Slashdot Mirror


New Targeted E-mail Attack Hits Business Execs

Erik Larkin writes "The same scammers who have been sending out the faked but highly convincing BBB and IRS e-mails are now targeting named victims with a new variety of e-mail that looks like a business invoice. Our editor-in-chief was sent one here at PC World."

9 of 100 comments

  1. Why is this sophisticated? by yohanes · Score: 4, Informative

    It is still using the same method. The only difference is that they don't include spelling/grammar errors, and use the correct recipient and business name (how hard is that to find?). They are still using the same ".doc.exe" file names, which are very easy to spot.

    1. Re:Why is this sophisticated? by Anonymous Coward · Score: 3, Informative

      Faked bills are an old scam.

      Similar to this one...

      -Years ago, we used to have guys that would come to "check" the fire extinguishers in the office.
      -They would do their thing, and wait for the receptionist to pay from petty cash.
      -Only problem... They weren't OUR fire extinguisher guys.
      -We sometimes would get guys coming around every other week. /blah, blah, profit

    2. Re:Why is this sophisticated? by jez9999 · Score: 3, Informative

      2: The default 'do not show file extensions for known file types' is on for explorer.

      Whilst this is annoying (I disable it as I like to SEE my files' extensions), it doesn't prevent you from checking for 'trick' filenames, actually. Any filename that appears to have an extension ('mywork.doc') has a double extension, so you should be VERY suspicious.

    3. Re:Why is this sophisticated? by Opportunist · Score: 2, Informative

      Actually those files do have the standard Word .doc file icon. Unless, of course, it's a .pdf.exe, in which case it will have the standard Adobe Acrobat one.

      It's trivial to add an arbitrary icon to an executable. Actually, that's a feature of pretty much every standard compiler on Windows.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
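An added example (not from the article or any of the commenters) of the file-name triage yohanes and jez9999 describe: it walks the attachments of a MIME message, splits off every extension so that "Invoice.doc.exe" is seen as a document name followed by an executable one, and shows what the name looks like once Explorer hides the last extension. The sample message, its attachment names and the two extension sets are constructed for the example; the sets are assumptions, not a complete list of what Windows will run or hide.

```python
# Added example: triage attachment names for the ".doc.exe" trick discussed in the
# thread. The message, file names and extension lists below are constructed for
# illustration and are not taken from the article or the commenters.
import os
from email.message import EmailMessage

# Extensions Windows runs directly: an attachment ending in one of these is a
# program regardless of what precedes it (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Extensions a busy recipient reads as "just a document".
DOCUMENT_EXTS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".txt"}


def split_all_exts(name):
    """'Invoice.doc.exe' -> ('Invoice', ['.doc', '.exe']); extensions are lower-cased."""
    exts = []
    base = name
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return base, exts
        exts.insert(0, ext.lower())


def explorer_display_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on: the final
    extension disappears, so 'Invoice.doc.exe' is listed as 'Invoice.doc'. Only the
    extensions in the two sets above are treated as 'known' here."""
    base, ext = os.path.splitext(name)
    return base if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS else name


def triage_filename(name):
    """Return (verdict, reason) for one attachment file name."""
    base, exts = split_all_exts(name)
    if not exts:
        return "allow", "no extension"
    last = exts[-1]
    if last not in EXECUTABLE_EXTS:
        return "allow", f"{last} attachment"
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        return "block", (f"double extension {''.join(exts)}; "
                         f"Explorer would show it as {explorer_display_name(name)!r}")
    return "block", f"executable extension {last}"


def triage_message(msg):
    """Yield (filename, verdict, reason) for every attachment part of an EmailMessage."""
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            verdict, reason = triage_filename(name)
            yield name, verdict, reason


def build_sample_message():
    """Constructed sample: an 'invoice' with a .doc.exe payload and a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "ceo@example.org"
    msg["Subject"] = "Invoice 4471 for services rendered"
    msg.set_content("Please find the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="Invoice_4471.doc.exe")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg


if __name__ == "__main__":
    for name, verdict, reason in triage_message(build_sample_message()):
        print(f"{verdict:5} {name:25} {reason}")
```

The verdict is driven only by the last extension: a name that ends in an executable extension is blocked whether or not a document extension precedes it, and the double-extension case only adds the "what the user would have seen" detail to the reason. A gateway that keys on the icon or on the MIME type instead would miss exactly the files Opportunist describes.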
  2. Checking out the 'from' address... by 26199 · Score: 3, Informative

    Doesn't help in the slightest.

    Don't people know by now that the 'from' address can be easily changed?

    (That was a rhetorical question; the answer is evidently 'no'.)

  3. Here's a pretty good description by dachshund · Score: 2, Informative

    The PC World article doesn't go into a lot of detail. Here's some more. The malware itself looks pretty silly, since you have to click through a bunch of warning dialogs to even execute it.

    http://avinti.com/press-room/targeted-malware-attack.html

  4. Small business owner by narced · Score: 5, Informative

    As a small business owner, I can attest to the fact that many of my clients will blindly pay the bills I send them, without questioning a thing. I service their computers throughout the month, racking up between 10 and 30 hours, and then send them a bill that simply says "30 hours service * $60.00 / hour" and they pay it. I have never been asked to explain myself. I can probably make up whatever numbers I want.

    I was wondering how long before the crooks realized that most businessmen do not have the time or patience to study their bills.

  5. Sorry, the actual details are here by dachshund · Score: 3, Informative
  6. EXE embedded in DOC, not .doc.exe by httptech · Score: 3, Informative

    I've noticed some comments to the effect that it's easy to spot because it is a .doc.exe extension on the attachment. Not so! The latest runs of these scams have been EXE files embedded within actual MS Word or RTF files. Inside the document is a PDF icon and a note telling the user to click on the icon to view the invoice (or complaint, depending on the scam). This is a different method of social engineering than we usually see. That plus the targeted nature of the emails is what makes this sophisticated. It may not fool the savvy user, but as many execs haven't seen something of this nature before, they are likely to click and open the embedded executable. Most are just trusting their AV to warn them if there is anything wrong with the file, which is a big mistake these days.

    If you work corporate security, make sure you are watching for signs of the data exfiltration on the network. I've written some Snort IDS signatures which are available here:
    http://www.secureworks.com/research/threats/bbbphish
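An added example, not httptech's code and not the SecureWorks signatures, of checking an RTF for the embedded-executable variant he describes. RTF stores an embedded OLE object as hex text under objdata; the check decodes each blob, looks for an MZ header whose e_lfanew field points at a PE signature, and pulls out the printable strings so the file name packed inside the object (an OLE "Package" wrapper keeps the original name) shows up in the finding. The RTF and the OLE1 Package wrapper are constructed here in simplified form, and the code does not parse Word binary (.doc) containers, only RTF.

```python
# Added example: scan an RTF for an embedded OLE object that wraps a Windows
# executable, the variant httptech describes. Not the commenter's code and not the
# SecureWorks signatures; the RTF and the OLE1 "Package" wrapper below are
# constructed in simplified form for illustration.
import re

# RTF stores an embedded object as hex text inside {\*\objdata ...}; the object
# class (e.g. "Package" for an arbitrary embedded file) sits in {\*\objclass ...}.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9._]+)")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{5,}")


def decode_objdata(hex_blob):
    """Strip the line wrapping and hex-decode an objdata blob to raw bytes."""
    return bytes.fromhex(re.sub(rb"\s+", b"", hex_blob).decode("ascii"))


def looks_like_pe(data, mz):
    """True if 'MZ' at offset mz has an e_lfanew (at +0x3c) pointing at 'PE\\0\\0'."""
    if mz + 0x40 > len(data):
        return False
    e_lfanew = int.from_bytes(data[mz + 0x3C:mz + 0x40], "little")
    start = mz + e_lfanew
    return data[start:start + 4] == b"PE\x00\x00"


def find_embedded_executables(rtf):
    """Return one finding per objdata blob that contains a PE image."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf):
        try:
            data = decode_objdata(m.group(1))
        except ValueError:
            continue  # odd-length or non-hex blob: not a well-formed object
        pe_offsets = [hit.start() for hit in re.finditer(rb"MZ", data)
                      if looks_like_pe(data, hit.start())]
        if not pe_offsets:
            continue
        classes = OBJCLASS_RE.findall(rtf[:m.start()])  # nearest objclass before this blob
        findings.append({
            "objclass": classes[-1].decode("ascii") if classes else "unknown",
            "pe_offset": pe_offsets[0],
            # Printable runs in the blob: the Package wrapper keeps the original file
            # name, which is what the recipient was meant to see.
            "strings": [s.decode("ascii") for s in PRINTABLE_RE.findall(data)],
        })
    return findings


def build_sample_rtf():
    """Constructed sample: a one-line 'invoice' RTF with a minimal PE image packed in
    an OLE1 Package object (version 0x501, format 2 = embedded, class 'Package')."""
    pe = (b"MZ" + b"\x00" * 58            # DOS header, e_lfanew at offset 0x3c ...
          + (0x40).to_bytes(4, "little")   # ... points at the PE signature
          + b"PE\x00\x00" + b"\x00" * 16)
    package = (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00" + b"\x08\x00\x00\x00"
               + b"Package\x00" + b"invoice.pdf.exe\x00" + pe)
    hexdata = package.hex().encode("ascii")
    return (rb"{\rtf1\ansi Please click the icon below to view your invoice. "
            rb"{\object\objemb{\*\objclass Package}{\*\objdata " + hexdata + rb"}}}")


if __name__ == "__main__":
    for f in find_embedded_executables(build_sample_rtf()):
        print(f"objclass={f['objclass']} PE at offset {f['pe_offset']} strings={f['strings']}")
```

The check deliberately requires a consistent e_lfanew rather than just the two bytes "MZ", since those appear by chance in hex-decoded data often enough to make a bare substring match noisy; a blob that decodes to ordinary document content, or to no PE at all, produces no finding.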