Not your father's spam: Trojan slingers attach badness to attachment WITHIN attachment Cybercrooks are upping the ante by loading malware as an attachment inside another attachment in a bid to slip past security defences. A new variant of the Upatre Trojan comes bundled in spammed messages that imitate emails from known banks such as Lloyds Bank and Wells Fargo. The .MSG file of the malicious emails contains …
The Trend Micro site says:
... cybercriminals soon upped the ante by using password-protected archives as email attachments. The email includes the password as well as instructions on how to use the contents of the attachment. The use of passwords is highly notable as it adds a sense of legitimacy and importance to the message.
So they're supposedly sending a password protected archive as an attachment and including the password and instructions in the same email, and that's supposed to give it a sense of legitimacy?
"So they're supposedly sending a password protected archive as an attachment and including the password and instructions in the same email, and that's supposed to give it a sense of legitimacy?"
Having spent the last xx years working with your average user, the answer is "yes".
I'll say it again, why we, the folks on the bleeding edge of computing, expect the average person to understand the most complicated device ever invented in mankind's history and become as proficient with it as we are, is beyond me.
That is why smart phone sales exploded. Compared to your average PC, they are very easy to use. It's also why Apple is still around. It's why tablet sales are so good.
PC basics, like basic personal finances, should be REQUIRED classes in grade school. That alone would prevent much of the fraud perpetuated on the average person.
Although it might interfere with business profits.
Security software is sold with the false promise that it will virtually guarantee safety. People need to learn that it won't, and to be very paranoid, because they really are out to get us.
It would help to ban zip files as email attachments, they are almost only used by spammers (and people who mistakenly put incompressible files in them.) Apart from that, people need to learn to look both ways before opening an email as they do (well, should) when crossing the road. I've nearly been caught a few times but have learned to ask myself a couple of simple questions:
"Why would xxx (HMRC or whoever) make me open an attachment to find what it's about, rather than put more information in the body of the email?"
"Could I check the information on their web site instead?"
There's no hope for those who think they might have won a lottery that they haven't entered, but it is possible to train reasonably smart people to be a lot more cautious, and it pays dividends in reduced calls to sort out infected systems.
I regularly get zipped files emailed to me. It's common in the construction industry, where tender documents can get pretty huge.
Although I've noticed lots of links to Dropbox going round in the last 6 monnths, so maybe the zips aren't getting through corporate mail scanners anymore.
The tragic thing is, some people paying for up-to-date home security packages will think the end of XP doesn't apply to them... Not realizing that retail security software is largely impotent! (As reported here on the Reg many times)
"It would help to ban zip files as email attachments, they are almost only used by spammers (and people who mistakenly put incompressible files in them.)"
Oh? Really? Some of us (me, for example) get numerous ZIP files on a daily basis. It's just easier to stick all relevant files to a project into a single folder and ZIP the folder rather than attach files individually. Especially when a project might have dozens of relevant files. (I got a ZIP with 29 files included last week. And yes, all 29 had been updated, most by only minor tweaks, but still there were changes and they had to be accounted for.)
And, oh yeah, in many cases the files in the ZIP might include a JPG or a PNG or a PDF or two... not to compress them, but to send them along with the other relevant files.
Any attempt to ban ZIP files will be met with serious resistance.
That serious resistance will be renaming them as stuff.abc, rather than stuff.zip, which seems to fool 90% of attachment filters I've come across (all of which are presumably blacklist powered, rather than whitelist)
"Yar, just rename this at your end, it'll be reet".
"The ZIP files poses as a password-protected archive containing a "secure message" from the intended victim's bank "
I can't think why the bank would want to send me a Russian doll email - especially a zip file.
Ah well, it's not as if I don't hover over links in emails from 'banks' anyway - it's always amusing to see the return address turning out to be one at Gmail.
The people who should really be answering questions are the total morons like Voltage SecureMail who send HTML attachments in their legitimate emails with a username and password box, apparently trusting that phishers would NEVER send a damned near identical email with an HTML file with a html form set to the spammers server to get the login details.
They also contribute towards reducing security by getting users used to having to open attachments from unexpected emails, which they are otherwise highly sceptical about.
Apparently someone earned over a million spondoolies by an email to a UK educational establishments (they used to be schools but nowadays ... )
http://metro.co.uk/2014/04/08/school-with-worst-gcse-results-lost-1million-to-textbook-fraud-4692001/
So long as the message appears believable it seems to work?
Rule 1: "No bank, government department or financial institution will ever ask you to click a link in an email or open an attachment,no matter how official it looks."
Rule 2: "If you get an email with a link or attachment from someone you know, always phone that person first to confirm that they've sent it before opening the attachment or clicking the link."
Rule 3: "If you get an email with a link or attachment from someone you don't know, delete it. No matter how interesting or funny or wonderful it may seem, delete it. Don't think, just do it."
I've drilled these three simple rules into the heads of my friends and family as though they were god's own commandments. I also set them up with Firefox, Adblock and NoScript, set NS to allow scripts for the major sites like Google, Facebook, YouTube, and each person's own banks and favourite sites, and left them to it. Since then, I haven't had to disinfect any of their computers for several years. It's not rocket science. A few simple precautionary principles will protect you from even the most devious tricks.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
