New Targeted E-mail Attack Hits Business Execs
Erik Larkin writes "The same scammers who have been sending out the faked but highly convincing BBB and IRS e-mails are now targeting named victims with a new variety of e-mail that looks like a business invoice. Our editor-in-chief was sent one here at PC World."
Finally, a profitable application of the Peter Principle.
Beep beep.
I think it would be wise for companies to switch to using something like GPG and keep keys safe. The sooner this happens the sooner scammers will have a more difficult job with this style of social engineering.
Why UNIX?
It is still using the same method. The only difference is that they don't include spelling/grammar errors, and use the correct recipient and business name (how hard is that to find?). They are still using the same ".doc.exe" file names, which is very easy to spot.
Hmm, well then please sell me your operating system that you have made. Smartass.
Maybe if a spam scam starts affecting businesses, or the wealthy, there will be a better chance that the politicians will wake up and do something about spam.
and before that they used the regular mail.
So this is news because .... they used computers .... and .....email.
Many companies have good controls, but many have loose controls on paying invoices. If you used a reasonable database and chose businesses who might get a lot of bills but have a weak grasp on them, you could probably come up with a formula that would correlate highly with having randomly mailed invoices get paid.
Eh, don't mind him. He's just a fanboy who has no idea of how business actually works.
And for what it's worth, I have a Linux box myself - and I work in IT for a Fortune 100 company. I know what it takes to deploy and support applications on a big scale.
While Linux may in fact be a better option, in almost every case, it's just not a practical one, and in business, you have to do what makes the most sense for the most people from a practicality standpoint, though I'm sure some people will beg to differ with me.
Doesn't help in the slightest.
Don't people know by now that the 'from' address can be easily changed?
(That was a rhetorical question; the answer is evidently 'no'.)
The PC World article doesn't go into a lot of detail. Here's some more. The malware itself looks pretty silly, since you have to click through a bunch of warning dialogs to even execute it.
http://avinti.com/press-room/targeted-malware-attack.html
As a small business owner, I can attest to the fact that many of my clients will blindly pay the bills I send them, without questioning a thing. I service their computers throughout the month, racking up between 10 and 30 hours, and then send them a bill that simply says "30 hours service * $60.00 / hour" and they pay it. I have never been asked to explain myself. I can probably make up whatever numbers I want.
I was wondering how long before the crooks realized that most businessmen do not have the time or patience to study their bills.
http://www.avinti.com/proforma-invoice-malware.html
And it used to work too, because the 'smart ones' would invoice for less than what would've otherwise cost the billed company to find out if the invoice is legitimate or not, so the company simply pays it just to 'make it go away.'
ELOI, ELOI, LAMA SABACHTHANI!?
I just wanted to try out how likely it would be for me to accidentally open a .doc.exe file, immediately after renaming a .exe file to .doc.exe, AVG was onto it. Since we use AVG on our computer shop systems, I'm reasonably sure that with having that Antivirus and Thunderbird, this sort of scam won't get far with us. Well, that and the fact that we are always in close communication with the BBB to begin with, so if we get a strange email from them, we can always ask them if they sent one.
I am a VP for HR at a giant multi-national technology corporation and I just sent all of my post-dated stock options to someone in Nigeria so that I could give a puppy a good home.... well, the puppy never showed up and I need some help to get my $6,000,000 back. Won't you please help?
This spam includes a valid email address for the recipient, and correct recipient name and business details. The message and attachment could be anything. In this case its an invoice, but it could just as easily be an order (sent to sales) or a request for info (sent to PR or Marketing). This would make it extremely difficult to identify.
The attachment in this case was a doc.exe which is fairly obviously dodgy, but as the article states it could be a .doc (or presumably a file for any application that is exploitable by opening a file) to take advantage of a zero day vulnerability.
It's not as if you could use heuristic scanning of the text content (any malicious payload excepted) to determine that messages of this sort are spam; it would prevent you from receiving any business related email that follows a similar formula, and they are all pretty similar.
With this type of spam and the zero day vulnerability as the scenario it would be entirely possible for a message like this to get through to a real person, for that person to open the attachment and execute whatever malicious code is embedded in the attachment without realising that they have even done anything strange.
There is no way of preventing it that still allows your employees to function, with a 0 day you are (probably) not going to detect the payload before it is executed (what happens then depends on what precautions your company is taking). You cannot brief your user base not to open emails addressed to them with content that looks valid and may be part of their job to look at, the argument of only opening mail from people you know only really works in a social context where you can afford to ignore mail.
So, up until now most common scams and viral mail have had some tell-tale characteristics (although by no means all; custom attacks against specific targets have followed this model before), and now they may not have. (I never understood why spam was so poorly produced in any case.) Given that even badly written and almost blindingly obvious spam and scams manage to trick a small number of people, this type of spam or scam is likely to be more effective. This leads me to think that from a business point of view (let's be honest, especially a Microsoft shop) the usefulness of email is seriously deteriorating; it is approaching the point where the existing system contains too much risk and is too overburdened to be useful, and that is saying a lot because email really was/is a revolutionary technology. Not that I can think of an alternative, nor am I suggesting that we will see business dropping email, but I can see business looking at some of those fatally flawed but great sounding add-ons that aim to secure mail from unknown recipients (micro payments and white listing etc.).
Linux is not mandatory to use GPG. It runs dandy under MS-Windows and MacOS and there is a bunch of thingies to let most users benefit from it in a more-or-less transparent fashion.
You don't need to.
As long as the protections cause the rate of infection to drop below the rate of disinfection, the threat will fade.
Social engineering will always be an issue. Even intelligent people can make mistakes.
The idea is to make it as obvious as possible that this is a DANGEROUS activity
Make it as easy as possible to clean up the mess.
#1. Any time an application is launched by clicking on a file INSTEAD of going through the menu bar throw up a warning.
#2. No email program should EVER run ANY executable.
That is the primary reason that so few "viruses" exist in the wild
#1. Save the attachment to your personal directory.
#2. Change the permissions on the file to be executable.
#3. Run the file.
And even with all of that the only thing in danger are your personal files (you do back them up of course). To do anything more you'd have to...
#4. Supply it with your sudo password.
The reason this is so successful is that the possibility of FAILING to run the "virus" goes UP with each step that is required. Say that each step only has a 50% possibility of being run by the average user. The other 50% of the time they realize that they're doing something dangerous and they stop.
A. Old Windows example:
#1. Double-clicking on "sex.gif" in an old version of Outlook is a single step and will succeed with 50% of the people.
B. Linux example:
#1. Saving the file to your personal directory will work with 50% of the people.
#2. Changing the permissions on the file will work with 50% of the people from step 1 (25% of the total).
#3. Clicking on the file will work on 50% of the people from step 2 (12.5% of the total)
#4. Supplying the sudo password will work on 50% of the people from step 3 (6.25% of the total).
So, 50% infection rate vs a 93.75% NON-infection rate.
In nature, the successful predator always goes after the weak and the lame first.
Where I work we had to implement draconian measures concerning attachments and files because the execs kept clicking "run anyway" even though the antivirus software warned them it could be an infected file. They honestly thought they knew more than the AV software.
"So this is news because .... they used computers .... and .....email."
Looks like it has all the components to be patentable.
Now they're targeting the most intellectually vulnerable of society.
"We are all geniuses when we dream"
- E.M. Cioran
I just had an incredibly genius idea. What if all executable files, whatever the common or arcane extension, were underlined or colored (like hyperlinks in HTML)? Scanning a directory listing, the bright red executable files would stand right out from the rest of the black text. Just like people have been taught that underlined text on HTML pages can be clicked, they will learn that bright red files can be executed, and will take the appropriate caution.
At the risk of sounding a little jaded and anti-establishment (which would surely make me an outcast on this site, haha):
I think maybe this is a good thing. I think the scammers have been, to this point, largely targeting the gullible. Old people, drug abusers, the socially awkward. The problem with that is those sections of our society are, I would guess, significantly underrepresented in the political process.
If the friends and contributors of our ruling elite class start getting tagged, perhaps we will see some Internet legislation that is focused on taking out the really vile scum, instead of just the low grade malefactors that infringe copyright for personal use. Copyright legislation is going gangbusters because the people Congress talks to believe it is good. If those same people start to feel the bite of scammers, maybe they'll get serious about finding these assholes and putting them away.
I won't believe it. I think these were probably the same painfully obvious scams that I get every day.
It's been a long time.
I've noticed some comments to the effect that it's easy to spot because it is a .doc.exe extension on the attachment. Not so! The latest runs of these scams have been EXE files embedded within actual MS Word or RTF files. Inside the document is a PDF icon and a note telling the user to click on the icon to view the invoice (or complaint, depending on the scam). This is a different method of social engineering than we usually see. That plus the targeted nature of the emails is what makes this sophisticated. It may not fool the savvy user, but as many execs haven't seen something of this nature before, they are likely to click and open the embedded executable. Most are just trusting their AV to warn them if there is anything wrong with the file, which is a big mistake these days.
If you work corporate security, make sure you are watching for signs of the data exfiltration on the network. I've written some Snort IDS signatures which are available here:
http://www.secureworks.com/research/threats/bbbph
poor guy. his name sounds like spam all by itself.
You can integrate it with Thunderbird as well. I know most companies don't use non-M$ email clients but the more widespread it is the better.
Every business should be required to have a national ID and place that ID on any ads. That would make it much easier to trace crap to the source and filter out any known abusers.
...and have sex with your wife until she screams like a deaf girl.
Had sex once with a deaf woman. Found her disconcertingly quiet throughout the experience.
The service my company offers is primarily targeted at small to medium businesses. As such I frequently deal with the owners of these companies, and if the issue is technical in nature I have to ask them about their network setup. Simple stuff like "Okay, and what kind of internet connection do you have?"
It's astonishing how many of them will say things like "I dunno" or "Oh, it's broadband" or "There's a box that says Netgear, does that help?" If they don't know sometimes I press a little: "Well, do you know who your internet service is from?" since if they say something like "Verizon" I'll know it's DSL, or "Roadrunner" will be cable.
"I'm not sure," they'll say. This happens all the time.
Some of these people work out of their homes, too. Even then they have no idea.
It's like.. let me get this straight, sir. A bill arrives for you every month. You have no idea what company it's from and you don't know what service it's for, but you just pay it?
Why am I doing this job, then? I could start my own business where I just send out random invoices to random people! Clearly they aren't paying any attention to what the hell they're paying for, so I could just make an invoice for "services rendered" and lots of them would, evidently, pay it anyway.
It is trivial to change the icon of an executable (or anything else) so it looks like a safe file type, so don't rely on the icon.
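Several commenters above make the same practical point from different angles: the ".doc.exe" names are easy to spot, but the icon can be faked, and the newer runs hide an EXE inside a real Word/RTF document behind a PDF icon. The script below is an added example (not code from the original page or from Avinti or SecureWorks) showing how a mail gateway or desktop tool would triage an attachment on all three counts: flag double extensions, sniff the bytes for a PE header regardless of name or icon, and decode RTF `\objdata` blobs to look for an embedded PE image. The function names and the sample attachments are constructed for the example; the "PE" sample is only a header skeleton, not a runnable program.

```python
"""Attachment triage: name check, content sniff, and RTF embedded-object scan.
Added example; all sample inputs below are constructed, not real samples."""
from __future__ import annotations

import re
import struct

# Extensions Windows will execute directly when double-clicked (assumed list).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def suspicious_name(filename: str) -> list[str]:
    """Return reasons the filename looks dodgy, e.g. invoice.doc.exe."""
    parts = filename.lower().split(".")
    reasons = []
    if len(parts) > 2 and parts[-1] in EXEC_EXTS:
        reasons.append(f"double extension: .{parts[-2]}.{parts[-1]}")
    elif len(parts) > 1 and parts[-1] in EXEC_EXTS:
        reasons.append(f"executable extension: .{parts[-1]}")
    return reasons


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'.
    This is what the icon and extension cannot lie about."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# RTF stores embedded OLE objects as hex text inside a \objdata group.
_OBJDATA = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def embedded_pe_in_rtf(rtf: bytes) -> bool:
    """Hex-decode every \\objdata blob and scan it for a PE image at any offset."""
    for m in _OBJDATA.finditer(rtf):
        hexstr = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        try:
            blob = bytes.fromhex(hexstr)
        except ValueError:          # odd length / corrupt hex: skip this object
            continue
        for off in (i for i in range(len(blob) - 1) if blob[i:i + 2] == b"MZ"):
            if looks_like_pe(blob[off:]):
                return True
    return False


def triage(filename: str, data: bytes) -> list[str]:
    """Combine all three checks; an empty list means nothing was flagged."""
    reasons = suspicious_name(filename)
    if looks_like_pe(data):
        reasons.append("content is a PE executable regardless of name/icon")
    if data.startswith(b"{\\rtf") and embedded_pe_in_rtf(data):
        reasons.append("RTF contains an embedded PE in \\objdata")
    return reasons


def fake_pe() -> bytes:
    """Constructed PE header skeleton: MZ stub, e_lfanew = 0x80, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr += b"\0" * (0x80 - len(hdr)) + b"PE\0\0" + b"\0" * 0x20
    return bytes(hdr)


# Constructed samples: the .pdf is a PE with a lying name, the .rtf wraps the
# same PE in an OLE1 "Package" object, the .doc is a harmless OLE2 header.
SAMPLES = {
    "invoice.doc.exe": fake_pe(),
    "invoice.pdf": fake_pe(),
    "invoice.rtf": (b"{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
                    + b"0105000002000000" + fake_pe().hex().encode() + b"}}}"),
    "invoice.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 56,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {triage(name, data) or 'clean'}")
```

The name check alone misses the last two samples; the PE sniff catches the renamed executable, and only the `\objdata` decode catches the RTF. A real gateway would also recurse into OLE2/DOCX containers and ZIPs, but the order of trust is the same: bytes first, extension second, icon never.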
I've seen all sorts of people here comment that email is getting too risky for businesses to use. From where I stand, that's not the real problem. The problem that's at the center of both the malware and spam problems is that it's become very hard to quickly determine the credentials of a person sending you information. In the case of email, the solution to the malware problem is simple: strip out all html tags and attachments off as the mail is received. There is no way to get malware from an email without active content. (HTML, Attachments, etc.)
When you make email safe, you then have the real problem distilled to its essence: How do internet users safely receive files over the internet. And the answer to that is authentication, but then credentials become tradeable items, and you have malware going after credentials.
The problem is not with email, it's with the whole internet's permissiveness. Every solution you put in place gets knocked to its core problem that there's no easy way to definitively say what person you're interacting with at the time. And this will be a tough sell; we're used to an anonymous internet. To solve the problem of internet crime once and for all, I predict that we will have to give up our ability to become entirely anonymous. There will be bumps in the road, but once everything that lands on your computer can be attributed to a real person, your email and internet will be as safe and sane as your US Mail. Maybe even safer, because it will be easier to exclude content from people with bad reputations.
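The comment above proposes a blunt gateway policy: strip HTML and attachments as mail is received, so nothing active ever reaches the reader. As an added example (not code from the original page), here is what that policy looks like with Python's standard `email` package: parse the message, keep only non-attachment `text/plain` parts, record what was dropped, and rebuild a plain-text message with the original envelope headers. The sample message is constructed inline and mirrors the invoice scam under discussion (a plain/HTML alternative plus a `.doc.exe` attachment); the function names are the example's own.

```python
"""Gateway-style sanitizer: keep text/plain, drop HTML and attachments.
Added example, not code from the original page; the sample message is constructed."""
from __future__ import annotations

from email import message_from_bytes, policy
from email.message import EmailMessage

KEEP_HEADERS = ("From", "To", "Subject", "Date", "Message-ID")


def sanitize(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Return (plain-text message, list of dropped parts as 'type name')."""
    msg = message_from_bytes(raw, policy=policy.default)
    out = EmailMessage(policy=policy.default)
    for h in KEEP_HEADERS:                       # copy envelope headers only
        if msg[h]:
            out[h] = str(msg[h])
    texts, dropped = [], []
    for part in msg.walk():
        if part.is_multipart():                  # containers carry no content
            continue
        ctype = part.get_content_type()
        disp = part.get_content_disposition()    # None, 'inline' or 'attachment'
        # A text/plain part explicitly marked as an attachment is still an
        # attachment (e.g. a renamed script), so it is dropped too.
        if ctype == "text/plain" and disp != "attachment":
            texts.append(part.get_content())
        else:
            dropped.append(f"{ctype} {part.get_filename() or '(no name)'}")
    body = "\n".join(texts) or "[no plain-text body; content removed by policy]"
    out.set_content(body)
    return out, dropped


def build_sample() -> bytes:
    """Constructed invoice-scam lookalike: text + HTML alternative + .doc.exe."""
    m = EmailMessage()
    m["From"] = "billing@example.invalid"
    m["To"] = "ceo@example.invalid"
    m["Subject"] = "Pro-forma invoice #4412"
    m.set_content("Please find the invoice attached.")
    m.add_alternative("<p>Please find the <b>invoice</b> attached.</p>",
                      subtype="html")
    m.add_attachment(b"MZ\x90\x00fake", maintype="application",
                     subtype="octet-stream", filename="invoice.doc.exe")
    return bytes(m)


if __name__ == "__main__":
    clean, removed = sanitize(build_sample())
    print(clean)
    print("dropped:", removed)
```

Note what this does and does not buy you: the recipient still sees the social-engineering text and the sender address, which the thread's other comments point out can be anything; it only guarantees that the click target is gone. Logging the dropped parts is what lets the security team notice a burst of `invoice.doc.exe` aimed at named executives.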
It was alleged that the spammers performed a DDoS on their web site and drove them out of business. They made an application called Blue Frog.
Let's imagine for a moment we got those people to use Linux instead of Windows.
They get a mail claiming the attachment enables them to run HD content under Linux; it's some supersecret, hacked AACS key thingamajig, and the text makes it look like it was intended for someone else, so the lucky winner of the HD player thinks he hit the jackpot.
Included are detailed instructions on what you have to do to make it run, which includes sudo'ing.
Bet you my computer against an abacus that it will work. The security of a system is the minimum of the system's capabilities and the user's capabilities. It doesn't help jack to have the most secure system on the planet if a monkey is using it.
Recently a wave of "P2P lawsuit" spam mails flooded the servers around the globe, claiming the attachment is a court order (yes, that alone is enough stupidity).
The from-address read: "Lawyer". No name, no address, no reply-to address, just "Lawyer". And people fell for it in heaps.
People are stupid. Deal.
Don't forget to file your TPS reports people!
Well, while it would be a good thing if we got more sensible laws, do you think that's what would happen if this actually got pumped towards congress? I mean, you've seen what BS came out of there recently, right?
We'd probably get some new unenforceable laws, or insane punishments on existing unenforceable laws, and on top of it some laws that won't even address the issue but make the life of the whitehats even more uncomfortable than it already is, to the point where the only ones who'll still be able to determine whether networks are safe are actually the ones who attack them, because they don't care in the first place.
Germany is about to (or already did) pass a law that makes the possession of "hacking tools" illegal. I.e. checking your network for security holes is no longer legal.