New social engineering tricks used in email malware scams
It appears that no matter how many cyber criminals get busted, or how many botnet command and control servers are taken offline, there is always another scam waiting to take their place. So it is with email scams that lead to malware attack kits.
The words and phrases in the subjects and message bodies used by scammers have been morphing over the last few years. We still see some of the old topics being used; recycled is a better word. But new subjects and message bodies are being developed by clever copywriters employed by malware distributors. I want to share some of the recent social engineering topics and hook lines that I have seen in spam/scam emails detected by MailWasher Pro and subsequently reported to SpamCop.
The most recent scam is one I don't recall ever seeing before. It seems to target business owners who might hire accounting firms to take care of their books and taxes. It is a very clever scam, leading to a huge exploit kit containing over 18,000 bytes of JavaScript code. Included are over two dozen script tags, most of which probe your browser and computer for exploitable plug-ins, like Java, Flash, Adobe Reader and Internet Explorer's ActiveX. If the victim's browser has any of the vulnerable versions of these plug-ins installed, silent exploits take place, resulting in the PC becoming a zombie in a spam and attack botnet. Victims are also treated to a free installation of a bank account stealing Trojan and maybe even a free scan from a fake anti-virus scanner that demands money to remove the fake detections and the barrage of warnings it fires at you.
Here then are the subjects and message contents of some email scams I analyzed today.
Scam #1:
Received: from [86.98.158.206] (helo=bba81994.alshamil.net.ae)
Date: Tue, 24 Apr 2012 05:31:55 +0400
From: "Adonia Fitzgerald"
Subject: Are you tired of severe taxes?
We can help you optimize your accounting so that your expenditures on taxes reduce by two times minimum. Our professional employees will attach best efforts so that no legal expert could find a fault. Furthermore, we undertake to submit your paperwork to the Tax Service. Due to our broad experience in this field and large turnover, we have our own contacts in this institution which makes it easier for us to submit statements and brings their review to naught. Please, find attached the list of our services and the price list. We will be glad to cooperate with you!
<a href="h**p://cyclosgazelec-lr.fr/ZD7NERn1/index.html?2YK1JF1=MD514XFTP1&GJT=IM137AHQ&WWK87AD=ZOFW5MD1LKCXYO4&JYPQJ18=C7I058V8WM35P6GO8FFH5&VFQKC=GPK0888WYHLWHC9KM69S4MCL0&FGL=VO3VR841&D18FL=RB9UK2KXPP&">our services.doc 726kb</a>
Best regards
Adonia Fitzgerald
Fingerprint: c3e1de1d-4b650000
I have deactivated the link above, for your safety. Trust me when I tell you that the link led to a compromised website, into which a folder named ZD7NERn1 was injected, along with a single file in that folder, named index.html. The contents of that index file consisted of two JavaScript "includes," both of which contained the same JavaScript code to redirect the victim's browser to another intermediate server, which passes the request to the actual malware server hosting the exploit kit.
Scam #2:
Received: from [189.31.234.75] (helo=brasiltelecom.net.br)
Date: Mon, 23 Apr 2012 11:50:59 -0300
From: "American Express"
Subject: Fraud Protection Alert
Fraud Protection Alert
Fraud Protection Alert.
Cardholder, For your security, we regularly monitor accounts for possible fraudulent activity. Please review the attempted charge below which occurred within minutes of the timestamp of this message.
Transaction Date: 04/23/12
Merchant: TIGERDIRECT
Amount: 5153.88 Currency: USD
Case Number: 13680
Please verify these attempted charges using our <a href="h**p://mikroteksoft.com/akAYd6dn/index.html">Secure Online Chat</a> or please log in to <a href="h**p://mikroteksoft.com/akAYd6dn/index.html">www.americanexpress.com/case/</a> to dispute it.
If we've already spoken to you about this matter, please disregard this message. No further action is required. Thank you for your Cardmembership. Sincerely, American Express Account Security Fraud Prevention Network For your security:
...snip...
This scam leads to the same exploit kit as the previous one.
As an email recipient, you can protect your computer from being exploited by such attack kits by combining user smarts with computer security programs. Do not allow the weakest link to reside between the keyboard and chair! Smarten up, Trainee! Learn how to spot fake links in email or website messages. The simplest way to do this is by hovering your pointer, without clicking, over any link in an email that has you concerned. All email clients (desktop email programs, or browser based email readers/composers) have a means of showing or hiding what is known as a "Status Bar." Use your email client's View options to display a Status Bar. If you do email with your main web browser, it will either have a View option for a Status Bar, or will automatically create one when you hover over any link.
Once you figure out how to see the Status Bar, hovering over links will reveal the actual URL (usually a domain name or IP address) to which the coding points. If you see links such as the above examples, while the visible link text says something else (e.g. "our services.doc" or "www.americanexpress.com"), do not click on the link!
All email clients and browser based email systems will have some way of displaying the complete incoming "headers." The headers reveal the actual sending domains. Note the headers in my second example. The "Received: from" line shows that the message was sent from brasiltelecom.net.br (Brazil). It would make no sense for the US based American Express company to use a home telecom service in Brazil to send important announcements to its customers. They own their own servers and email systems, located in the good old US of A! That's where Internet Street Smarts comes into play. Learn to display and review your incoming email headers! Find your email display options and activate the one to show the complete headers.
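The two manual checks above, link text versus real href and From: domain versus the originating Received: host, can be automated. The script below is an added example, not part of the original post; it runs over a constructed message modelled on scam #2, keeps the post's "h**p" defanging, and uses "compromised.example" as a placeholder host in its notes.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on scam #2 above (not the original message); links stay defanged as "h**p".
SAMPLE = """Received: from [189.31.234.75] (helo=brasiltelecom.net.br)
From: "American Express" <alerts@americanexpress.com>
Subject: Fraud Protection Alert
Content-Type: text/html

<p>Verify via our <a href="h**p://mikroteksoft.com/akAYd6dn/index.html">Secure Online Chat</a>
or log in to <a href="h**p://mikroteksoft.com/akAYd6dn/index.html">www.americanexpress.com/case/</a>.</p>
"""

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE = re.compile(r"^(?:h(?:ttp|\*\*p)s?://)?([\w.-]+\.[a-z]{2,})(?:[/:?].*)?$", re.I)
DOCLIKE = re.compile(r"\.(?:docx?|pdf|xlsx?|zip)\b", re.I)
RECEIVED = re.compile(r"from\s+\[?([\d.]+)\]?\s*\(helo=([^)\s]+)\)", re.I)

def same_site(a, b):
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def suspicious_links(html):
    """(visible text, real host) for anchors whose text names a host or document the href does not deliver."""
    flagged = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()   # drop tags nested inside the anchor
        u = urlparse(href.replace("h**p", "http"))    # undo the post's defanging
        host = (u.hostname or "").lower()
        m = HOSTLIKE.match(text)
        if (m and not same_site(m.group(1).lower(), host)) or \
           (DOCLIKE.search(text) and not DOCLIKE.search(u.path)):
            flagged.append((text, host))
    return flagged

def sender_check(raw):
    """Compare the From: domain with the host in the earliest Received: hop (headers are prepended, so it is the last one)."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = msg.get_all("Received") or []
    m = RECEIVED.search(hops[-1]) if hops else None
    helo = m.group(2).lower() if m else ""
    return {"from_domain": from_dom, "ip": m.group(1) if m else "", "helo": helo,
            "helo_matches_from": bool(helo) and same_site(helo, from_dom)}

def body_of(raw):
    """HTML payload of a constructed single-part message like SAMPLE."""
    return message_from_string(raw).get_payload()
```

A mismatch from either function is exactly what the status bar and the full headers would show you by hand.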
In closing, I use and recommend MailWasher Pro to detect and delete spam and scams, before they are downloaded to my Windows Live Mail desktop email client. Some scams contain active scripting which could be triggered by opening a rigged email message in your reader. MailWasher protects you from this by displaying the contents in safe, plain text. I also write custom spam filters for use with MailWasher Pro. Feel free to use them with your paid copy of MailWasher Pro. I update the filters every week, and sometimes on a daily basis.
One final thought: You must keep a legitimate anti-malware program operating and updated on all of your computers! This includes Macs, which were recently targeted by the Java-exploiting Flashback Trojan, which is still infecting over 600,000 Mac computers. I use and recommend Trend Micro security programs. They all come with the Trend Smart Protection Network, which blocks access to infected pages and malware servers.