New Targeted E-mail Attack Hits Business Execs

Erik Larkin writes "The same scammers who have been sending out the faked but highly convincing BBB and IRS e-mails are now targeting named victims with a new variety of e-mail that looks like a business invoice. Our editor-in-chief was sent one here at PC World."

Re:It's about time...

Not going to happen.

Best practice or not, it simply will. not. happen.

Re:Why is this sophisticated?

[rucs_hack]

No, no it isn't easy to spot.

Not if either of two conditions apply.

1: You are an idiot with computers.
2: The default 'do not show file extensions for known file types' is on for explorer.

Whoever thought that last was a good plan should have been shot. Without file extensions visible, people can simply not realise that they are about to run an executable. Plus some wouldn't know all the many executable file extensions for windows anyway.

They used to do it with faxes,

[arthurpaliden]

and before that they used the regular mail.

So this is news because .... they used computers .... and .....email.

Why not just send out business invoices?

[swb]

Many companies have good controls, but many have loose controls on paying invoices. If you used a reasonable database and chose businesses who might get a lot of bills but have a weak grasp on them, you could probably come up with a formula that would correlate highly with having randomly mailed invoices get paid.

Re:The simple way to avoid malware.

Eh, don't mind him. He's just a fanboy who has no idea of how business actually works.

And for what it's worth, I have a Linux box myself - and I work in IT for a Fortune 100 company. I know what it takes to deploy and support applications on a big scale.

While Linux may in fact be a better option, in almost every case, it's just not a practical one, and in business, you have to do what makes the most sense for the most people from a practicality standpoint, though I'm sure some people will beg to differ with me.

Re:Why is this sophisticated?

[dubbreak]

The default 'do not show file extensions for known file types' is on for explorer.

That shouldn't even matter. Why can they run anything? Why is Outlook allowing them to open exe files?

If #1 is true (it is where I work, a gov agency, different country), then don't let them make decisions on whether to open a file, have the system do that. You don't let mentally retarded people drive a car, so why let you average idiot choose what to run on a computer?

Hard work

[Ajehals]

This spam includes a valid email address for the recipient, and correct recipient name and business details. The message and attachment could be anything. In this case its an invoice, but it could just as easily be an order (sent to sales) or a request for info (sent to PR or Marketing). This would make it extremely difficult to identify.

Its not as if you could use heuristic scanning of the text content (any malicious payload excepted) to determine that messages of this sort are spam, it would prevent you from recieving any business related email that follows a similar formula and they are all pretty similar.

The attachment in this case was a doc.exe which is fairly obviously dodgy, but as the article states it could be a .doc (or presumably a file for any application that is exploitable by opening a file) to take advantage of a zero day vulnerability.

With this type of spam and the zero day vulnerability as the scenario it would be entirely possible for a message like this to get through to a real person, for that person to open the attachment and execute whatever malicious code is embedded in the attachment without realising that they have even done anything strange.

There is no way of preventing it that still allows your employees to function, with a 0 day you are (probably) not going to detect the payload before it is executed (what happens then depends on what precautions your company is taking). You cannot brief your user base not to open emails addressed to them with content that looks valid and may be part of their job to look at, the argument of only opening mail from people you know only really works in a social context where you can afford to ignore mail.

So, up until now most common scams and viral mail have had some tell-tale characteristics (although by no means all, custom attacks against specific targets have followed this model before), and now they may not have. (I never understood why spam was so poorly produced in any case). Given that even badly written and almost blindingly obvious spam and scams manage to trick a small number of people, this type of spam or scam is likely to be more effective. This leads me to think that from a business point of view (lets be honest, especially a Microsoft shop) the usefulness of email is seriously deteriorating, it is approaching the point where the existing system contains too much risk and is too overburdened to be useful and that is saying a lot because email really was/is a revolutionary technology. Not that I can think of an alternative nor am I suggesting that we will see business dropping email, but I can see business looking at some of those fatally flawed but great sounding add-ons that aim to secure mail from unknown recipients (micro payments and white listing etc..).

Re:The simple way to avoid malware.

[natmakarvitch]

Linux is not mandatory to use GPG. It runs dandy under MS-Windows and MacOS and there is a bunch of thingies to let most users benefit from it in a more-or-less transparent fashion.

Re:Why is this sophisticated?

[LiquidFire_HK]

Yes, but the ordinary user (exactly the type of user that is likely to have file extensions hidden) will probably not realize this. They have seen extensions in some places, and none in others - they'll simply ignore this potential giveaway.

You don't need to.

[khasim]

There is no way to protect these people and still have their computers be useful/enjoyable for them.

You don't need to.

As long as the protections cause the rate of infection to drop below the rate of disinfection, the threat will fade.

Social engineering will always be an issue. Even intelligent people can make mistakes.

The idea is to make it as obvious as possible that this is a DANGEROUS activity ...and then...
Make it as easy as possible to clean up the mess.

#1. Any time an application is launched by clicking on a file INSTEAD of going through the menu bar throw up a warning.

#2. No email program should EVER run ANY executable.

That is the primary reason that so few "viruses" exist in the wild ... for Linux. Running Ubuntu in the default configuration means that you have to:

#1. Save the attachment to your personal directory.

#2. Change the permissions on the file to be executable.

#3. Run the file.

And even with all of that the only thing in danger are your personal files (you do back them up of course). To do anything more you'd have to...

#4. Suppy it with your sudo password.

The reason this is so successful is that the possibility of FAILING to run the "virus" goes UP with each step that is required. Say that each step only has a 50% possibility of being run by the average user. The other 50% of the time they realize that they're doing something dangerous and they stop.

A. Old Windows example:
#1. Double-clicking on "sex.gif" in an old version of Outlook is a single step and will succeed with 50% of the people.

B. Linux example:
#1. Saving the file to your personal directory will work with 50% of the people.

#2. Changing the permissions on the file will work with 50% of the people from step 1 (25% of the total).

#3. Clicking on the file will work on 50% of the people from step 2 (12.5% of the total)

#4. Supplying the sudo password will work on 50% of the people from step 3 (6.25% of the total).

So, 50% infection rate vs a 93.75% NON-infection rate.