Saturday, October 6, 2012

Malware Phish Spam of the Day

   This post simply pictures whatever these hackers and spammers have been sending me over the past few schemes, so that people can be on guard against them and protect themselves.

Fake PayPal Scheme (2012-10-16)

(click on picture to enlarge)

   This isn't theirs, and the saved message shows that instead of saving the message proper I must save the attached HTML file instead.  It is impossible to fill out the form and submit the information in Thunderbird on Linux.  Looking at the HTML file ... well, the CSS style sheet is at  Here is where your information goes:

By itself the URL is harmless.  But combined with the HTML file, which I viewed in both Opera and Firefox on Linux, it is rather nasty.  Both Opera and Firefox show the actual URL when you hover over the Submit button.  I have no idea what it does on Windows; I imagine Outlook will do its usual "helpful" thing and hide this URL.  I take an even dimmer view of every web-mail and many POP email programs hiding the email address.  Rather than (un)helpful shorthand names, just give me the complete email addresses in an email program.  But if you fill in the form and click on Submit, your PayPal account is gone.

My advice?  Never fill in these forms!  Close everything, open up your browser and go to PayPal directly to check things out.  Why?  Because PayPal does send things to you in email.  It is just that, for me, I don't have a PayPal account, and when I did, it was not attached to the email address where this message was delivered.  In the body of the message it states: "Open and complete this form to avoid account termination."  That is a panic inducer.  Do not panic!  Take your sweet time: close things, then close your email program, the tabs in the browser, then the browser itself.  Then open up the browser again and go to PayPal directly.  Invariably you will find your PayPal account is just fine.  Oh yes, submit the email message to PhishTank.  This one must have been specially crafted for me; when I tested the URL at PhishTank it was fine.

   If you want to see all of the schemes they have used in the past as well as currently, here is the folder for the schemes / pictures:

How do you protect against them and many other things?  Use Firefox and add NoScript:

That would defeat this scheme completely, and many others as well.  It will help keep your Windows machine from getting infected (unless you allow the thousands of infected hosts to do scripting).  It can also keep Linux, Macintosh, iPad, iPhone, and Android free of junk.  In fact I know a major university Mathematics department that mandates this combination for all operating systems under their control.  There was some bickering at the start, but now many of the mathematicians are even using the same setup at home.  It works.  I was blocking all of the PHP scripts they had as of 2012-10-15.  You cannot block an index.html file.  I am monitoring the block of their second host with this private rule, which may be useless because it may cause false positives (FPs), though I have seen none so far:

BadURL_WordStarts[i++] = "js\.js";

But NoScript stops everything they have on web-sites where you don't allow scripting.  Now do you understand why Firefox + NoScript is such an important security move for you to implement?  Use Firefox + NoScript!  It may be painful, but it works.

Fake eFax and NACHA (2012-10-24)

(click on picture to enlarge)

    I have had a small smattering, but ever since they removed securemecca from the list of sendable addresses, all I get is bounces.  For a few days they sent fake porn web-sites.  If they are like the previous ones, the hosts won't stay in DNS very long.  There were precious few eFax and Intuit scams in the previous few days where they had hacked hosts.  I do capture what URLs I can, but I have been rather busy lately and there were so few it just wasn't worth it.  But for these latest eFax and NACHA ones you are on your own.  Why?  If you enlarge the above picture you will see a " file.  It is attached to the message.  Since I do not have the actual file (yet) I do not know for sure, but I can assure you from past experience that it is not a normal PDF file.  It has a JavaScript exploit in it, and they zipped the file to obfuscate it from the AV companies.  If you look at one of the headers, at least one AV product doesn't like it (probably Sophos).  Hold on!  I have the file.  It will indeed whack you, but it isn't just for the NACHA scam; it is also for the eFax scam.  Do not open these files in Adobe Reader!  Use Evince instead:

Configure your browser and email readers to use Evince for embedded PDF files.  Since Evince does not interpret the JavaScript instructions in the PDF file, it cannot do anything with them, and you are much safer.  The only legitimate purpose for JavaScript is for forms files.  AFAIK, you can save the file to the desktop, but I would never trust a forms file through the email.  As for what to do with it in the browser on a web page, I would much rather just download the file and open it in either Evince or Adobe Reader myself.  Other than this warning there is very little that I can do.

Fake NACHA and BBB Schemes (2012-11-08)

(click on picture to enlarge)

   Some of these have been coming the past few days.  They masquerade as a PDF file from NACHA, the BBB and perhaps other organizations.  If you enlarge the above picture, you will see they have something like ACH-Report-${HASH}  For whatever reason, Microsoft and others have seen fit to blast the 7-zip format as being inherently less safe than the zip format.  This file illustrates just one of the many reasons 7-zip is safer than zip.  Why?  If it were a 7-Zip file, the user would have to save it and unzip it; unless you have 7-zip (free from ), WinZip or something else, you cannot open it.  But Windows will happily open this zip file.  What do you get?  A humongous file name that ends not in ".pdf" but in ".pdf.exe".  The scans look like this at best:

Scan of exe file from previous (2012-11-09)

(click on picture to enlarge)

   As you can see, the detection rate is deplorable.  Of course I sent it on to ClamAV.  That doesn't matter much because the AV companies are now swamped.  Now do you really want to continue using a mix of Windows + Outlook or Windows + web-mail?  It is your choice, but there is nothing I can do about the situation other than report it and urge you to at least use Thunderbird and POP mail.  Notice that I can see the attachment, but more to the point, Thunderbird doesn't oh so helpfully unzip that sucker, and the message as it is shown fools nobody since the images and other stuff are gone, at least on Linux.
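An added example, not from this post, of the check a mail filter can make that Windows Explorer does not: open the zip attachment and flag members whose names end in an executable extension hidden behind ".pdf", or that are padded out to push the real extension off-screen.  The sample message, its file names and the 80-character length threshold are constructed assumptions.

```python
import io
import zipfile
from email.message import EmailMessage

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".txt", ".htm", ".html"}
LONG_NAME = 80  # assumption: names this long exist to push the real extension off-screen

def classify_name(name):
    """Reason string if the name looks like a disguised executable, else None."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    last = "." + parts[-1] if len(parts) > 1 else ""
    prev = "." + parts[-2] if len(parts) > 2 else ""
    if last in EXEC_EXT and prev in DOC_EXT:
        return "double extension %s%s" % (prev, last)
    if last in EXEC_EXT:
        return "executable %s" % last
    if len(name) > LONG_NAME:
        return "overlong name (%d chars)" % len(name)
    return None

def scan_zip_bytes(data):
    # Only the member names are needed; nothing is extracted or executed.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist()]
    return [(n, classify_name(n)) for n in names if classify_name(n)]

def scan_message(msg):
    """Inspect every attachment of a parsed email; zips are opened and their members checked."""
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            findings += [(fname, m, r) for m, r in scan_zip_bytes(payload)]
        elif classify_name(fname):
            findings.append((fname, fname, classify_name(fname)))
    return findings

def build_sample_message():
    """Constructed NACHA-style lure: a zip carrying ACH-Report-<hash>.pdf.exe plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ACH-Report-" + "0123abcd" * 8 + ".pdf.exe", b"MZ constructed stub")
        zf.writestr("readme.txt", b"constructed benign member")
    msg = EmailMessage()
    msg.set_content("Please review the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="ACH-Report.zip")
    return msg
```

Running scan_message(build_sample_message()) reports the single .pdf.exe member and leaves readme.txt alone; the same function can be fed any message parsed with email.message_from_bytes.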

No Read Scheme (2012-12-01)

(click on picture to enlarge)

   This scheme seems to be aimed at Thunderbird and Claws Mail users on Windows.  There is no rest of the file.  If there were and it was HTML, then Claws Mail users on Windows would not see the rest unless they plugged in the HTML viewer.  Thunderbird users on all platforms would also not have seen the HTML rendered page.  But in this case, there was no "rest of the file."  This link and the line leading to it were all there was.
   What should you do?  Do NOT click on the links!  So what did I do, given the fact that all of them I have looked at so far are PHP scripts?  Remember that these run on the server, not on the connecting machine.  Well, I am running Linux, not Windows.  You say they will stab an add-on into Firefox?  Remember, I have to copy the string in Thunderbird and then manually paste it into the URL box in either Firefox or Opera.  But before I did that I started Wireshark running.  Then I went to them.  All of them either savaged the server so badly that it showed the hacking, or they did nothing.  I attribute the "do nothing" to their queries for what my OS and browser were.  Maybe if you are not running Windows they do nothing.  Do not click on any links in email from dubious origin!  That advice is also valid for Linux users.  After all, since they did OS and browser checks they could have stuffed something into the user's browser data folder (~/.mozilla and ~/.opera on Linux for those browsers).  Yes, the browsers have settings to prohibit add-ons from being installed, but both JavaScript and especially Java can do it.
   So am I some sort of god with a teflon coating that protects me?  No.  I have taken the strongest settings for all browsers and do NOT store passwords in them.  But I am sitting on months' worth of backups for both the browsers and the bookmarks:

If I get into something sticky I close the browser (use Quit, not the X button), blow away the user browser folder, then restore an old fail-safe backup.  If I am still suspicious, I can just blow it all away.  Then I start the browser, creating a new user browser data folder.  I then import the latest bookmarks and add the few add-ons that I have: Cookie Safe, ABP, and Better Privacy for Firefox.  If that is not necessary then I just update them.  Then I create a new fail-safe backup.  How long does it take me to recreate it all sans the bookmarks?  Less than four minutes.  Restoring takes less than a minute.  I did that after I did the above tests.  Better safe than sorry.  But unless you have to test it, do not click on the links!  I just wish that one piece of advice did it all for security.  Unfortunately, it doesn't.  But not clicking on links goes a long way in securing you from email-borne threats.

Citibank Scheme (2012-12-13/14)

(click on picture to enlarge)

   Like all of the other fake schemes, I could not coax anything bad out of the links in the first email.  Only one of the links tried to go on, but the others were removed.  My statement remains: use Firefox with NoScript, which stops it even if you are reading your email in Outlook, as long as you set Firefox to be your primary browser.  But before that, be a little more discerning and don't click on the links.  Just close everything down and go to Citibank directly if that is your bank.  Since only the crackers are reading this now ... I will bring this to an end.  Everybody seems to be protected.

Facebook Scheme (2012-12-19)

(click on picture to enlarge)

   Unlike the previous ones, these have no random sock-it-to-you.  If you haven't been there before, then you will probably get infected.  They achieve it by using a fake Facebook message with a visible link showing Facebook's URL, but the real hidden URL contains the word "dating" in the host name.  Here is the scan at for the initial onslaught:

They seem to use another host named domainsstressadd DOT net to do black-listing, to prevent you from getting multiple samples.  I have been getting lots of these, both directly and as bounces from sends to non-existent mail drops.  As usual, is not sending the messages.  Hacked Windows machines with SMTP agents installed on them are sending the messages.  Suggestions for how to handle the problem are:

1. Delete the message with extreme prejudice and click on NOTHING in the email message.

2. Do not have a Facebook account.  If you don't have a Facebook account then you will know the message is not genuine.  It will either be a phish or as it is in this case, malware.

3. If you have a Facebook account, settle down and log out of email and close your POP / IMAP mail program if that is what you got the message in.  If you had Thunderbird you would have the malicious URLs shown to you.  If you are using web-mail (Yahoo, GMail, et al) then sign out.  Close all of the tabs in your browser, then clear the caches and information.  Now close the browser.  Open the browser again and go to Facebook directly via either your Bookmarks / Favorites.  Your account will probably be just fine.

4. You should think seriously about using Firefox with NoScript.  It would stop all of these links (each of my email messages used a different host) cold, since every one of them uses a PHP script.
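Both tricks this post keeps running into, the hidden form action in the PayPal HTML attachment and the Facebook link whose visible text shows one host while the real href goes to another, are what a mail client could flag instead of hiding.  This is an added example, not code from the post; the sample HTML and the .example host names are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

def host_of(url):
    """Lower-case host of a URL or bare 'www.host' text, without a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class PhishLinkAuditor(HTMLParser):
    """Collect every <form action> and every <a href> together with its visible text."""
    def __init__(self):
        super().__init__()
        self.forms, self.links = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.forms.append(a["action"])
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_html(html):
    """Findings as (kind, shown, real): every form action (mail should never carry a
    credential form) and links whose visible text is a URL naming a different host."""
    p = PhishLinkAuditor()
    p.feed(html)
    findings = [("form-action", host_of(a), a) for a in p.forms]
    for href, text in p.links:
        if re.match(r"^(https?://|www\.)", text, re.I):
            shown, real = host_of(text), host_of(href)
            if shown != real and not real.endswith("." + shown):
                findings.append(("link-mismatch", shown, real))
    return findings

# Constructed sample mirroring the PayPal form and the Facebook link described above.
SAMPLE_HTML = """
<p>Open and complete this form to avoid account termination.</p>
<form action="http://phish-collector.example/post.php" method="post">
  <input name="email"><input name="password"><input type="submit" value="Submit">
</form>
<a href="http://dating-lure.example/go.php">http://www.facebook.com/n/?messages</a>
<a href="https://www.paypal.com/help">https://www.paypal.com/help</a>
"""
```

audit_html(SAMPLE_HTML) reports the off-site form target and the facebook.com text that really points at dating-lure.example, while the honest PayPal link produces nothing.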

That is it!