October 22, 2012

Mixed up malware spammer, confusing UPS with FedEx

October 23, 2012

Spam email containing malware in attachments is nothing new to most of us Netizens who have been online long enough to have our email accounts harvested by spammers. Most of the time we have to take a close look at the content of any email message to see if it might be a scam, even if it comes from a sender whose name or company we recognize. Not so with the spam message I received around midnight Oct 22, 2012.

Most of us have received email scams spoofing UPS, FedEx or other courier services, and some can be pretty convincing. But I have to rate this message with a BIG FAIL! You have to read this mangled English text that I found inside a scam spoofing both UPS AND FedEx.


From: "ups" <[email protected]>
Subject: Your Package FE N75985662

Body text:
fedex.com|Ship|Track|Manage|Office/Print Services (missing hyperlinks, just text!)

We apologize, but it seem so, that we not can deliver your package. One of our trucks is burned tonight. In attachment you can find a form for insurance. Please fill it out and send it us urgent, because we must told amount of damage to the Insurance company.

If you looked at the From field in your email client, it would clearly claim to be from "ups" and "[email protected]." Note the Subject, which contains an alleged shipping code beginning with "FE" - belonging to FedEx, not UPS! This shows confusion on the part of the spammer who composed the template for the spam run.

The message, when opened, is missing some of the images it tried to steal from the FedEx servers. But the best giveaway that this is a scam is the horrible English grammar in the hook text. It is so poorly worded that a 10-year-old should see it as a scam. Check out these badly worded phrases:

  1. but it seem so...
  2. One of our trucks is burned...
  3. In attachment...
  4. send it us urgent...
  5. we must told amount of damage...

The attachment in this case was a Zip file named "Fedex_ID99278-3P.zip" containing a malware backdoor installer and Trojan loader, called "W32.Cridex" by Symantec.

For your own safety, when you receive email messages, note the Sender's name, email address and domain, subject and body text. If the message claims to come from a company, the names should be consistent in all of these areas. No matter what language it was composed in, the grammar should be correct and businesslike. No actual company with a known brand name will ever send out an email with such horrible use of language/grammar as the above example.
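The consistency test described in the paragraph above can be automated in a mail gateway or a personal filter. The following Python script is an added example, not code from the original post or from any product it mentions: it compares the brand named in the From display name with the sender's domain (using a small, constructed brand-to-domain table) and with the brands mentioned in the Subject and body. The sample message reproduces the quoted scam text with a placeholder sender domain; the control message is constructed to show what a consistent message looks like.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands and the domains they legitimately send from. This is a constructed
# lookup table for the example; extend it for the brands you see spoofed.
BRAND_DOMAINS = {
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
    "usps": {"usps.com"},
}

# Constructed sample modelled on the mixed-up UPS/FedEx message quoted above.
# The sender address uses a placeholder domain; it is not a real indicator.
SAMPLE_RAW = """\
From: "ups" <notice@mail.example.invalid>
Subject: Your Package FE N75985662
Content-Type: text/plain; charset=us-ascii

fedex.com|Ship|Track|Manage|Office/Print Services

We apologize, but it seem so, that we not can deliver your package.
"""

# Constructed control message whose name, address and text all agree.
CONSISTENT_RAW = """\
From: "UPS Customer Service" <noreply@ups.com>
Subject: Your UPS shipment has been delivered
Content-Type: text/plain; charset=us-ascii

Thank you for shipping with UPS.
"""


def _brands_in(text):
    """Return the known brand names that appear in text as whole words."""
    return {
        brand for brand in BRAND_DOMAINS
        if re.search(r"\b" + re.escape(brand) + r"\b", text, re.IGNORECASE)
    }


def _body_text(msg):
    """Concatenate the decoded text/* parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(chunks)


def _sent_from(domain, brand):
    """True when domain is the brand's domain or a subdomain of it."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def check_brand_consistency(raw_message):
    """Compare the brand claimed in the From display name with the sender
    domain and with the brands mentioned in the Subject and body.
    Returns a list of findings; an empty list means the message is consistent."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    claimed = _brands_in(display_name)
    findings = []
    for brand in sorted(claimed):
        if not _sent_from(sender_domain, brand):
            findings.append(
                f"From name claims '{brand}' but the address domain is '{sender_domain}'")
    mentioned = _brands_in(msg.get("Subject", "") + " " + _body_text(msg)) - claimed
    if claimed and mentioned:
        findings.append(
            f"From name claims {sorted(claimed)} but subject/body mention {sorted(mentioned)}")
    return findings


if __name__ == "__main__":
    for finding in check_brand_consistency(SAMPLE_RAW):
        print("SUSPECT:", finding)
    print("control message findings:", check_brand_consistency(CONSISTENT_RAW))
```

Run against the quoted scam, the script reports both the domain mismatch and the FedEx mention in a message whose From name says "ups"; the control message produces no findings. The brand table is the only thing that needs tuning per site.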

Always keep an anti-malware or anti-virus program active on all of your computers and smart phones/tablets that connect to the Internet. But you are the first line of defense against scams. Use the common sense God granted to you when reading email messages! Many spammers and scammers are located in distant countries and English is not their first language. Some may even use dictionaries to translate templates composed by other spammers, who are usually located in Eastern Europe. Poor grammar and spelling are a dead giveaway that the message is a scam of some kind.



October 17, 2012

Watch out for more malware link email scams this week


Malware purveyors are busy this week, distributing email scams that contain either links to malware or attachments carrying it. Thus far, since Monday this week, I have seen several company brands being spoofed to try to fool recipients into clicking on links leading to the Blackhole or Phoenix exploit kits.

These exploit kits are professionally written to take advantage of vulnerabilities in commonly deployed software that interacts with web browsers or email clients. The primary target is Java technology, which is now owned and maintained by Oracle.

Typically, the first round of scams arrives on Monday mornings and spoofs business brands such as Intuit, UPS or USPS, or poses as scans from an HP ScanJet, fake invoices, or bogus schedules for company meetings. All of the above arrived in my inbox on Monday and Tuesday. On Wednesday, the brands being spoofed are UPS, LinkedIn and Facebook. They follow particular scam patterns that give them away to people who are aware and use caution before clicking on links.

The Tell-Tale Patterns

The LinkedIn Scams

So far, the scams targeting LinkedIn members all have the following commonalities:

Note: I use the pipe symbol | to separate different senders, subjects or items.

  1. From Name: LinkedIn.Invitations
  2. From account@domain: all were non-linkedin.com domains (e.g. [email protected])
  3. Subjects: Invitation | New invitation is waiting for your response
  4. Salutation: Hi [email address],
  5. Body text hook-line: [Name] sent you an invitation to connect [number] days ago. How would you like to respond?
  6. Links: All contain 5 (five) links, none of which are actually to linkedin.com. Of the 5 links, some or all may be duplicates.
  7. Link Structure: All of the links have a URL containing a folder whose name is comprised of 6 to 8 random digits and/or letters of mixed case, a forward slash and a file named index.html. (e.g. /3aJcXKiK/index.html)

The UPS Scams

  1. From Name: UPS Service | UPS Support
  2. From account@domain: (errors|activity|customer.shipments)@upss.com
  3. Subjects: Delivery problem # Error ID2186 | UPS shipment status ID#0799 | Failure to deliver ID#59189
  4. Salutation: none
  5. Body text hook-line: Italian Job actor John Clive dies | Video: Extra: Robbie Walters interrogation | Amnesty International workers go on strike
  6. Links: One link, similar to this: compromised-domain/LTBRZJDLYO.html
  7. Link structure: The one link wraps around a very large image, pulled from the same compromised website as the link points to.
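The link-structure indicators in items 6 and 7 of both lists can be checked mechanically. The following Python script is an added example, not the author's MailWasher filters or any code from the original post: it extracts every anchor from an HTML body, checks whether each host belongs to the brand's real domain (a constructed lookup table), flags visible link text that names one domain while the href goes to another (which is what hovering reveals), and matches the two path shapes quoted above. The hostnames in the sample bodies are placeholders; the folder and file names are the ones quoted in the lists.

```python
import re
from urllib.parse import urlparse

# Domains the spoofed brands legitimately link to (constructed table).
LEGITIMATE_DOMAINS = {"linkedin": {"linkedin.com"}, "ups": {"ups.com"}}

# Path shapes from item 7 of the two lists above: a folder of 6 to 8
# mixed-case letters or digits followed by index.html, and a single
# 10-letter upper-case .html file at the root of the compromised site.
PATH_PATTERNS = {
    "random-folder/index.html": re.compile(r"^/[A-Za-z0-9]{6,8}/index\.html$"),
    "UPPERCASE.html": re.compile(r"^/[A-Z]{10}\.html$"),
}

ANCHOR_RE = re.compile(
    r'<a\s[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# A domain name written out in the visible link text, with or without a scheme.
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)

# Constructed HTML bodies. Hostnames are placeholders; paths are from the lists.
LINKEDIN_SAMPLE = """
<p>Hi someone@example.invalid,</p>
<p>[Name] sent you an invitation to connect 3 days ago. How would you like to respond?</p>
<a href="http://compromised.example.invalid/3aJcXKiK/index.html">Accept</a>
<a href="http://compromised.example.invalid/3aJcXKiK/index.html">View invitation</a>
<a href="http://other-host.example.invalid/9QpT2xLm/index.html">www.linkedin.com/invitations</a>
<a href="http://other-host.example.invalid/9QpT2xLm/index.html">Unsubscribe</a>
<a href="http://other-host.example.invalid/Ab12Cd/index.html">http://www.linkedin.com</a>
"""
UPS_SAMPLE = """
<a href="http://compromised.example.invalid/LTBRZJDLYO.html"><img
  src="http://compromised.example.invalid/big.jpg" width="600" height="900"></a>
"""
GENUINE_SAMPLE = '<a href="https://www.linkedin.com/">View on LinkedIn</a>'


def extract_links(html):
    """Return (href, visible text) pairs for every anchor in an HTML body."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in ANCHOR_RE.findall(html)]


def _belongs_to(host, domains):
    """True when host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse_links(html, claimed_brand):
    """Run the tell-tale link checks over an HTML body that claims to come
    from claimed_brand and return a dict of findings."""
    legit = LEGITIMATE_DOMAINS.get(claimed_brand, set())
    links = extract_links(html)
    hosts, off_brand, mismatches, pattern_hits = set(), [], [], []
    for href, text in links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        hosts.add(host)
        # Item 6: a link that does not go to the brand's own domain.
        if not _belongs_to(host, legit):
            off_brand.append(href)
        # What hovering shows: text naming one domain, href going to another.
        m = DOMAIN_IN_TEXT_RE.search(text)
        if m and not _belongs_to(host, {m.group(1).lower()}):
            mismatches.append((text, href))
        # Item 7: the characteristic path shapes.
        for name, pattern in PATH_PATTERNS.items():
            if pattern.match(parsed.path):
                pattern_hits.append((name, href))
    return {
        "link_count": len(links),
        "unique_hosts": sorted(hosts),
        "off_brand_links": off_brand,
        "anchor_text_mismatches": mismatches,
        "path_pattern_hits": pattern_hits,
        "suspicious": bool(off_brand or mismatches or pattern_hits),
    }


if __name__ == "__main__":
    for label, body, brand in (("LinkedIn", LINKEDIN_SAMPLE, "linkedin"),
                               ("UPS", UPS_SAMPLE, "ups"),
                               ("genuine", GENUINE_SAMPLE, "linkedin")):
        print(label, analyse_links(body, brand))
```

The LinkedIn sample trips all three checks on every link; the UPS sample has a single link with no visible text (it wraps an image) and is caught only by the upper-case file-name pattern, which is why a filter should combine indicators rather than rely on any one of them.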

The lone Facebook scam I received was sent from a computer in Chile, with a sender named [email protected]. The subject was: "Isai MUNSON wants to be friends on Facebook." The hostile link (surrounding several keywords) leads to a file named: (domain-removed)/report.htm. Following that link, using WannaBrowser for safe viewing, reveals the Blackhole Exploit Kit code. It begins with the level 1 heading: "Please wait a moment. You will be forwarded.." - followed by an H3 heading: "Internet Explorer or Mozilla Firefox compatible only"

Everything after that is a huge JavaScript function that tests your browser for exploitable versions of Java, Flash, Reader, MSXML, etc. If any vulnerable plug-ins are found, a payload executable is downloaded and runs in the background, handing remote control of your computer to cybercriminals.

While the exploit kits used may vary, their purpose is to infect computers or hand-held devices with malware that makes them members of the same botnet that sent the scam email to them. Compromised devices become zombie soldiers in spam and attack botnets (world-wide networks of remotely controlled infected computers and/or devices). Additionally, these computers or devices usually have Trojans installed that may steal online banking credentials, logins to PayPal, Facebook, LinkedIn, website control panels, et al. Others may end up with fake security programs that constantly display warnings about alleged infections found on the computer or device, demanding payment to remove them. The warnings are fake. The infection is the file presenting the dire warnings from fake scans.

So far, the exploit kits I have seen all use JavaScript to probe the computer or device arriving at the linked destination for certain exploitable software. The main targets are Oracle Java (previously owned by Sun Corp.), Adobe Reader, Adobe Flash, and a particular Microsoft MSXML control that was patched a few months ago. Attack codes are updated as old exploits become less productive (due to users applying patches and disinfecting their computers and devices) and new ones are discovered (a.k.a. zero-day exploits).

What you can do to protect yourself and your employees from these threats

Your defenses must be multi-pronged. If you browse the Internet and have targeted software installed, you need to take steps to reduce your risk of infection from email scams, or from hostile code invisibly embedded into otherwise innocent websites you visit. The following list represents my own preferences for protecting my computer from malware attacks.

  1. I browse primarily with the latest version of Firefox. Firefox does not run ActiveX Controls, which are the favorite target for exploits against Microsoft's Internet Explorer browsers. In general, Firefox is both more versatile and more secure than Internet Explorer, although both are frequently targeted for new vulnerabilities as they are discovered by hacking groups.
  2. I use the NoScript Add-on, which blocks JavaScript, Java, Flash, cross-site scripting, click-jacking, hidden iframes, and other possibly dangerous content by default. I have to whitelist domains and included objects that I trust, by specifically allowing them to run. This Add-on defeats all JavaScript exploit kits, unless they happen to be run on a website that one has previously allowed to run scripting.
  3. I have uninstalled Java from all of my computers. It is the single most exploited piece of software in the entire World and most websites no longer use it. If I find it necessary to use Java to work some particularly important website, I will run it in Google Chrome only and disable the Java Plug-in for all other installed browsers.
  4. I do not use a browser to read, send or compose email. I use a desktop email client, named Windows Live Mail 2011. I have set the options so that incoming email is opened in the Restricted Sites Zone, meaning no executing of JavaScript, or hidden iframe redirects. Further, I have disabled automatic checking for email; it only checks when I click the "Send/Receive" button. There's a reason for this, listed next!
  5. I screen all incoming email in MailWasher Pro (201x). This program displays the contents of incoming emails in plain text. A click of an option link reveals the hidden source code. This exposes obfuscated URLs that pretend to go to say LinkedIn, but really go to exploit sites. It makes it easy to identify and delete spam, scams and malware threats before I click the Send/Receive button on Windows Live Mail.
  6. I personally write and publish spam filters for MailWasher Pro. Any MailWasher user can download and use my spam filters. They are updated often, to detect and delete or flag spam, scams and hostile link emails. My filters detect hidden hostile links that might otherwise fool a typical busy email user.
  7. I operate all of my computers with less privileged accounts. My XP Pro computers run as a Power User and my Windows 7 account is a Standard User. I leave UAC enabled for my own protection. If or when I login to an Administrator level account, it is only to do things that cannot be installed or updated effectively from my Power or Standard account. Again, I leave UAC enabled. This reduces my exploitability: you must trick me visibly, rather than invisibly. I must allow the exploit to proceed by agreeing to warning boxes from the operating system. People running as Administrators all the time can be silently exploited, with no warning or alert boxes.
  8. I always keep up to date, registered anti-malware software on all of my PCs. For me this translates into this 1-2 protection: Malwarebytes Anti-Malware and Trend Micro Internet Security.
  9. I have set both of these programs to automatically check for and apply updates as often as possible and to scan every day, twice a day.
  10. I use Acronis True Image (current version) to run scheduled backups not just of my user files, but complete system images of my primary hard drive. In the event of a malware attack that I can't fight off, or even the failure of my primary hard drive, I can restore everything from a very recent image backup in a half hour or less.
  11. Oh yeah, I don't click on links until I first hover over them and see the actual URL in my status bar (browser and email client). I have installed an Add-on to Firefox that gives me back a permanent status bar on the bottom of the browser. Windows Live Mail has a status bar on every email you open to read and has an optional status bar for the general interface. This is a must have for those who use the "Preview Pane" in their email client. Always hover over a link and read the destination URL before you click on it!

The more steps you take to protect your computers from malware, the less likely you are to become a victim of it. Stay aware of the types of scams that are out there. Don't become a victim by allowing your curiosity to overcome your better judgement!



October 11, 2012

Malware links and attachments flooding email inboxes in October


We are now one-third of the way into October and there is no letup in the volume of malware-infested email scams flooding our inboxes. When I refer to malware delivered via email, most of it is in the form of links to compromised websites that are hosting the Blackhole Exploit Kit and other similar badware.

Because of blogs like this one, many computer users are wary of clicking on links in unexpected emails. This is especially so if they have taken my advice and read the destination URL in the status bar of their email client while hovering over links without clicking. Hovering typically causes the bottom status bar to (appear and) display the actual URL hidden in the HTML code. This will contradict the fake anchor text, or the spoofed company's domain name, in most spam emails that are written to trick unwary users into clicking without thinking it through.

For example, if an email claims to be from CNN Breaking News, yet, when you hover over the links the status bar shows something like the following, it is a spoofed link, probably leading to an exploit attack kit:

h**p://strange-domain.de/FME2kA9/index.html.

"Index.html" is a favorite file name for the Blackhole purveyors. A few use the variation index32.html, while another poisoned link template uses the destination file name: "forwarding.htm."

In order to attack the more cautious email readers who don't blindly click on links, some scams pack their malicious code into attachments that the reader is encouraged to open. One usually sees these malware-laden attachments in emails that pretend to contain a (sometimes forwarded) scan from an HP ScanJet, like this example from earlier tonight: (Subject) Re: Fwd: Scan from a HP ScanJet #14191476. That email contained an attachment named "HP_Document.zip" that, when opened, would exploit some vulnerable, unpatched software you might have installed (like an outdated version of Adobe Reader, Acrobat, or Flash), launching an exploit attack on the user's computer.

A third method of exploitation is embedding hostile scripting and invisible iframes into .htm attachments. Recipients are then urged by the spammers to open those files in Internet Explorer. Doing so launches all of the Blackhole or Phoenix exploit code that is normally served from remote, compromised websites or hostile malware servers.
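Both attachment-borne variants described in the last two paragraphs (a zip holding an executable, and an .htm carrying script plus a hidden iframe) can be triaged before anyone opens them. The following Python script is an added example, not code from the original post: it builds a sample message in memory (the attachment name HP_Document.zip comes from the post; the archive member name, the .htm attachment name and all hostnames are constructed placeholders), then reports archive members with executable extensions and script/iframe tags or zero-size styling inside HTML attachments.

```python
import io
import os
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that have no business inside a "scanned document" archive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Active content, and the zero-size / hidden styling used to conceal an iframe.
ACTIVE_TAG_RE = re.compile(r"<\s*(script|iframe)\b[^>]*>", re.IGNORECASE)
HIDDEN_STYLE_RE = re.compile(
    r'(?:width|height)\s*=\s*["\']?0\b|display\s*:\s*none|visibility\s*:\s*hidden', re.IGNORECASE)


def _inspect_zip(name, data):
    """Flag archive members whose extension marks them as executable."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                ext = os.path.splitext(member)[1].lower()
                if ext in EXECUTABLE_EXTENSIONS:
                    findings.append(f"{name}: member '{member}' has executable extension {ext}")
    except zipfile.BadZipFile:
        findings.append(f"{name}: attachment is not a valid zip archive")
    return findings


def _inspect_html(name, data):
    """Flag script/iframe tags and hidden-element styling in an .htm attachment."""
    text = data.decode("utf-8", "replace")
    findings = []
    tags = sorted({t.lower() for t in ACTIVE_TAG_RE.findall(text)})
    if tags:
        findings.append(f"{name}: contains active content tags {tags}")
    if HIDDEN_STYLE_RE.search(text):
        findings.append(f"{name}: uses zero-size or hidden element styling")
    return findings


def inspect_attachments(raw_bytes):
    """Parse a raw RFC 5322 message and return findings for its attachments."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        lower = name.lower()
        if lower.endswith(".zip"):
            findings.extend(_inspect_zip(name, data))
        elif lower.endswith((".htm", ".html")):
            findings.extend(_inspect_html(name, data))
    return findings


def _zip_bytes(member_name, content):
    """Build a one-member zip archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, content)
    return buf.getvalue()


def build_sample_message(malicious=True):
    """Construct a sample message in memory (not a real capture). With
    malicious=True it carries a zip holding a placeholder .exe plus an .htm
    with a hidden iframe and a script tag; otherwise a zip holding a PDF name."""
    msg = EmailMessage()
    msg["From"] = "scanner@example.invalid"  # placeholder sender
    msg["Subject"] = "Re: Fwd: Scan from a HP ScanJet"
    msg.set_content("Please see the attached scan.")
    if malicious:
        msg.add_attachment(_zip_bytes("HP_Document.pdf.exe", b"placeholder, not a program"),
                           maintype="application", subtype="zip", filename="HP_Document.zip")
        html = ('<html><body><p>Loading...</p>'
                '<iframe src="http://compromised.example.invalid/index.html" width="0" height="0"></iframe>'
                '<script>/* placeholder */</script></body></html>')
        msg.add_attachment(html.encode(), maintype="text", subtype="html", filename="Invoice.htm")
    else:
        msg.add_attachment(_zip_bytes("scan_0001.pdf", b"%PDF-1.4 placeholder"),
                           maintype="application", subtype="zip", filename="HP_Document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_attachments(build_sample_message()):
        print("SUSPECT:", finding)
    print("benign message findings:", inspect_attachments(build_sample_message(malicious=False)))
```

The archive is only listed, never extracted to disk, and the HTML is only pattern-matched, never rendered, so the triage itself cannot trigger the payload. A zip whose members carry a double extension such as .pdf.exe is caught by the same extension check.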

What senders or subjects are currently being spoofed in scams hitting inboxes with malware links or attachments?

Last week the majority of email malware scams were spoofing ADP payment processors, eFax. Earlier this week they began spoofing Intuit, with phony QuickBooks updates. On October 10 the first scams were fake Sprint bills, followed by bogus LinkedIn notices, using the subject: "(Name) is now part of your network. Keep connecting..." - followed by a flood of scams pretending to be from the Chase Bank, with subjects like: "Chase: Your credit cars account" (sic) - and from Chase.Alert, "Credit card report."

The very latest email scams involve the old but still effective "Scan from an HP ScanJet" come-on, with the payload in an attached file.

Since last Friday, there have also been several PayPal phishing scams, a few fake CNN Breaking News alerts, plus a bunch spoofing UPS deliveries and bills. All either contained links to various remote malware serving locations, or attachments containing the payloads.

The cyber criminals behind these scams are going all out to try to draft as many computers into spam and attack botnets as possible in the shortest amount of time. Most of the infected PCs will also have a bank account stealing Trojan installed (e.g. Cridex or ZeuS), to empty their owners' bank accounts, or steal their credit card details or their identities, before the Christmas shopping season begins. Others will deliver "Ransomware" that locks the computer and encrypts its documents until a ransom is paid by MoneyPak.

How to protect your computer and yourself from these email-borne threats

First and foremost, keep modern, fully automatic (updates and scans), up-to-date anti-virus and anti-malware security programs running at all times. I use Trend Micro Titanium, as well as a fully licensed copy of Malwarebytes Anti-Malware on all of my PCs.

Second, whether you use a browser, or a standalone desktop email client (e.g. Windows Live Mail, Microsoft Outlook or Outlook Express, or Mozilla Thunderbird), make sure that it is capable of revealing the actual destination of links in a status bar, whenever you hover your pointer over them without clicking. Most desktop email clients have a fixed status bar that is on the bottom of an email window, when you "open" an email message from the Inbox, or other custom folders.

Web browsers (e.g. Internet Explorer, Chrome, Firefox, etc.) used to have status bars on the bottom that you could turn on or off. Now, sadly, most don't offer a permanently visible status bar. Instead, the above listed companies offer a hidden status bar that can appear when you hover over a link, reveal the actual URL, then disappear after you click.

I prefer to not leave matters to chance, so I also run a spam filter, named MailWasher Pro, before my desktop email application (Windows Live Mail). MailWasher Pro is an advanced spam and email threat detection program. It utilizes a combination of methods for identifying and dealing with unwanted email of all kinds. The method I like the best is the user configurable spam filter rules. When I see a new type of email scam, or an old one that fools my existing filters, I either add a new condition to an existing filter, or create a brand new one, then upload an entire set of my filters to my website for public use. You can read about and download my MailWasher Pro Filters here.

Finally, if you use Firefox, you can install the NoScript Add-on. By default, NoScript blocks the rendering of JavaScript, Java, Flash and several other active technologies that can be misused to harm a computer. If you browse with Google Chrome, there is an extension named "ScriptNo" available for it, which works in a similar manner to NoScript (but not currently as effectively). Since it is highly unlikely that you will have whitelisted the various compromised websites used in malware links, they will be blocked from running hostile code against your browser (because NoScript is enabled and blocks scripting by default).

The Blackhole exploit kit relies 100% upon JavaScript being enabled to run its probes for vulnerable software on a PC it is attacking. Assuming JavaScript is enabled, it then tests to see if you have an exploitable version of the Java plug-in installed and enabled. If not, it moves along to look for old versions of Adobe Reader, Acrobat, Shockwave and Flash Player. It may also check to see if the PC has not had certain Windows Updates applied that patched zero day exploits released this year.

Last, but not least, if you use a current version of any Trend Micro security programs, they include blocking of known hostile, or suspicious web pages. You cannot accidentally open a web page blocked by the Trend Smart Protection Network.




About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.