A Dispatch


February 18, 2015

New York City Parking Tickets

To observe how online crooks gain access to business computing systems (for so-called hacking activities that expose millions of customer accounts), look no further than a malware-laced email blasting its way across the Internet today. Here is an example:

From: nycserv@finance.nyc.gov
Subject: Thank you for your payment

This is confirmation that your payment on Wed, 18 Feb 2015 16:24:50 +0000 for USD 7900.00 has been
accepted by the NYC Department of Finance. Your Credit Card statement will show
an entry from Parking Fines NYCGOV. Please read the attachment and save it in case
you have any questions about the items that you have paid.

Name: sol [removed to protect the innocent]

Payment Date: Wed, 18 Feb 2015 16:24:50 +0000

Receipt Number: WWW31356651

Payment Amount: USD 7900.00

Credit Card: Visa

Account ending in: 5792

Your payment was for the following items:

Agency Item Amount
------------------------------ -------------------- ---------------
PVO 1160025162 USD 3000.00
PVO 7247746580 USD 4500.00
DOF Convenience Fee USD 400.00

Thank you for using New York City's website to process your payment.
Please do not reply to this email. You may contact us by visiting
http://nycserv.nyc.gov/NYCServWeb/ContactUs.html if you have questions
or need further assistance.

[attachment.zip]

Getting the email past anti-virus detection on incoming mail servers is the first challenge. But that's really not much of a challenge these days. Crooks have tools that slightly modify each instance of the attachment so that typical anti-virus checkers (which look for patterns of previous, known viruses) don't stop the delivery of the attachment. The attachment.zip file in the above email was detected by only 7 of 50 anti-virus systems, with a huge number of name brand products not seeing any problem with the file, and sending it on its way to recipients.
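The point above, that a pattern check keyed to a known copy of the file fails as soon as the crook changes a byte or two, is easy to see with a small test. The following is an added example, not code from the original post: it builds a constructed stand-in for a loader attachment (a zip holding an inert placeholder member with a double extension, nothing executable), blocklists that copy's SHA-256, then produces a second copy that differs only in the archive comment. The hash check catches the first copy and misses the second; a rule that looks at what the archive contains catches both. The file name, extension list and archive contents are assumptions for the demonstration.

```python
import hashlib
import io
import zipfile

# Extensions a mail gateway should refuse inside an archive attachment (assumed list).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def build_attachment(comment: bytes = b"") -> bytes:
    """Constructed stand-in for a loader attachment: a zip holding one member
    with a double extension. The member's bytes are inert text, not a program.
    The archive comment is a field that can differ from copy to copy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("receipt.pdf.exe", date_time=(2015, 2, 18, 16, 24, 50))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, b"placeholder bytes standing in for the loader")
        zf.comment = comment
    return buf.getvalue()


def hash_signature_matches(data: bytes, blocklist: set) -> bool:
    """Signature-style check: is this exact file's SHA-256 on the blocklist?"""
    return hashlib.sha256(data).hexdigest() in blocklist


def structural_rule_matches(data: bytes) -> list:
    """Content-style check: archive members with an executable extension or a
    double extension, regardless of what the archive as a whole hashes to."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(EXECUTABLE_EXTS) or lower.count(".") >= 2:
                hits.append(name)
    return hits


def compare_detections() -> dict:
    """Blocklist the first copy, then run both checks against the first copy
    and a second copy that differs only in its archive comment."""
    first_copy = build_attachment()
    second_copy = build_attachment(b"copy 2")
    blocklist = {hashlib.sha256(first_copy).hexdigest()}
    return {
        "same_bytes": first_copy == second_copy,
        "hash_catches_first": hash_signature_matches(first_copy, blocklist),
        "hash_catches_second": hash_signature_matches(second_copy, blocklist),
        "rule_catches_first": structural_rule_matches(first_copy),
        "rule_catches_second": structural_rule_matches(second_copy),
    }


if __name__ == "__main__":
    for key, value in compare_detections().items():
        print(f"{key}: {value}")
```

The practical takeaway is that a gateway rule on attachment contents (archive members with executable or double extensions) is cheap and does not depend on having seen that exact copy before, which is why it belongs alongside, not instead of, signature scanning.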

With the file safely delivered to the inbox, the crook has one more goal: to trick the recipient into opening the attachment. This is where so-called "social engineering" takes over. With any luck, the fable told in the message will get the recipient mad or worried enough to double-click the file reflexively, without any critical thinking. In this case, the recipient probably won't notice that the last four digits of the Visa card named in the message don't match his or her own card. In any case, nobody wants to be responsible for an errant $7900 charge, especially for parking tickets in a city they may never have visited. Nor would the uncritical recipient wonder how the NYC Department of Finance got his or her email address, when the only information a parking ticket would give it is the mailing address of the vehicle's owner or renter.

[I also highly recommend getting to know a little about email headers so you can see that this email message—despite its claim to be "from" finance.nyc.gov—actually originated from a DSL account in the Netherlands. Not exactly the data processing outsourcing center of the universe.]
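Reading headers the way the aside above recommends can be scripted. What follows is an added example, not code from the original post, and the raw message it parses is constructed: the hosts, IP addresses and mailboxes are placeholders (documentation address ranges and `.example` names), not the real headers of the email the post describes. It walks the `Received` chain back to the earliest hop, compares the host the receiving server actually observed there against the domain in the `From` header, compares the bounce address domain against it too, and notes a zip attachment on a message posing as a payment receipt.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed raw message modelled on the lure in the post. Every host, IP and
# mailbox below is a placeholder (documentation address ranges, .example names),
# not the real headers of the message the post describes.
RAW_MESSAGE = """\
Received: from mx.example.org (mx.example.org [198.51.100.2])
 by inbox.example.org with ESMTP id 3k9Q2x; Wed, 18 Feb 2015 16:25:01 +0000
Received: from finance.nyc.gov (203-0-113-77.dsl.isp.example [203.0.113.77])
 by mx.example.org with SMTP id 7Hq1Zc; Wed, 18 Feb 2015 16:24:55 +0000
Return-Path: <bounce@isp.example>
From: nycserv@finance.nyc.gov
To: recipient@example.org
Subject: Thank you for your payment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This is confirmation that your payment has been accepted by the NYC Department of Finance.
--b1
Content-Type: application/zip; name="attachment.zip"
Content-Disposition: attachment; filename="attachment.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# In "from HELO-NAME (RDNS-NAME [IP])", HELO-NAME is whatever the sending machine
# claimed; the parenthesised part is what the receiving server observed itself.
OBSERVED_HOP = re.compile(r"\((?P<rdns>[^\s()\[\]]+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)")


def domain_of(header_value) -> str:
    """Domain part of the first address in a header, lowercased ('' if none)."""
    address = parseaddr(str(header_value or ""))[1]
    return address.rpartition("@")[2].lower()


def origin_hop(msg):
    """Servers prepend Received headers, so the last one is the earliest hop:
    the machine that handed the message to the first relay in the chain."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = OBSERVED_HOP.search(str(received[-1]))
    return (match.group("rdns"), match.group("ip")) if match else None


def analyze(raw: str) -> dict:
    """Return the claimed sender domain, the observed origin and a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    bounce_domain = domain_of(msg["Return-Path"])
    hop = origin_hop(msg)
    findings = []
    if hop and from_domain:
        rdns = hop[0].lower()
        if not (rdns == from_domain or rdns.endswith("." + from_domain)):
            findings.append(f"earliest hop {hop[0]} [{hop[1]}] is not a {from_domain} host")
    if bounce_domain and bounce_domain != from_domain:
        findings.append(f"bounces go to {bounce_domain}, not {from_domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            findings.append(f"zip attachment {name!r} on a message claiming to be a receipt")
    return {"from_domain": from_domain, "origin": hop, "findings": findings}


if __name__ == "__main__":
    for line in analyze(RAW_MESSAGE)["findings"]:
        print("suspicious:", line)
```

The one hop you can trust is the one your own server recorded; everything earlier in the chain was written by machines the sender may control, which is why the comparison is made on the reverse-DNS name and address the receiving relay observed rather than on the name the sender announced.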

Double clicking one of these malware loader email attachments is a one-way trip down a very dangerous alley. Analyses of the malware found on computers of some of the biggest successful hack attacks have demonstrated that the crooks are exceedingly patient. Once they have a foothold, they'll quietly rummage around not only your computer, but any network(s) to which you connect. They'll do this for months until they have captured sufficient knowledge of where vital information is stored and the login credentials needed to steal that information.

Oh, and you Macintosh users out there—that includes me—don't be so smug that your system is hacker proof. THERE IS NO SUCH THING! I simply steer clear of any attachment I wasn't expecting and won't click on a link in an email message without first confirming that the link destination is safe.

Paranoid?

You bet.

Safe?

Safer than most.

It seems paradoxical to me that the most difficult part of teaching computer users how to be safe from email-borne malware attacks is getting them in the habit of not acting on suspicious stuff in the messages. You'd think the world is full of lazy people, but they're actually overachievers when it comes to clicking and double clicking email message content.

Crooks know this, too. Which is why we're doomed.

Posted on February 18, 2015 at 10:40 AM