test results 114AF-1.zip
Of course the only disease associated with this email is the malware infection caused by opening the attachment—a certain death sentence for your PC and security.
The Right Kind of FearPosted on October 27, 2014 at 11:20 PM
It starts innocently enough. An email arrives:
From: email account security <email@example.com>
Subject: Mail Account Full, Upgrade To Receive Incoming Mails
The message body consists of a warning that would certainly get the attention of any Windows user who relies on email for personal—and more importantly—business communication:
Dear Email Account User,
Your Email Account has exceeded it's storage Limit,
Most incoming messages may be placed on pending due to our recent Upgrade.
Verify your Email account immediately to get your Account Storage Upgraded.
if not verified within 24 hours, we shall delete all your Email Account incoming messages.
Click here to Upgrade your email account storage now.
2014 Microsoft Security.
Suddenly the implication is that Microsoft runs your email (talk about Big Brother), and its security department is getting ready to cut you off.
If you don't know to roll the cursor atop the link (or tap and hold on a touch screen) to see the URL associated with that link (a Thai business news website), or if URLs are mysterious gobbledygook to you, you may be so concerned that you click the link, perhaps in mini-panic. I was curious to see what the link's destination page did. Only after checking the source code of the page in an absolutely safe environment, I determined that the page consisted of a simple form (no redirection, or object or image loading going on, as usually happens). Here's the page:
If you supply the username and password and then click the Login button, your credentials pass through a program on the highjacked server, which passes that information along to an unknown Bad Guy. Web page copyright notice aside, there is no such organization called Global Internet Administration (and I felt very silly even typing that phrase into Google to confirm my suspicions).
So, what does the Bad Guy get in return? Of course he already has your email address, otherwise you wouldn't have received the message in the first place. But he doesn't know if your address—among the millions to which this message was sent—is still an active address and monitored by a human until you respond via the form. He also gets the Golden Key—your password—to your account at your email account domain. The most valuable domains in this case are the ones belonging to businesses (rather than the big ISPs like comcast.net). The smaller the company, the more valuable the credentials because if you use your computer for other corporate network activity, you probably use the same credentials to access the network. That's all an above-average cracker needs to rip his or her way through your company's computing systems. You just laid a Welcome mat before an unlocked door to the server room, offering access to financial accounts, trade secrets, and other users on the network (and thus their computers, contact lists, and so on).
I'm convinced that repeated newsworthy tales of computer security breeches have not hit home to the typical corporate computer user—despite having had multiple credit cards forcibly replaced in the past couple of years due to "hacks". And I'm not just talking about low-level computer-phobic employees. Top executives are perhaps even more vulnerable due to beliefs of invincibility or the false notion that the IT department offers 100% protection against attacks.
Rather than do the "right thing" upon receiving a message like the one above—contacting the IT or tech support desk to find out if the message is legitimate—users would rather bypass the hassle and try to handle it themselves. But unless such users are technically equipped to examine the 95% of the iceberg lurking below the surface before acting, the security of the company network is doomed.
At the same time, I understand that hounding IT for each and every attempted intrusion might engender its own terror. A condescending support tech who makes the user feel stupid for not summarily deleting such messages does just as much harm by encouraging users to poke around further, usually to a point that leads to successful phishing or malware installation. All it takes is a sigh or sarcastic tone from the support tech to discourage future requests for help. In truth, the user should be lauded as a hero whose actions become a teachable moment not only for him or herself, but for the rest of the staff.
Ultimately, I want users to be more concerned—nay, frightened—about the consequences of clicking that link or opening that attachment rather than the bogus threats or fake business opportunities and phony overseas purchase orders arriving in unsolicited email messages. The bomb starts ticking when the message lands in the inbox; acting on anything in the message leads to instant explosion.
That's the message that must get through to every internet-connected user on the planet.
Fake Adobe Creative Cloud InvoicePosted on October 20, 2014 at 10:40 AM
Received this scary (as in Halloween-scary) malware delivery that purports to come from Adobe (From: Adobe Billing; Subject: Adobe Invoice):
The attachment in my copy was a file named adb-102288-invoice.zip. If you get the same message, the number part of the file name will most likely be randomized, so don't expect a perfect name match.
What freaks me out about this mailing is that the .zip file passed through VirusTotal with a perfectly clean score. But woe be unto the person who opens that file. That warning should go for both Mac and Windows users (and perhaps even Android). The malware file has most likely been processed through known Bad Guy services that make just enough modifications to such files to eliminate (for a short time) the possibility of being filtered by antivirus incoming email checkers, yet still delivering the damaging part of the malware. Once the file has passed into recipients' inboxes...well, consider an army of undead, crawling through your computer and your company networks to suck brains.
If you try to be careful and check attachments against services such as VirusTotal, it's clear that such vigilance is not enough. Your suspicion radar dial must be turned up to eleven. In this case that would lead you to inspect the header of the email, where it clearly shows the email originated from a block of IP addresses in Morocco—not exactly in Adobe's backyard.
Incidentally, here is a genuine invoice payment notice from Adobe for Creative Cloud:
There is no attachment. Even so, I'm not a fan of the use of links to reach your account information. I'd rather they instruct recipients to log into https://accounts.adobe.com manually or via previously set browser bookmarks.