Watch out for more malware link email scams this week
October 17, 2012
Malware purveyors are busy this week, distributing email scams that carry either links to malware or attachments containing it. Since Monday, I have seen several company brands spoofed in an effort to fool recipients into clicking on links that lead to the Blackhole or Phoenix exploit kits.
These exploit kits are professionally written to take advantage of vulnerabilities in commonly deployed software that interacts with web browsers or email clients. The primary target is Java technology, which is now owned and maintained by Oracle.
Typically, the first round of scams arrives on Monday mornings and spoofs business brands such as Intuit, UPS or USPS, or poses as scans from an HP ScanJet, fake invoices, or bogus schedules for company meetings. All of the above arrived in my inbox on Monday and Tuesday. On Wednesday, the brands being spoofed are UPS, LinkedIn and Facebook. They follow particular scam patterns that give them away to people who are aware and use caution before clicking on links.
The Tell-Tale Patterns
The LinkedIn Scams
So far, the scams targeting LinkedIn members all have the following commonalities:
Note: I use the pipe symbol | to separate different senders, subjects or items.
- From Name: LinkedIn.Invitations
- From account@domain: all were non-linkedin.com domains (e.g. [email protected])
- Subjects: Invitation | New invitation is waiting for your response
- Salutation: Hi [email address],
- Body text hook-line: [Name] sent you an invitation to connect [number] days ago. How would you like to respond?
- Links: All contain 5 (five) links, none of which are actually to linkedin.com. Of the 5 links, some or all may be duplicates.
- Link Structure: All of the links have a URL containing a folder whose name is 6 to 8 random mixed-case letters and/or digits, followed by a forward slash and a file named index.html (e.g. /3aJcXKiK/index.html).
The UPS Scams
- From Name: UPS Service | UPS Support
- From account@domain: (errors|activity|customer.shipments)@upss.com
- Subjects: Delivery problem # Error ID2186 | UPS shipment status ID#0799 | Failure to deliver ID#59189
- Salutation: none
- Body text hook-line: Italian Job actor John Clive dies | Video: Extra: Robbie Walters interrogation | Amnesty International workers go on strike
- Links: One link, similar to this: compromised-domain/LTBRZJDLYO.html
- Link structure: The one link wraps around a very large image, pulled from the same compromised website as the link points to.
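The two pattern lists above translate directly into triage rules. The following Python script is an added example, not code from the original post or from any product named on the page: it parses a raw message with the standard library's email module and reports which of the listed indicators fire (the LinkedIn From name or subject arriving from a non-linkedin.com domain, a salutation that is literally the recipient's address, no link pointing at the brand the sender claims, the upss.com look-alike domain, and the two landing-page path shapes). The sample messages and their example.net / compromised.example hosts are constructed for the demonstration; the indicator names and the exact path regexes are choices made here, not the author's.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators taken from the pattern lists above: From names, subject lines,
# the look-alike sender domain and the two landing-page path shapes.
LINKEDIN_FROM_NAMES = {"linkedin.invitations"}
LINKEDIN_SUBJECTS = {"invitation", "new invitation is waiting for your response"}
UPS_LOOKALIKE_DOMAINS = {"upss.com"}  # one letter off from ups.com
EXPLOIT_KIT_PATH = re.compile(r"^/[A-Za-z0-9]{6,8}/index\.html$")  # e.g. /3aJcXKiK/index.html
UPS_LANDING_PATH = re.compile(r"^/[A-Z]{8,12}\.html$")              # e.g. /LTBRZJDLYO.html
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
# "Hi victim@example.com," -- the salutation is literally the recipient's address
SALUTATION_IS_EMAIL = re.compile(r"^\s*Hi\s+\S+@\S+\.[a-z]{2,}\s*,", re.I | re.M)


def same_org(host, brand_domain):
    """True when host is brand_domain itself or a subdomain of it."""
    return host == brand_domain or host.endswith("." + brand_domain)


def body_text(msg):
    """Concatenate the decoded text/* parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Return the names of the indicators that fire on one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_name = from_name.lower()
    sender_domain = from_addr.rpartition("@")[2].lower()
    subject = " ".join(msg.get("Subject", "").split()).lower()
    body = body_text(msg)
    urls = URL_RE.findall(body)
    hosts = [(urlparse(u).hostname or "").lower() for u in urls]
    paths = [urlparse(u).path for u in urls]

    hits = []
    claims_linkedin = from_name in LINKEDIN_FROM_NAMES or "linkedin" in from_name
    if claims_linkedin and not same_org(sender_domain, "linkedin.com"):
        hits.append("linkedin-name-from-foreign-domain")
    if subject in LINKEDIN_SUBJECTS and not same_org(sender_domain, "linkedin.com"):
        hits.append("linkedin-subject-from-foreign-domain")
    if SALUTATION_IS_EMAIL.search(body):
        hits.append("salutation-is-email-address")
    if claims_linkedin and urls and not any(same_org(h, "linkedin.com") for h in hosts):
        hits.append("no-link-to-claimed-brand")
    if sender_domain in UPS_LOOKALIKE_DOMAINS:
        hits.append("ups-lookalike-sender-domain")
    if any(EXPLOIT_KIT_PATH.match(p) for p in paths):
        hits.append("exploit-kit-landing-path")
    if any(UPS_LANDING_PATH.match(p) for p in paths):
        hits.append("ups-landing-path")
    return hits


# Constructed samples modelled on the patterns above; example.net and
# compromised.example are reserved names standing in for the real senders.
LINKEDIN_SCAM = """\
From: LinkedIn.Invitations <invitations@mail.example.net>
Subject: New invitation is waiting for your response

Hi victim@example.com,
John Doe sent you an invitation to connect 3 days ago. How would you like to respond?
http://compromised.example/3aJcXKiK/index.html
http://compromised.example/3aJcXKiK/index.html
"""

UPS_SCAM = """\
From: UPS Service <errors@upss.com>
Subject: Delivery problem # Error ID2186

Italian Job actor John Clive dies
http://compromised.example/LTBRZJDLYO.html
"""

LEGIT_MAIL = """\
From: Alice Example <alice@example.com>
Subject: Agenda for Thursday

Hi Bob,
The agenda is at https://intranet.example.com/meetings/agenda.html
"""

if __name__ == "__main__":
    for label, sample in (("LinkedIn", LINKEDIN_SCAM), ("UPS", UPS_SCAM), ("Legit", LEGIT_MAIL)):
        print(f"{label}: {triage(sample) or 'no indicators'}")
```

Run it as a script to see which rules fire on each sample. The rules are deliberately narrow heuristics mirroring this week's samples; they make a reasonable seed for a mail filter but will need refreshing as the From names, subjects and path shapes change.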
The lone Facebook scam I received was sent from a computer in Chile, with a sender named [email protected]. The subject was: "Isai MUNSON wants to be friends on Facebook." The hostile link (wrapped around several keywords) leads to a file named (domain-removed)/report.htm. Following that link with WannaBrowser, for safe viewing, reveals the Blackhole Exploit Kit code. It begins with the level 1 heading "Please wait a moment. You will be forwarded.." followed by an H3 heading: "Internet Explorer or Mozilla Firefox compatible only".
Everything after that is a huge JavaScript function that tests your browser for exploitable versions of Java, Flash, Reader, MSXML, etc. If any vulnerable plug-ins are found, a payload executable is downloaded and runs in the background, handing remote control of your computer to cybercriminals.
While the exploit kits used may vary, their purpose is the same: to infect computers or hand-held devices with malware that makes them members of the same botnet that sent the scam email. Compromised devices become zombie soldiers in spam and attack botnets (world-wide networks of remotely controlled infected computers and/or devices). Additionally, these computers or devices usually have Trojans installed that may steal online banking credentials and logins to PayPal, Facebook, LinkedIn, website control panels, et al. Others may end up with fake security programs that constantly display warnings about alleged infections found on the computer or device, demanding payment to remove them. The warnings are fake; the infection is the very file presenting the dire warnings from fake scans.
So far, the exploit kits I have seen all use JavaScript to probe the computer or device arriving at the linked destination for certain exploitable software. The main targets are Oracle Java (previously owned by Sun Corp.), Adobe Reader, Adobe Flash, and a particular Microsoft MSXML control that was patched a few months ago. Attack codes are updated as old exploits become less productive (because users apply patches and disinfect their computers and devices) and as new ones are discovered (a.k.a. zero-day exploits).
What you can do to protect yourself and your employees from these threats
Your defenses must be multi-pronged. If you browse the Internet and have targeted software installed, you need to take steps to reduce your risk of infection from email scams, or from hostile code invisibly embedded into otherwise innocent websites you visit. The following list represents my own preferences for protecting my computer from malware attacks.
- I browse primarily with the latest version of Firefox. Firefox does not run ActiveX Controls, which are the favorite target for exploits against Microsoft's Internet Explorer browsers. In general, Firefox is both more versatile and more secure than Internet Explorer, although both are frequently targeted for new vulnerabilities as they are discovered by hacking groups.
- I use the NoScript Add-on, which blocks JavaScript, Java, Flash, cross-site scripting, click-jacking, hidden iframes, and other possibly dangerous content by default. I have to whitelist domains and included objects that I trust, by specifically allowing them to run. This Add-on defeats all JavaScript exploit kits, unless they happen to be run on a website that one has previously allowed to run scripting.
- I have uninstalled Java from all of my computers. It is the single most exploited piece of software in the entire world and most websites no longer use it. If I find it necessary to use Java to work some particularly important website, I will run it in Google Chrome only and disable the Java Plug-in for all other installed browsers.
- I do not use a browser to read, send or compose email. I use a desktop email client, named Windows Live Mail 2011. I have set the options so that incoming email is opened in the Restricted Sites Zone, meaning no executing of JavaScript, or hidden iframe redirects. Further, I have disabled automatic checking for email; it only checks when I click the "Send/Receive" button. There's a reason for this, listed next!
- I screen all incoming email in MailWasher Pro (201x). This program displays the contents of incoming emails in plain text. A click of an option link reveals the hidden source code. This exposes obfuscated URLs that pretend to go to, say, LinkedIn, but really go to exploit sites. It makes it easy to identify and delete spam, scams and malware threats before I click the Send/Receive button on Windows Live Mail.
- I personally write and publish spam filters for MailWasher Pro. Any MailWasher user can download and use my spam filters. They are updated often, to detect and delete or flag spam, scams and hostile link emails. My filters detect hidden hostile links that might otherwise fool a typical busy email user.
- I operate all of my computers with less privileged accounts. My XP Pro computers run as a Power User and my Windows 7 account is a Standard User. I leave UAC enabled for my own protection. If or when I log in to an Administrator level account, it is only to do things that cannot be installed or updated effectively from my Power or Standard account. Again, I leave UAC enabled. This reduces my exploitability: an attack must trick me visibly, rather than invisibly. I must allow the exploit to proceed by agreeing to warning boxes from the operating system. People running as Administrators all the time can be silently exploited, with no warning or alert boxes.
- I always keep up-to-date, registered anti-malware software on all of my PCs. For me this translates into this one-two protection: Malwarebytes Anti-Malware and Trend Micro Internet Security.
- I have set both of these programs to automatically check for and apply updates as often as possible and to scan every day, twice a day.
- I use Acronis True Image (current version) to run scheduled backups not just of my user files, but complete system images of my primary hard drive. In the event of a malware attack that I can't fight off, or even the failure of my primary hard drive, I can restore everything from a very recent image backup in a half hour or less.
- Oh yeah, I don't click on links until I first hover over them and see the actual URL in my status bar (browser and email client). I have installed an Add-on to Firefox that gives me back a permanent status bar on the bottom of the browser. Windows Live Mail has a status bar on every email you open to read and has an optional status bar for the general interface. This is a must-have for those who use the "Preview Pane" in their email client. Always hover over a link and read the destination URL before you click on it!
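Hovering over a link compares the text you are shown with the destination you would actually visit. The same comparison can be automated over an HTML message body, which is what the obfuscated "looks like LinkedIn, goes to an exploit site" links in the screening step above come down to. The following Python is an added example, not the author's code or part of any product named on this page: it collects every anchor with the standard library's html.parser, and when the visible text itself names a host (for instance a linkedin.com URL used as the link text) but the href resolves to a different registrable domain, it reports the pair. The HTML sample is constructed; compromised.example stands in for a hijacked site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # None outside an <a>, the href (possibly "") inside one
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


# A hostname (optionally preceded by a scheme) appearing in the visible link text.
SHOWN_HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable(host):
    """Last two labels of a hostname; crude, but enough for example.com-style names."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def deceptive_links(html):
    """Return anchors whose visible text names one site while the href goes to another."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        actual_host = (urlparse(href).hostname or "").lower()
        shown = SHOWN_HOST.search(text)
        if shown and actual_host and registrable(shown.group(1)) != registrable(actual_host):
            findings.append({"shown": shown.group(1), "actual": href})
    return findings


# Constructed HTML modelled on a LinkedIn-style invitation; only the first
# anchor is deceptive: its text claims linkedin.com but it points elsewhere.
SAMPLE_HTML = """\
<p>John Doe sent you an invitation to connect 3 days ago.</p>
<p><a href="http://compromised.example/3aJcXKiK/index.html">https://www.linkedin.com/e/invite</a></p>
<p><a href="http://compromised.example/3aJcXKiK/index.html">Accept</a></p>
<p><a href="https://www.linkedin.com/help">www.linkedin.com/help</a></p>
"""

if __name__ == "__main__":
    for finding in deceptive_links(SAMPLE_HTML):
        print(f"shown {finding['shown']!r} but goes to {finding['actual']}")
```

The second anchor ("Accept") is not reported because its text makes no claim about the destination; that is the case the hover habit still catches and a text-versus-href rule cannot, which is why the two checks complement each other.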
The more steps you take to protect your computers from malware, the less likely you are to become a victim of it. Stay aware of the types of scams that are out there. Don't become a victim by allowing your curiosity to overcome your better judgement!
If you like this article, please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.