Sometimes it’s like they aren’t even trying

This was in my inbox today…

image

The email address it was sent to isn’t the email address I use for my FB account. And seriously, is there any legitimate use for zip files inside of email anymore?

Common Sense: Don’t even bother with zip files as attachments in email messages. If you need to move data, use Dropbox, iFolder or some other transport system instead.

My wife pointed out that Facebook wouldn’t address me as “Dear user of facebook”; they would say “Dear John”. They wouldn’t sign it “Your facebook”, and they would ask me to log in and change my password, not send me a new password.

Facebook’s gone phishing

I just got this group message from someone I know (but had never gotten a message from before)

image

asking me to go “check out this interesting article”. DANGER, WILL ROBINSON. This is a common way of saying “let me scam your money”.

There wasn’t a link on this, but a typed-out website. So I typed in that website, which was a spoof of a common reputable news source, with a character added to the address. Firefox immediately told me not to go any further; it was a scam. OK.. so I tried it in IE (because I knew it wouldn’t block me) and this is what I saw.

image

They scraped the site from the reputable news agency and added some links (“Google Pay Day”) which take you to what looks like a very well done version of an advertiser’s page. A lot of time and money went into this one. Obviously they are making quite a bit from it to justify the expense. Don’t be fooled into adding to their pockets.

Common Sense: If something looks suspicious, take extra care to be sure you’re getting to what you want to get to. Only use websites you recognize, not only by look but by URL too.

The actual site seems to be owned by someone in China. (Darn Chinese Hackers (inside joke))

Registrant Contact:
YAN HUA
HUA YAN
053182149514 fax: 053182149514
LONGSHANLU18
JN SD 250019
cn
Administrative Contact:
HUA YAN
053182149514 fax: 053182149514
LONGSHANLU18
JN SD 250019
cn
Technical Contact:
HUA YAN
053182149514 fax: 053182149514
LONGSHANLU18
JN SD 250019
cn
Billing Contact:
HUA YAN
053182149514 fax: 053182149514
LONGSHANLU18
JN SD 250019
cn
DNS:
ns1049.websitewelcome.com
ns1050.websitewelcome.com
ns1.lilil2iili.com
ns2.lilil2iili.com
Created: 2010-03-30
Expires: 2011-03-30

Update: 4/11/2010 Got the same message today, this time asking for Local8News.net, but the same scheme.

Is my antivirus actually working?

As more and more people become aware of all the bad things out there in the tangled mess of the interweb, most people just take for granted that their antivirus software is actually working.

image

I have a stockpile of known viruses, but they are not what I would want to use to test an otherwise healthy computer with, hence the EICAR test virus is the perfect solution. Back when I first started using EICAR it stood for European Institute for Computer Antivirus Research. Now EICAR is just known by their name as a security company rather than just AV.

You can download the test files from their website,

http://www.eicar.org/anti_virus_test_file.htm.

The signature of the file is designed to set off any antivirus scanner and be labelled as the EICAR Test-Virus, but no actual harm is done to your computer if the antivirus doesn’t catch it. It does give you the chance to see if your antivirus is actually working and picking up threats.

Even my sister has joined the bad guys.

Not willingly, I hope. Got this email from her a few moments ago. It was from someone I knew, so I didn’t hesitate to open it and investigate further.

Image of infected email

The email was also CC’d to other friends and family members I knew. It had these three thumbnails with links. I didn’t recognize the people in the images. There were no actual embedded attachments (kind of odd). I checked the link to see if it would actually go to an image and found it wanted to take me to:

http://downx05.h12.ru/

Taking me to a Russian website. At the time I attempted to investigate the site further, it was being overwhelmed by requests to access it. Those poor souls…

Common Sense, People: If you’re not expecting people to send you files, be wary. If it looks suspicious.. it probably is.

Banking in my sleep?

I must have done it in my sleep, because I don’t ever remember opening a checking account with Yorkshire Bank. Come to think of it.. I don’t even know where to find my local Yorkshire Bank.

image

This should be the first sign of a bogus email. But for those who actually DO have a Yorkshire account it may appear legitimate. Clicking on the link does not take you to the bank, however. It goes to

http://mk.volina.ru/includes/patTemplate/patTemplate/Modifier/HTML/fullPassword.ctl.htm

Firefox and Chrome blocked the site; IE reported it as unsafe but brought it up anyway.

The site would then ask for your customer number, your password, all three of your security questions and answers, as well as your email address. After entering such information, submitting it would take you to the actual bank’s site, http://www.ybonline.co.uk/personal/ib-logout, but by then it’s probably too late. You’ve just given all your sensitive information to the Russians.

Common sense: If your bank does send you an email, log on to your bank’s site yourself. Don’t use any enclosed links. That way you know you’re not being directed somewhere else without your knowledge.
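The checks from the first post (an address that is not yours, a zip attachment, a generic greeting, a password mailed to you) and the point here about enclosed links can be scripted as a triage pass over a raw message. The following is an added example, not code from the blog; the message and the mailbox address set are constructed to resemble the emails described.

```python
import email
import re
from email import policy
from urllib.parse import urlparse
# Constructed sample modelled on the messages described in the posts (not a real capture).
SAMPLE_EML = """\
From: Facebook Service <service@facebook.com>
To: jsmith@example.org
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>Dear user of facebook, your new password is in the attachment.
Log in: <a href="http://login-reset.example.net/fb">http://www.facebook.com/login</a><br>Your facebook</body></html>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="Facebook_Password.zip"

UEsDBA==
--b1--
"""
GENERIC_GREETINGS = ("dear user", "dear customer", "dear member", "dear client")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>([^<]*)</a>', re.I)

def check_message(raw: str, my_addresses: set[str]) -> list[str]:
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Recipient mismatch: bulk phish often lands on a nearby address, not yours.
    to_addrs = {a.addr_spec.lower() for a in msg["to"].addresses} if msg["to"] else set()
    if not to_addrs & {a.lower() for a in my_addresses}:
        findings.append("recipient mismatch: not addressed to one of my mailboxes")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = (body.get_content() if body else "").lower()
    # 2. Generic salutation, and a "new password" handed out instead of a reset link.
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic salutation")
    if "new password" in text:
        findings.append("sends a new password rather than asking you to change it")
    # 3. Zip attachments, the usual wrapper for a mailed executable.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or part.get_content_type() == "application/zip":
            findings.append(f"zip attachment: {name}")
    # 4. Link text showing one host while the href goes somewhere else.
    for href, shown in LINK_RE.findall(text):
        shown_host, real_host = urlparse(shown.strip()).hostname, urlparse(href).hostname
        if shown_host and shown_host != real_host:
            findings.append(f"link shows {shown_host} but goes to {real_host}")
    return findings
```

Run `check_message(SAMPLE_EML, {"john@example.org"})` to see all five indicators reported for the constructed message.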

The IRS is emailing me now?

I doubt the federal government would ever become that efficient.

image

No payload in the email itself.. but a few things to notice on this one. My email address isn’t in the To. The website at first glance looks like irs.gov, but it’s actually eawsqu.pl, registered to a guy in Germany:

DOMAIN: eawsqu.pl is releasing after termination
created:                2010.03.31 13:08:04
last modified:          2010.03.31 18:02:42
expiration date:        2010.04.05 18:02:42
no option
REGISTRAR:
Key-Systems GmbH
Prager ring 4 – 12
66482 Zweibrücken 
Niemcy/Germany
+49 6332791850

Firefox gave me a big red warning when trying to visit the site. I much prefer FF’s warning to IE’s.

image

IE let the site come up, but with a tiny warning in the title bar

image

image

telling me that the website may be unsafe. The site then asks users to download an EXE. I wonder what that could do…

Another case where common sense goes a long way.

UPS delivers everything, even viruses?

Well, they might deliver biohazards, but not via email. Here’s a letter I got this evening.

image

Symantec let the file go right through the email.

Extracted the zip,

image

scanned the file again with Symantec and

image

double-checked the date on my definitions. They are current. I’ll test it against Sophos tomorrow and see what they say.

Another attempt

I was originally going to ignore this spam, but I got it twice today so I might as well share.

 

MICROWORD.COM CORPORATIONS

CUSTOMER SERVICE: TARRAGONA ESPANA Email:

ADDRESS: C/ L’ESTANY, PARC. 2, POST CODE – 43006 CITY – TARRAGONA – SPAIN.

MICROWORD.COM RESOURCE ADVERTISING LINK: http://www.microword.com/

Date: 03/03/2010.

MICROWORD.COM CORPORATIONS MARCH 2010 (3RD TO 30TH) OFFICIAL WINNING NOTIFICATION.

Good day, we write to inform you that your email address has won, in the microword.com corporation internet March 2010 promotions. Your email address was selected randomly from the microword.com automatic computer generated machine, and your email address emerges as one of the online winners. This attracts a prize of Three hundred thousand Euros only (300,000.00 Euro) and an Apple 13.3" Mac Book Pro Notebook laptop.

—————————————————————————————————————————-

*Your won cheque of three hundred thousand Euros (300,000.00 Euro) and Apple 13.3" Mac Book Pro Notebook laptop will be presented to you on arrival to our office in Tarragona, within the period of 30 days. Your winnings will be cancelled, if you do not present yourself at our office, within the given period of 30 days.

—————————————————————————————————————————

*If you are unable to come to our office in Tarragona- Spain to claim your won prize, your won prize will be presented to you by courier delivery via the promotion board contracted courier company. Microword.com Corporation is not responsible for the delivery changes [charges?] to your location. You will pay for the cost of delivery yourself. Please do not respond to this option, if you know, you will not pay for the courier service delivery. [ got, enough, commas, in there?]

—————————————————————————————————————————–

Please note: The draft certified cheque and all documents are packaged to be delivered under one way bill by the contracted courier company and are categorized as high priority & express delivery under applicable laws and regulations. This shipment cannot be delivered to P.O. boxes or postal codes but only to you the receiver at your given address.

——————————————————————————————————————————

For more information’s, on how to claim your prize, do contact our promotions department via the email below or via telephone, and quote this reference number: MSTF/2010/XУNAJZ/MAR 3-30/KFYXQX as you contact our promotion department. This reference number is the security key to your winnings, we advice you keep the reference number to yourself.

Microword.com promotion department.

Tel: 0034- 634 176 053

Tel: 0034- 659 347 846

Email: promotion_department@micro-word.com

This promotion is organized by microword.com to advertise and to promote our website, http://www.microword.com/ which is based on all kind internet companies, all kind of computer hardware and software product. This promotion is as well organized to encourage the use of the Internet user and to promote computer literacy worldwide.

Congratulations to you lucky winner!

Sincerely,

Mr. Golf . P Ivan.

CEO: MSFT Word Resource Tarragona.

Copyright © 1992-2010 Micro-word.Com All rights reserved.

===========================================================

NOTICE TO RECIPIENT: THIS E-MAIL IS MEANT FOR ONLY THE INTENDED RECIPIENT OF THE TRANSMISSION, AND MAY BE A COMMUNICATION PRIVILEGED BY LAW. IF YOU RECEIVED THIS E- MAIL IN ERROR, ANY REVIEW, USE, DISSEMINATION, DISTRIBUTION OR COPYING OF THIS E-MAIL IS STRICTLY PROHIBITED.

PLEASE NOTIFY CUSTOMER SERVICE: TARRAGONA ESPANA VIA EMAIL: info@micro-word.com IMMEDIATELY OF THE ERROR BY RETURN E-MAIL AND PLEASE DELETE THIS MESSAGE FROM YOUR SYSTEM. THANK YOU IN ADVANCE FOR YOUR CO-OPERATION.

A few things to note:

  • The country code returns to Spain.
  • The email address uses the domain micro-world.com but the web links provided use microworld.com.
  • micro-world.com belongs to a company in Torrance, CA, whereas the company in this email is from Spain.
  • The company wants you to pick up the “prize” in Spain or have them deliver it COD (for shipping expenses). I wonder how much that COD charge would be.
  • The lack of grammar is another good giveaway (no pun intended).

Basically, it’s one of those deals where, if you never entered a contest in Spain and they want you to pay up front, it’s too good to be true. Sorry.

The bad guys are busy today

Got two suspicious emails today. Here is the first one.

image


The first thing to notice: this wasn’t sent directly to me. The address is close, but not me. So this is some bot that put addresses in an alphabetical list and sent it out to groups at a time.

2nd thing, zip files have become notorious for delivering viruses and malware.

3rdly, I’ve been on FB all morning without any problem logging in, so I know my password hasn’t been changed.

But what if I had opened that file? Well, I tested it against several antivirus programs.

Just scanning the file directly with Symantec didn’t find anything.

Opening the zip revealed an executable waiting to deliver its payload.

image

Symantec 10 didn’t find any problems with this file with normal scans, but Sophos flagged it as Mal/BredoZP-B.

The 2nd one was a little more crafty.

image

1st thing, this was sent directly to me, but to an address I use specifically for those sites which require you to enter an email address. I use this one so I can confirm but discard any junk mail they send.

I tested the link to see if it redirected to a suspicious site. No, it actually went to that site, with a doc file waiting for me.

I checked the site the file is hosted at, and it belongs to:

Registrant:
R**** Z****
{Redacted}

miami, Florida 33138
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: MARCUSLAWCENTER.COM
Created on: 16-Oct-09
Expires on: 16-Oct-11
Last Updated on: 25-Jan-10

So I opened the doc file expecting maybe a macro or something. No macros found, and it passed my initial AV scans.

When I opened it I found this..

image

So why not just send me the PDF directly? Why package it inside a Word document? So I looked at the properties of the “pdf”. AH HA!

image

Inside of there is an executable waiting to be run.

Symantec 10 didn’t find anything wrong with this file, but Sophos did detect it as Virus/spyware Rooj/Resdro-C.
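The doc above hid an executable inside an embedded “pdf” object. The following is an added example, not code from the post, showing the raw-byte check an analyst or mail gateway can run on a legacy OLE .doc: look for a DOS “MZ” header whose e_lfanew field points at a valid “PE\0\0” signature, which a stray “MZ” in text will not. The sample document and the fake PE are constructed here, and the check assumes the embedded object’s header sits in one contiguous run; a full parser would walk the OLE FAT chains (e.g. with olefile), since a large embedded object may be split across non-contiguous sectors.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls compound-file header


def find_embedded_pe(data: bytes) -> list[int]:
    """Offsets of every DOS/PE header pair in data.

    A PE file starts with "MZ" and stores at offset 0x3C (e_lfanew) the distance to
    its "PE\\0\\0" signature; requiring both avoids flagging stray "MZ" bytes in text.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):  # the whole 64-byte DOS header must be present
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage_document(data: bytes) -> dict:
    """What a gateway or analyst wants to know before a document is opened."""
    return {"ole_container": data.startswith(OLE_MAGIC),
            "embedded_pe_offsets": find_embedded_pe(data)}


def build_fake_pe() -> bytes:
    """Constructed stand-in for an executable: valid DOS header + PE signature, no code."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew points just past the DOS stub
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample: OLE header, padding, a Package-style object wrapping the fake PE,
# then a decoy "MZ" inside ordinary text that must not be reported.
FAKE_DOC = (OLE_MAGIC + b"\x00" * 504 + b"Package" + build_fake_pe()
            + b"\x00" * 32 + b"Notes: MZ is the DOS header tag." + b"\x00" * 64)
```

`triage_document(FAKE_DOC)` reports the container type and the single embedded PE at offset 519, while the decoy “MZ” in the trailing text is ignored.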

As a side note, Marcus Law did remove the link and placed an alert on their website. They have made an effort to thwart any further infection. This should be an example, however, to all admins of websites to ensure the security of your servers: keep up to date with patches and fixes, and lock those servers down as much as possible.

Mac’s view of Windows

Here at my new job, the ratio of PCs to Macs is about 50/50. Today I was showing one of the professors that instead of buying a bulk of USB drives to share data between his staff, they could just all put it on one of our servers. So I was doing some testing on his Mac, and when I went to browse to the server the icon looked strangely familiar. Not the typical Windows icon I would expect, but an icon that looked like the BSoD!

I wasn’t sure if this was really what I was seeing until I “googled” it, and sure enough found these sites

http://www.hongkiat.com/blog/mac-loves-windows-blue-screen-of-death/

http://www.engadget.com/2007/10/30/mini-how-to-remove-the-windows-bsod-icon-in-leopard-make-os-x-a-little-less-smug/

I guess it’s just Mac’s way of poking fun at such a superior OS, or just the best way users identify with the Windows OS? Either way.. I got a slight chuckle out of it.