October 11, 2012
We are now a third of the way into October and there is no letup in the volume of malware-infested email scams flooding our inboxes. When I refer to malware delivered via email, most of it does not arrive as the malware itself but as links to compromised websites that are hosting the Blackhole Exploit Kit and similar badware.
Because of blogs like this one, many computer users are wary of clicking on links in unexpected emails. This is especially so if they have taken my advice and read the destination URL in the status bar of their email client while hovering over a link without clicking it. Hovering typically causes the status bar at the bottom of the window to appear and display the actual URL from the underlying HTML. That URL will contradict the fake anchor text, or the spoofed company's domain name, in most of the spam emails that are written to trick unwary users into clicking without thinking it through.
For example, if an email claims to be from CNN Breaking News, yet when you hover over its links the status bar shows something like the following, it is a spoofed link, probably leading to an exploit kit:
h**p://strange-domain.de/FME2kA9/index.html.
"index.html" is a favorite file name for the Blackhole purveyors. A few use the variation index32.html, while another poisoned link template uses the destination file name "forwarding.htm".
In order to attack the more cautious email readers who don't blindly click on links, some scams pack their malicious code into attachments that the reader is encouraged to open. One usually sees these malware-laden attachments in emails that pretend to contain a (sometimes forwarded) scan from an HP ScanJet, like this example from earlier tonight: (Subject) Re: Fwd: Scan from a HP ScanJet #14191476. That email contained an attachment named "HP_Document.zip" that, when opened, would attempt to exploit vulnerable, unpatched software you might have installed (such as an outdated version of Adobe Reader, Acrobat, or Flash), launching an exploit attack on the user's computer.
A third method is to embed hostile scripting and invisible iframes in .htm attachments. Recipients are then urged by the spammers to open those files in Internet Explorer. Doing so launches the same Blackhole or Phoenix exploit code that is normally served from remote, compromised websites or hostile malware servers, with no remote link for the reader to hover over.
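The hover check above, and the hidden-iframe trick just described, can both be done mechanically. The following is an added example, not code from this post: it parses a raw email, flags any link whose real href host does not match the host named in the anchor text (or, failing that, the sender's domain), looks for the landing file names the post mentions, and scans .htm/.html attachments for invisible iframes and inline scripts. The sample message is constructed here; the strange-domain.de/FME2kA9 URL is the post's own example, while the sender address, attachment name and the finding labels are made up for illustration.

```python
"""Added example, not code from the post: the hover check done programmatically (real href
host vs. the host named in the anchor text or the sender's domain) plus a scan of .htm
attachments for hidden iframes and inline scripts. All sample data is constructed."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

LANDING_FILES = ("index.html", "index32.html", "forwarding.htm")  # file names cited in the post

class LinkAndFrameCollector(HTMLParser):
    """Collects (href, visible text) per anchor, iframe attributes, and a <script> count."""
    def __init__(self):
        super().__init__()
        self.links, self.iframes, self.scripts, self._href, self._text = [], [], 0, None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "iframe":
            self.iframes.append(a)
        elif tag == "script":
            self.scripts += 1
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_from_text(text):
    """Host named by the anchor text itself ('www.cnn.com/breaking'), or '' if none."""
    t = text.strip().lower()
    t = t.split("://", 1)[1] if t.startswith(("http://", "https://")) else t
    t = t.split("/", 1)[0]
    return "" if " " in t or "." not in t else t

def registered_domain(host):
    return ".".join(host.lower().split(".")[-2:])  # crude last-two-labels rule; wrong for e.g. co.uk

def is_hidden(attrs):  # iframe rendered 0/1 px in either dimension, or styled invisible
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = lambda v: v is not None and v.strip().rstrip("px") in ("0", "1")
    return bool(tiny(attrs.get("width")) or tiny(attrs.get("height"))
                or "display:none" in style or "visibility:hidden" in style)

def analyze_html(html, sender_domain, where="body", is_attachment=False):
    p = LinkAndFrameCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue  # mailto:, relative, or malformed
        text_host = host_from_text(text)
        if text_host and registered_domain(text_host) != registered_domain(host):
            out.append((where, "anchor-text-mismatch", f"{text!r} -> {href}"))
        elif sender_domain and registered_domain(host) != registered_domain(sender_domain):
            out.append((where, "sender-domain-mismatch", f"{sender_domain} -> {href}"))
    out += [(where, "hidden-iframe", a.get("src", "")) for a in p.iframes if is_hidden(a)]
    if is_attachment and p.scripts:
        out.append((where, "script-in-attachment", f"{p.scripts} <script> block(s)"))
    for url in [h for h, _ in p.links] + [a.get("src", "") for a in p.iframes]:
        if url.lower().rsplit("/", 1)[-1] in LANDING_FILES:
            out.append((where, "known-landing-filename", url))
    return out

def triage(raw_bytes):
    """Run analyze_html over the HTML body and every .htm/.html attachment of one message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    sender = str(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].rstrip(">").strip() if "@" in sender else ""
    findings = []
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if part.is_multipart() or not (part.get_content_type() == "text/html"
                                       or fname.endswith((".htm", ".html"))):
            continue
        content = part.get_content()  # bytes if the .htm was sent as application/octet-stream
        content = content.decode("utf-8", "replace") if isinstance(content, bytes) else content
        findings += analyze_html(content, sender_domain, fname or "body",
                                 part.get_content_disposition() == "attachment")
    return findings

def build_message(html_body, htm_attachment=None):
    """Constructed sample message; the sender address is made up."""
    m = EmailMessage()
    m["From"] = "CNN Breaking News <breakingnews@mail.cnn.com>"
    m.set_content("Plain-text fallback.")
    m.add_alternative(html_body, subtype="html")
    if htm_attachment:
        m.add_attachment(htm_attachment, subtype="html", filename="Scan_Document.htm")
    return m.as_bytes()

SPOOFED = build_message(  # the post's example URL in the body, plus a booby-trapped .htm
    '<p>Full story: <a href="http://strange-domain.de/FME2kA9/index.html">'
    'http://www.cnn.com/breaking</a></p>',
    '<html><body>Loading...<iframe src="http://strange-domain.de/FME2kA9/index.html" '
    'width="1" height="1"></iframe><script>document.write("")</script></body></html>')
```

Calling `triage(SPOOFED)` reports an anchor-text mismatch and a known landing file name for the body, and a hidden iframe, an inline script and another landing file name for the attachment. The registered-domain comparison is deliberately crude (it treats the last two labels as the owner), so it is a triage aid for spotting the mismatch the hover check would show, not a replacement for the anti-virus and web-reputation checks discussed further down.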
What senders or subjects are currently being spoofed in scams hitting inboxes with malware links or attachments?
Last week the majority of email malware scams were spoofing ADP payment processors and eFax. Earlier this week they began spoofing Intuit, with phony QuickBooks updates. On October 10 the first scams were fake Sprint bills, followed by bogus LinkedIn notices using the subject "(Name) is now part of your network. Keep connecting...", followed by a flood of scams pretending to be from Chase Bank, with subjects like "Chase: Your credit cars account" (sic) and, from Chase.Alert, "Credit card report."
The very latest email scams involve the old but still effective "Scan from an HP ScanJet" come-on, with the payload in an attached file.
Since last Friday there have also been several PayPal phishing scams, a few fake CNN Breaking News alerts, plus a bunch spoofing UPS deliveries and bills. All either contained links to remote malware-serving locations or attachments containing the payloads.
The cyber criminals behind these scams are going all out to draft as many computers as possible into spam and attack botnets in the shortest amount of time. Most of the infected PCs will also have a bank-account-stealing Trojan installed (e.g. Cridex or ZeuS) to empty their owners' bank accounts, or steal their credit card details or identities, before the Christmas shopping season begins. Others will deliver ransomware that locks the computer and encrypts its documents until a ransom is paid by MoneyPak.
How to protect your computer and yourself from these email-borne threats
First and foremost, keep modern, fully automatic (updates and scans), up-to-date anti-virus and anti-malware security programs running at all times. I use Trend Micro Titanium, as well as a fully licensed copy of Malwarebytes Anti-Malware, on all of my PCs.
Second, whether you read email in a browser or in a standalone desktop email client (e.g. Windows Live Mail, Microsoft Outlook or Outlook Express, or Mozilla Thunderbird), make sure that it is capable of revealing the actual destination of links in a status bar whenever you hover your pointer over them without clicking. Most desktop email clients have a fixed status bar at the bottom of the message window when you open an email from the Inbox or another folder.
Web browsers (e.g. Internet Explorer, Chrome, Firefox, etc.) used to have status bars at the bottom that you could turn on or off. Now, sadly, most don't offer a permanently visible status bar. Instead, these browsers show a transient status bar that appears when you hover over a link, reveals the actual URL, and disappears again when you move the pointer away or click.
I prefer not to leave matters to chance, so I also run a spam filter, named MailWasher Pro, before my desktop email application (Windows Live Mail). MailWasher Pro is an advanced spam and email threat detection program. It uses a combination of methods for identifying and dealing with unwanted email of all kinds. The method I like best is the user-configurable spam filter rules. When I see a new type of email scam, or an old one that fools my existing filters, I either add a new condition to an existing filter or create a brand new one, then upload my entire set of filters to my website for public use. You can read about and download my MailWasher Pro Filters here.
Finally, if you use Firefox, you can install the NoScript add-on. By default, NoScript blocks the rendering of JavaScript, Java, Flash and several other active technologies that can be misused to harm a computer. If you browse with Google Chrome, there is an extension named "ScriptNo" available for it, which works in a similar manner to NoScript (but not currently as effectively). Since it is highly unlikely that you will have whitelisted the compromised websites used in malware links, they will be blocked from running hostile code against your browser, because NoScript blocks scripting by default.
The Blackhole exploit kit relies entirely on JavaScript being enabled to run its probes for vulnerable software on the PC it is attacking. With JavaScript enabled, it first tests whether you have an exploitable version of the Java plug-in installed and enabled. If not, it moves on to look for old versions of Adobe Reader, Acrobat, Shockwave and Flash Player. It may also check whether the PC is missing certain Windows Updates that patched zero-day exploits released this year. Blocking scripting on untrusted sites therefore stops the kit before it can even choose an exploit.
Last, but not least, if you use a current version of any Trend Micro security program, it includes blocking of known hostile or suspicious web pages. You cannot accidentally open a web page blocked by the Trend Smart Protection Network.