Archive for the ‘Email Security’ Category

New Spam Pretends to be Xerox Scanner Output

Friday, July 16th, 2010

by Barracuda Labs

Barracuda Labs spam monitoring systems have picked up a massive new spam campaign whose messages pretend to be output files from a popular Xerox office copier.

Hundreds of thousands of these messages are circulating around the globe, titled "Scan from a Xerox WorkCentre Pro" and carrying a single .zip attachment whose file name ends in a random number, which helps the messages evade signature-based anti-spam detection. VirusTotal puts anti-virus detection of the attachment at around 19.5%, as TechHerald staff also noted today.

The message format closely mimics the one used by a real Xerox WorkCentre Pro, except for one detail – Xerox scanners do not email their outputs using the .zip format. The WorkCentre Pro from Xerox typically scans documents to PDF, email or FTP accounts.

The message text claims that the attachment is a zipped .doc file, and the .zip container hides the true extension of the file inside it. Only when you go to open that file does its true nature show: it is an executable, not scanner output, and specifically a variant of Trojan Oficla.

Choosing Run (which you should not do) appears to do nothing at all: the Trojan runs but displays no decoy image. Instead it quietly installs itself and gets to work in the background downloading other malware.
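The attachment trick described above (an executable whose name mimics a document, hidden inside a .zip) can be caught by looking at the archive listing and the first bytes of each member without ever extracting anything. The script below is an added example written for this page, not Barracuda's code or a sample from the campaign; the archive and the member names in it are constructed, and the "MZ" bytes are a placeholder for a Windows PE header, not a real program.

```python
"""Triage a .zip e-mail attachment without extracting it.

Added example (not Barracuda code). It reads the archive listing and the
first bytes of each member and flags the tell-tale signs of a disguised
executable: an executable extension, a document name followed by an
executable extension (double extension), or a PE header ("MZ") inside a
file that is not named as an executable.
"""
import io
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons one archive member looks suspicious ([] if none)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]          # ignore any directory prefix
    exts = ["." + p for p in base.split(".")[1:]]   # every extension-like suffix
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension: document name hiding an executable")
    if head.startswith(b"MZ") and (not exts or exts[-1] not in EXECUTABLE_EXTENSIONS):
        reasons.append("PE header (MZ) in a file not named as an executable")
    return reasons


def triage_zip(data: bytes) -> dict[str, list[str]]:
    """Map each member name to its suspicion reasons; nothing is written to disk."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)        # only the magic bytes are needed
            findings[info.filename] = classify_member(info.filename, head)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive whose member name mimics the lure (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # "MZ" followed by zeros stands in for a PE header; this is not a real program.
        zf.writestr("Scan_00123.doc.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        status = "SUSPICIOUS" if reasons else "ok"
        print(f"{member}: {status} {'; '.join(reasons)}")
```

A mail gateway or analyst would run `triage_zip` over the raw attachment bytes; the header check matters because Windows hides known extensions by default, so a member named `Scan_00123.doc.exe` displays as a Word document to the user.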

Samples executed at Barracuda Labs quickly start up a Spambot which sends out more copies of the same message.

As always, never trust unexpected emails, and in particular never press the "Run" button unless you are 100% certain of what you are doing. Word documents are "opened"; they are never "run". And, of course, always keep the security software on your system updated. If this message lands in your inbox, delete it and pass this warning along to your friends and colleagues.

Barracuda Spam & Virus Firewall customers are protected from this attack.


New Spam Poses as Spam Fighting Email

Wednesday, June 30th, 2010

by Barracuda Labs

This week a new sort of spam started showing up in the Barracuda Labs Spam Honeypots – fake sender verification emails such as the one below:

Sender Verification emails ask users to verify that they sent a particular email to someone, usually by responding with another email, or as in this case, by clicking on an embedded link.

Under normal circumstances, these emails come from an email server that has been fitted with sender verification software as a spam-fighting measure. While this software is not as common as it once was, such systems are still used by some businesses and ISPs.

However, the example above merely pretends to be one of these verification emails and does not come from an email server at all. Instead, it is cleverly constructed spam whose embedded link can take the recipient to suspicious Web sites or even offer up executable malware.

This spam appears plausible and easily can trick the unwary email user.

Close examination does reveal several tell-tale signs that this email is suspicious. For starters, the name of the person supposedly emailed is missing. Second, the domain the email purports to come from is the same as the user's own domain, which makes no sense: a user should not need to verify himself to his own mail server.

Indeed, one aspect of this campaign is that each spam is carefully tailored to reference the email domain of the recipient, most likely because that domain is one the recipient knows and trusts.

The message is sent only in HTML format, and the link has varied over time. In some cases, it redirects to Canadian Pharmacy Viagra sites.  In others, the link presents the user with a Windows .EXE to run, which is a variant of the rapidly spreading TDSS rootkit.

While it is easy enough to hover over the link and see that it does not go back to the organization shown as having sent the email, many users will not question the name of the domain in the verification link.

Barracuda Spam & Virus Firewalls block these emails. We suggest users take note and warn other email users of this new social engineering tactic. These emails do not fight spam; they ARE spam.
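The two signs called out above (the From domain being the recipient's own domain, and a verification link that does not lead back to the organisation named as the sender) can be checked mechanically. The script below is an added example for this page, not Barracuda's code and not a real sample from the campaign: the message, its addresses and the `verify-now.test` link host are all constructed. It compares hosts label by label, so a link host that merely starts with the trusted domain does not pass as that domain.

```python
"""Check a "sender verification" message for the signs described above.

Added example, not Barracuda code. It parses a constructed message and
reports (1) whether the From domain is the recipient's own domain, which a
genuine verification request from an outside server would not use, and
(2) which embedded links point outside the claimed sender's domain.
Hosts are compared as whole DNS labels, so "example.com.verify-now.test"
does not count as "example.com" even though it contains that string.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def domain_of(address: str) -> str:
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()


def host_under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (whole labels, not substrings)."""
    host = (host or "").lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return bool(domain) and (host == domain or host.endswith("." + domain))


def analyse(raw: str) -> dict:
    """Summarise the From/To relationship and where the body's links really point."""
    msg = message_from_string(raw, policy=policy.default)
    sender = domain_of(msg["From"])
    recipient = domain_of(msg["To"])
    extractor = LinkExtractor()
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor.feed(body.get_content())
    hosts = [urlparse(link).hostname or "" for link in extractor.links]
    return {
        "from_domain": sender,
        "to_domain": recipient,
        "same_domain": sender == recipient,
        "link_hosts": hosts,
        "foreign_links": [h for h in hosts if not host_under(h, sender)],
    }


# Constructed sample: the recipient's own domain in From, and a verification
# link whose host merely begins with that domain.
SAMPLE = """\
From: postmaster@example.com
To: alice@example.com
Subject: Sender verification required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A message you sent is being held. Verify that you sent it:</p>
<p><a href="http://example.com.verify-now.test/confirm?id=42">Verify now</a></p>
</body></html>
"""

if __name__ == "__main__":
    report = analyse(SAMPLE)
    print("From domain equals recipient domain:", report["same_domain"])
    print("Links outside the sender's domain:", report["foreign_links"])
```

The `host_under` comparison is the part worth copying: a hostname check done with a plain substring match would accept the constructed lookalike, which is exactly the mistake the spam relies on when a user glances at the link.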


Eminem still isn’t dead

Thursday, June 24th, 2010

by Barracuda Labs

Eminem still isn’t dead… at least not as of June 2010. Barracuda Labs honeypots have received thousands of copies of a new spam that is trying to take advantage of a venerable hoax that rap artist Eminem has died in a car crash, this time according to CBS news.

[Image: Eminem Dead hoax email]

The entire poorly written story is contained in an image that links to a file, outlined in red above. Victims are led to believe they are clicking on a CBS story, but the link actually downloads EminemDead.exe. Running this file installs a backdoor on the victim's computer that has very low detection rates according to VirusTotal.

This once again reiterates the importance of never running anything distributed in an email unless the source is known.

Barracuda Spam & Virus Firewalls intercept these emails, and Barracuda Web Filters block the payload.


Who can you trust?

Thursday, May 20th, 2010

by Barracuda Labs

In slasher movies, there’s often a scene where terrified teenagers try to trace the phone calls of a homicidal maniac only to discover that the phone calls are coming from inside the building.

A recent spam case that was referred to the Lab reminded us of one of those scenes and underscored the fact that everyone should be suspicious of unsolicited emails. This is especially true of unsolicited emails that ask you to run something on your computer, no matter WHO they come from at any time.

In this particular case, the spam emails were sent to users within a medium-sized professional firm. They were carefully crafted to appear to be an Adobe security update originally sent to the Assistant Director of Information Technology and then individually forwarded from her. (Names and domains in the message have been changed.)

The bulk of the message looks like a security update from Adobe regarding vulnerability CVE-2010-0193. The linked executable actually is a malicious file that installs a Trojan backdoor program. The linked .PDF also contains a clickable link to the Trojan. Adobe already has reported this spam campaign here:

http://blogs.adobe.com/psirt/2010/05/alert_adobe_security_update_em.html

What’s particularly interesting is just above the forwarded message. The information about the sender of the email – Jane Doe, Assistant Director of Information Technology, JaneDoe@phished.com – is ‘real’ data, most likely harvested from elsewhere on the Internet, and would appear to be normal to co-workers within her company. Her email address is used in the body of the forwarded message as well, making it appear that it really was sent directly to Jane and then she is forwarding it along. Except that she isn’t.

The ‘From’ field of the email has been spoofed (i.e., faked), something spammers easily can do. Instead, examination of the internal email headers reveals that the entire message was sent from a compromised computer in West Virginia.

It is common for spam to be sent with faked ‘From’ data; however, this case takes that even a step further. The ‘From’ name was chosen specifically in order to gain the trust of the users at phished.com who received the messages. This was a deliberate and targeted batch of spam, sometimes called “spear” phishing, which demonstrates just how clever the bad guys are and just how cautious we as users have to be.
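The header examination described above, in which the spoofed From is set against the relay chain that actually delivered the message, can be scripted. The script below is an added example written for this page, not Barracuda's code and not the real headers from this case: the hosts, the `example-isp.test` first hop and the documentation-range IP addresses are constructed placeholders modelled on the story.

```python
"""Trace the Received chain of a message to find its real first hop.

Added example, not Barracuda code. Each relay prepends its own Received
header, so the bottom-most header is the earliest hop the receiving
organisation can see. The script lists hops oldest-first, extracts the
IP each relay recorded for the previous hop, and compares the first
hop's host with the domain claimed in From. The sample message is
constructed: placeholder hosts and documentation-range IPs.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Common shape: "from <helo-name> (<reverse-dns> [<ip>]) by <relay> ...".
# Formats vary between MTAs, so only the pieces needed here are matched.
FROM_RE = re.compile(r"^from\s+(?P<host>[^\s(]+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\]")


def parse_received(header: str) -> dict:
    """Pull the claimed sending host and the recorded IP out of one Received header."""
    text = " ".join(header.split())          # collapse folded continuation lines
    host = FROM_RE.match(text)
    ip = IP_RE.search(text)
    return {
        "claimed_host": host.group("host").lower().rstrip(".") if host else None,
        "ip": ip.group("ip") if ip else None,
        "raw": text,
    }


def domain_of(address: str) -> str:
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()


def trace(raw: str) -> dict:
    """Summarise where a message entered the mail system versus who it claims to be from."""
    msg = message_from_string(raw)
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    hops.reverse()                           # oldest hop first
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    origin_host = hops[0]["claimed_host"] if hops else None
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "origin_host": origin_host,
        "origin_ip": hops[0]["ip"] if hops else None,
        # Mail that genuinely originates inside the organisation named in From
        # should enter the chain from one of that organisation's hosts.
        "origin_matches_from": bool(origin_host) and (
            origin_host == from_domain or origin_host.endswith("." + from_domain)),
        "return_path_matches_from": return_path_domain == from_domain,
        "hops": hops,
    }


# Constructed sample modelled on the case above (all names and addresses are placeholders).
SAMPLE = """\
Return-Path: <bounce@example-isp.test>
Received: from mx.phished.com (mx.phished.com [192.0.2.10])
    by mail.phished.com with ESMTP id 20100520ABC;
    Thu, 20 May 2010 09:00:02 -0700
Received: from dsl-198-51-100-23.example-isp.test (dsl-198-51-100-23.example-isp.test [198.51.100.23])
    by mx.phished.com with SMTP;
    Thu, 20 May 2010 09:00:00 -0700
From: Jane Doe <JaneDoe@phished.com>
To: staff@phished.com
Subject: FW: Adobe Security Update

Please install the attached update.
"""

if __name__ == "__main__":
    result = trace(SAMPLE)
    for n, hop in enumerate(result["hops"]):
        print(f"hop {n}: {hop['claimed_host']} [{hop['ip']}]")
    print("From domain:", result["from_domain"])
    print("First hop belongs to From domain:", result["origin_matches_from"])
    print("Return-Path domain matches From:", result["return_path_matches_from"])
```

Only the Received headers added by your own relays are trustworthy; anything below them was supplied by the sending side and can be forged as easily as From. The hop to examine is therefore the one your perimeter server wrote when it accepted the connection, which in the sample is the `mx.phished.com` line recording the `example-isp.test` host.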

Barracuda Spam Firewalls block these emails.

Below are the captions of various screenshots of the targeted attack in action (the images themselves are not reproduced here).

The targeted email seemingly coming from inside the organization.

The spoofed "from" address, which appears to be correct.

The .PDF mentioned in the email message that contains a malicious link.

Malicious file in action: the presumed software license agreement.

Malicious file in action: setup wizard.

Malicious file in action: accepting terms of the license agreement.

Malicious file in action: ready to install.

Malicious file in action: prompt to reboot.

Malicious file in action: execution complete.


Online Safety: Tips to Protect Your Information

Monday, December 21st, 2009

Posted by: Barracuda Labs

With the increased awareness and attention around incidents of identity theft, consumers are becoming more vigilant in how they provide personal information online. At the same time, businesses that require such information to complete a transaction also must evaluate how they collect that information online from consumers.

For example, a colleague recently forwarded the email below from Southwest requesting personal information to complete the Transportation Security Administration’s (TSA) Secure Flight verification. Because the email was sent after the flight reservation was booked, it was unclear to the recipient whether or not the email was legitimate. Upon examination, it is clear that this is a legitimate email from Southwest; however, it is one that could easily be forged by a spammer or hacker attempting to collect a user’s personal information.

As people are making final travel arrangements and gift purchases online in this last week leading up to the holidays, Barracuda Networks has compiled a number of tips to help consumers discern legitimate emails and Web sites from malicious attempts, as well as recommendations for businesses to better serve their consumers online.

Online consumer safety:

1. Real or fake? Do not click on links included in an email. Instead, type the address directly into your Internet browser.

2. Email security and anti-virus solutions up-and-running. Make sure you have a strong email security solution in place that can block spam and phishing emails as well as detect and block viruses and other malware (including malicious Web links) contained in the email. As an extra precaution, make sure your desktop anti-virus protection is up-to-date and running. This will keep any viruses/malware not sent over email from infecting your computer or adding you to a larger botnet.

3. Strong Web filtering. Having a strong Web filter in place will allow you to block access to potentially dangerous Web sites. Web filters can block downloads by file type and block applications that access the Internet (e.g., IM, music services) that are often used by hackers as a means of transporting malware onto your computer.

4. When in doubt, check it out. If you receive an email from a business that you recently have done an online transaction with – retail, bank, airline, etc. – and are not sure of its authenticity, check it out. Call or email the business to verify that the request is legitimate. Also, you can go directly to that company’s Web site to look for warnings listed of recent Web scams that have targeted the business.

Helping businesses serve customers:

1. On-site, at-once. Request all necessary customer information at the time of purchase, while the consumer is on the Web site. In the case of the Southwest email, if the consumer had been directed to the "MySouthwest Account" to provide this information at the time of flight reservation and purchase, it would have expedited the process for the consumer and eliminated the need to send a follow up email that raised the suspicion of the recipient.

2. Avoid follow up email. Consumers are likely to be more suspicious of emails requesting that they log back into – or create – an account to provide personal information.

3. Provide clear instructions. If sending a follow up email to complete the transaction is unavoidable, provide a clear message to the consumer at the end of the initial online transaction – before they leave the Web site – so that they know to expect an email that will require additional information and what that required information will be.

4. Privacy Policy. Be sure to provide a privacy policy that’s easy to find and is clear on what the Web site will and won’t do with the information entered.

5. Protect customer information on your site. Businesses are responsible for ensuring that the customer information they collect online is protected from those with malicious intent. Implementing a strong Web application firewall protects the business Web site from being hacked and customer information from being stolen.

The underlying goal here is to ensure that businesses that legitimately require user information receive it in a timely and secure fashion. That will keep the bad guys out of consumers' wallets and bank accounts, and stop them from stealing identities.

If you look at the email, you will see that we have verified that the hyperlinks take you to a legitimate Southwest domain. We know it is a legitimate Web site because the hostname in each URL is the Southwest domain.
