This has been a dangerous week for email recipients
March 8, 2013
The work week of March 4 through 8 has been very dangerous for email recipients, with all manner of malware links and attachments thrown at us. Subjects and senders vary widely, as do the names of the payload files. If you are not super careful, you might be tricked into clicking on a hostile link, or opening a Trojan Horse attachment.
Here are some of the subjects I intercepted over the last 5 days.
- Your AT&T wireless bill is ready to view
- IRS notification of your tax appeal status.
- Order N38956
- Email confirmation for Wire Transfers service
- Please respond - overdue payment
- Re: Fwd: Order confirmation
- ACH Dept. Notification : ACH Process End of Day Report
- You have been sent a file (Filename: Software-60.pdf)
- Transaction is completed
- Your Receipt and Itinerary
- Efax Corporate
Every one of these messages either contained a Trojan attachment or led to the Blackhole or a similar exploit kit. Judging by the subjects, all or most are targeted at office personnel. Busy or unaware recipients who click on the hostile links would have their default web browser probed with JavaScript until it found a vulnerable plug-in, browser type, or browser version.
Java, by Oracle, is the first plug-in targeted by these exploit kits. This is due to the fact that millions of computers have Java installed, unbeknownst to the owners. If you don't even know that you have Java installed, how are you to keep it updated with patches? Java is so exploitable right now that Oracle has issued three critical patches in 30 days. Add to that the fact that fully patched Java Virtual Machines fell four times in two days to hackers at this week's Pwn2Own contest in Vancouver, and you have a real minefield for common computer users.
Not to be left out in the cold, both Adobe Flash and Reader were also hacked at Pwn2Own, as were the Firefox, Chrome and Internet Exploder web browsers. You can read about these hacks here.
So, expect more updates and patches from Oracle, Adobe, and the big three browser makers over the next week or so. If you find Java installed and don't know if you really need it, disable it as a plug-in from your web browsers. Windows users can do this via the Java Control Panel Applet, in the Windows Control Panel. Under the Security Tab, just uncheck the top option that allows Java content to run in your browsers and click Apply. Restart any open browsers and they will be Javaless!
People using other operating systems will have to manually disable Java plug-ins from each browser, or better yet, uninstall all installed versions for your own safety (until the more recent updates, old versions of Java were left behind when new versions were installed). After disinfecting a PC, I usually end up uninstalling 4 or more versions of Java, which is probably how it got infected in the first place.
Android smartphone users are also sometimes targeted in malware exploit attacks, and this is becoming more prevalent every week. One advantage that PC users have over smartphone users is the ability to hover over a link and get a readout of the actual destination in a status bar. This way, if the text claims that a link is to AT&T, but the hovered-over link goes to a totally unrelated website, your Sixth Sense should tell you that something just ain't right.
Here's an example of a hostile link, cloaked behind bait words:
Visible text says: My AT&T Account
Actual link goes to: AllAboutHearingAidsInc.com/confrontation/index.html
This loads three JavaScript includes into an HTML-coded message, all of which redirect your web browser to a Blackhole Exploit Kit server. A person using a mouse pointer would see this wrong destination and hopefully not click on it.
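The same "visible text versus real destination" check can be automated for a mail gateway or a help-desk triage script. The following is an added example, not code from this blog: it parses the HTML body of a message, pairs each link's visible text with its href, and flags links whose text names a brand (a map you supply, here AT&T to att.com, which is an assumption) while the href host is outside that brand's domain. It also lists external script includes, which the post notes are how the redirect to the exploit kit was staged. The sample message is constructed; the script host is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class EmailLinkAuditor(HTMLParser):
    """Collect (visible text, href) pairs and external <script src> URLs."""
    def __init__(self):
        super().__init__()
        self.links, self.scripts = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    if "://" not in url:  # scheme-less links such as 'site.com/x', as in the post
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def audit_email_html(html, brand_domains):
    """Flag brand-named links whose host is outside the brand's domain, plus external scripts."""
    parser = EmailLinkAuditor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = host_of(href)
        for brand, domain in brand_domains.items():
            # exact domain or a true subdomain passes; 'att.com.evil.example' does not
            if brand.lower() in text.lower() and host != domain and not host.endswith("." + domain):
                findings.append(f"mismatch: '{text}' -> {host}")
    for src in parser.scripts:
        findings.append(f"external script: {host_of(src)}")
    return findings

# Constructed sample mirroring the post's example; the script host is a placeholder.
SAMPLE = ('<p>Your AT&amp;T wireless bill is ready to view.</p>'
          '<a href="http://AllAboutHearingAidsInc.com/confrontation/index.html">My AT&amp;T Account</a>'
          '<script src="http://redirector.example/kit.js"></script>')
```

Running `audit_email_html(SAMPLE, {"AT&T": "att.com"})` reports the mismatched AT&T link and the external script; a link to www.att.com produces no finding.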
No matter what type of device you use to access the Internet and do email, it is imperative that you have good and up-to-date anti-virus and anti-malware protection installed. If you leave matters to chance, the bad guys will have the upper hand.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.