Locky Malware in Email:
What are the hackers counting on? You being distracted by screaming children, burning breakfast, or a myriad of other things that take your attention off of being careful, and one little whoops and there it goes. The reason it is called Locky, or ransomware, is that they encipher your files and promise you can get the files back if you send them money. Can you trust them? If they will lock the files in the first place, can you really trust them? Maybe not. I don't trust them to just unlock them. If you think all they will do is unlock the files, a one-time card is the only thing you should pay with.
We need help from Email Reader Creators:
Okay, so you got an email message from your good pal Joey. You can trust his links (but maybe not attachments), right? Wrong! I received two email messages supposedly from a friend just like this. Were they really from them? I read my POP email from that Unix-like system in Thunderbird. Thunderbird won't render all-HTML messages. Unlike the phish URLs I see stripped of everything so that we reviewers at Phishtank can see if they still pose a threat, there are various ways hackers can hide the true URL inside email readers from you and substitute a fake URL that you see. That doesn't work on me, because all I will see is white space. But these email messages were insistent that they came from my friend. Why? Because they showed only the visible first name rather than the entire email address. All email readers do this! They should not do it! But even Thunderbird shows only the name and omits the purported sending email address. So I saved the email messages to files and looked at them in the vim editor. I could see that the email messages MAYBE came from another email address. Even that is dubious, since you can fake the sending email address and have email sent from special-purpose send-only SMTP email servers on both Android and Windows. You should be able to count on an SMTP receiving server to at least faithfully record the sending IP address. So what does a receiving Microsoft Exchange SMTP server do? It strips that IP address off (that IP address is given to you by the routers and just cannot be substituted out by the sending SMTP server), does a lookup of the DNS MX (Mail eXchange) records for the purported sending email address domain, does a lookup of the DNS A records of the MX host(s), and then puts those into the headers. It is enough to drive you nuts. Why doesn't Microsoft Exchange just faithfully give you the REAL sending IP address? I can assure you that there really is only ONE user at my domains.
With the qmail SMTP server I KNOW that what I am getting is the REAL sending IP address. qmail is what powers my mini honey-net. I got the mini honey-net whether I wanted it or not, no thanks to the IMSP. How good were these hackers with these emails faked to look like they came from my friend? So good that they had fake domains and MX records that looked like the real thing. I could even send replies to the phishy-looking email addresses. But after a few days, everything fell out of DNS and my reply email messages would then boomerang. I did look at the URLs in the message (remember, even downloaded Linux binaries won't run on a Linux system, because the file permissions don't set the execute bit on download). Spam. All that effort for spam? I expected at least a phish!
So email reader developers, either make your email readers capable of showing the entire email address or just display the whole email address in the email reader. With this real (er, purported) email address, people can at least see whether the email address is from YourFriend@gmail.com instead of a pretender at YourFriend@bogus.org. Hackers count on this behavior mostly for phish. Just because you have a Macintosh you are not immune. My friend uses a Macintosh. They clicked on a link in an email. The hackers were able to read the contents of their email address book in a webmail account! Get the idea? All platforms are vulnerable to phish. Only email readers like Thunderbird give you a leg-up for phish that are all-HTML messages. For those, Thunderbird just gives you a nice white blank message and there is nothing to click on.
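The checks described above (showing the full address behind a display name, comparing it with the address you actually have for that friend, and reading the Received chain for the IP the first receiving server saw) are easy to do on a saved message with Python's standard library. This is an added example, not code from the original post; the message, the names and the addresses in it are constructed (RFC 5737 documentation addresses and `.example` domains), and the `address_book` lookup is a hypothetical stand-in for whatever contact list a reader keeps.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real capture). The display name says
# "Joey", but the address is at a look-alike domain, Reply-To points somewhere
# else again, and the Received chain records the connecting IP address.
SAMPLE_RAW = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
    by mx.example.org with ESMTP id abc123
    for <you@example.org>; Mon, 01 Feb 2016 08:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.example.net (Postfix) with ESMTPA id def456;
    Mon, 01 Feb 2016 07:59:58 +0000
From: Joey <joey@yourfriend-mail.example>
Reply-To: Joey <other@bogus.example>
To: you@example.org
Subject: check this out
Content-Type: text/html

<html><body><a href="http://bogus.example/login">Click here</a></body></html>
"""

# Bracketed IPv4 literal as it appears in a Received header, e.g. "[203.0.113.10]"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_identity(raw):
    """Return (display_name, address) from From:, i.e. both halves that an
    email reader should show instead of the name alone."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))


def reply_to_mismatch(raw):
    """True when Reply-To would send your answer somewhere other than From:."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    return bool(reply_addr) and reply_addr.lower() != from_addr.lower()


def impersonates_contact(raw, address_book):
    """True when the display name matches a saved contact but the address
    does not. address_book maps lower-cased display names to addresses
    (hypothetical contact list, keyed the way this example needs it)."""
    name, addr = sender_identity(raw)
    known = address_book.get(name.strip().lower())
    return known is not None and addr.lower() != known.lower()


def received_chain(raw):
    """Received headers in the order they appear. Each server prepends its
    own, so the first entry is the last hop and the last entry is the first."""
    msg = message_from_string(raw)
    return msg.get_all("Received", [])


def origin_ip(raw):
    """IP recorded in the oldest Received header: the address the first
    receiving server saw the connection come from. Only that server's own
    line is trustworthy; anything earlier could have been typed by the sender."""
    hops = received_chain(raw)
    if not hops:
        return None
    match = IP_RE.search(hops[-1])
    return match.group(1) if match else None


def html_only(raw):
    """True when there is no text/plain part at all, the kind of message that
    shows up blank in a reader with HTML rendering turned off."""
    msg = message_from_string(raw)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    return all(p.get_content_type() == "text/html" for p in leaves)


if __name__ == "__main__":
    name, addr = sender_identity(SAMPLE_RAW)
    print("From:", name, "<" + addr + ">")
    print("Reply-To differs from From:", reply_to_mismatch(SAMPLE_RAW))
    print("Name matches a contact but address does not:",
          impersonates_contact(SAMPLE_RAW, {"joey": "joey@gmail.example"}))
    print("First-hop IP:", origin_ip(SAMPLE_RAW))
    print("HTML-only message:", html_only(SAMPLE_RAW))
```

Save a suspect message to a file (Thunderbird's "Save As" gives you the raw headers) and pass its contents as `raw`. The oldest Received line is the one that matters: the last server before yours wrote it from the TCP connection it accepted, so a sender cannot substitute it the way it can the From: address; lines further down the chain, including any the sending software wrote itself, are just text.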
If all else fails and your email message really does look like it came from your friend, call your friend on the phone and ask them if they sent you an email message with a URL in it. Ask them what was in the email message. Usually you can use your common sense to say "they would never send me something like THAT." So this advice is only for those email messages you believe REALLY came from them. That means this particular email message looks valid. If it is a targeted attack and the hackers have the time to see what your friend is really like, then they can make an email message really look like it came from your friend, right down to faking the sending email address. Thus my warning about using your phone. Don't assume anything, including that you are so unimportant that you won't have a hacker pretending to be somebody you know. Well, I guess I am that unimportant. But I use Linux, which shrugs off almost everything but phish. Ubuntu-MATE and Xubuntu are recommended. They are even more secure than Macintosh as long as you don't offer services. I don't provide services and hide behind two hardware firewalls as well. Am I paranoid? Yes! Am I paranoid enough? Maybe.