Should you Unsubscribe from SPAM?

A reprint from the PC410 Security Newsletter:

Sometimes, yes. Sometimes, no. Here’s how to tell the difference, and why.

First, definitions: SPAM is unsolicited, untargeted email, generally selling something. It’s named after an old Monty Python’s Flying Circus sketch that featured a restaurant with vikings that repeatedly burst into song, singing about Spam, the meat product. They’re still doing it here:

There’s also HAM, which is targeted commercial email, or email that is pointed at someone who is a possible purchaser. A lot of this is completely legitimate, difficult to filter out, and safe to unsubscribe from. Most junk mail that gets past spam filters is ham, and much of the ham can be removed from your daily email.

Don’t Try to Unsubscribe from Everything

If the sender’s email in a spam is an address that has nothing to do with the product, it was probably sent out from a BotFarm of infected computers using stolen email services. Any reply to that just goes to the email server used by the infected computer. Don’t send replies; the owners of those systems have enough problems already–thousands of bounces and “I’m out of the office until…” messages are already clogging their systems. And don’t click any unsubscribe links in those messages, either; they’re either confirming that you read the message, so they can send more spam, or they will go nowhere. Just delete these messages.

If the sender is an actual company that you’ve done business with, and the unsubscribe link is to their own web address, or to a known good newsletter company, yes, click the link and unsubscribe. The best-known newsletter companies are Constant Contact, MailChimp, and MadMimi, and they take spam very seriously, and will honor your unsubscribe requests.

Some of the worst offenders are retail stores, and these are safe to try to unsubscribe from, but unless they’re using a service, their actual removal process may take weeks, or may not succeed at all. Resorting to a phone call is unlikely to work; contact your email provider for a block if the volume of HAM from any one company is annoying.

And a reminder: Float the mouse over a link, without clicking, and the destination should appear at the bottom of the screen. If it’s not going where you expect it should, it’s either evil, or it was sent by someone who doesn’t care about security. Just delete it and move on.
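As an added example (not from the newsletter), here is a Python script that applies the rules above to a message: it pulls the sender’s domain and the links out of a raw email, flags any link whose visible text names a different site than its real destination (the hover check), and only recommends unsubscribing when the link goes to the sender’s own domain or to one of the newsletter services named above. The service domain list and the two sample messages are constructed assumptions.

```python
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Domains of the newsletter services named above (an assumption of this example).
KNOWN_ESP_DOMAINS = {"constantcontact.com", "mailchimp.com", "list-manage.com", "madmimi.com"}
# Constructed samples: a deceptive spam link, and a ham link to a known service.
RAW_SPAM = """From: "Acme Shoes" <abe@b.com>
Content-Type: text/html

<p>Click <a href="http://track.evil-example.net/u?id=1">www.acmeshoes.com/unsubscribe</a> to stop.</p>
"""
RAW_HAM = """From: "Acme Shoes" <news@acmeshoes.com>
Content-Type: text/html

<p><a href="https://acmeshoes.us1.list-manage.com/unsubscribe?u=1">Unsubscribe</a></p>
"""

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})', re.I)

def registrable(host):
    # Crude registrable domain: last two labels (assumes no ccSLDs such as co.uk).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def sender_domain(msg):
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return registrable(addr.rpartition("@")[2])

def link_is_deceptive(href, anchor):
    """The hover check: the visible text names a site other than the real target."""
    m = HOST_IN_TEXT_RE.search(anchor)
    if not m:
        return False
    return registrable(m.group(1)) != registrable(urlparse(href).hostname or "")

def unsubscribe_advice(raw):
    """Return 'unsubscribe' or 'delete' for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sdom = sender_domain(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    for href, anchor in HREF_RE.findall(body.get_content() if body else ""):
        if link_is_deceptive(href, anchor):
            return "delete"      # the link does not go where it claims
        host = registrable(urlparse(href).hostname or "")
        if host == sdom or host in KNOWN_ESP_DOMAINS:
            return "unsubscribe"
    return "delete"              # no trustworthy unsubscribe link, just delete it
```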

Fake Web Charge DOC is a Social Engineering Attack

And today’s hoax email is a social engineering attack, arriving as a fake web charge DOC file. It wants me to open a DOC file and enable macros, and no, I didn’t do that.

Subject: Re: filetiger.com charge on my card

WTF is this $263.48 charge on my card?
I never ordered anything from filetiger.com.
I have attached a screenshot of my statement.
WTF is this about?

Thank you
Attachment: ss_filetiger.com_47155.doc

OK, I know what the transaction sizes are for my FileTiger file management software on my FileTiger.com site, and if there was a $263 site license sale for a product that sells for $9.90, I would have been notified when it happened. So it’s suspicious. There’s no signature, and the sending address has the email address as the name, like this:
abe@b.com <abe@b.com>
(I won’t show the original email addresses, as they’re both fake and variable, and likely stolen from an infected computer’s address book.)

Next, there are carbon copies to three other addresses, on three different domains. One of them is at Ford.com. Really. Another goes to a domain with no web site.

And, of course, it’s all blandly generic. The domain name is there, and it was sent to the email address associated with that domain, publicly available from the records at my domain registrar.

OK, well, I’m clearly not going to open a suspicious doc file in Word; that’s a stupid thing to do. Word has auto-run macros, there are constant patches to force Word to ask permission before launching them, and the bad guys have workarounds to avoid that permission, especially if your version of Word is not the newest edition. Instead, I open it in the vastly safer WordPerfect, which won’t run embedded macros without permission, ever, and couldn’t run a Microsoft Word macro in any case. This image is inside (note that the Office logo is wrong; it’s not a Microsoft message):

“This document was created with an older version of Microsoft Office”

Wow. Brazen. It asks me to “Enable editing” and then to “Enable content”.

OK, next, I take the file and submit it to VirusTotal.com, which runs it against (currently) 55 antivirus products. I did this only 10 minutes after it arrived, so there are only 3 ‘infected’ diagnoses, but it’s clearly evil:

Virus DOC file scan result


Note that VirusTotal already recognized the file, submitted under a filename with a different domain name, but it had been scanned the same day I received it, one minute earlier, in fact.

I also looked inside the file with a pure text editor; there are a lot of totally random phrases in there, so it’s probably being re-generated regularly to stay ahead of AV detection software.

As always, the defense against these social-engineering attacks is the same: Don’t open attachments you didn’t ask for.



UPDATE, Later in the same day:

Apparently, I’m ripping off a lot of people and should expect chargebacks. I have just received an identical message, but now from an email address in Japan. The filename has changed to “ss_filetiger.com_197472.doc”, and VirusTotal says it’s a different file, but it’s now recognized as malware by 6 of the 54 scanning programs, although it’s still not detected by the AV software I’m running locally. In other words, AV can’t keep up.

AntiVirus Software EPIC FAIL by Design

Got an invoice in the mail this morning. A company I never heard of, with this message:

Here is your bill.

Waiting for your answer

Risus Incorporated
Lev Mckenzie
(896) 756-0588

The attachment is named “Risus Incorporated.bill42zo.06.p24me38i.rtf”.

So what’s wrong with that?

  • I have no business relationship with any of those names.
  • The company name doesn’t match the email domain.
  • 896 is a fake area code.
  • That last name is odd–that ‘k’ in ‘Mckenzie’ should be capitalized. Who misspells their own name?
  • The web site matching the email address that appears to have sent the email is the “Arab Real Estate Company”, with what appears to be a legit web site in Arabic.
  • The “invoice” is a RTF file, also known as a “Rich Text File”; that’s what we programmers used to use to create help files, so it is very capable of holding scripts and program code, but it’s a horrible choice for sending an actual invoice.

So it’s an obvious fake: a phish, an attempt to get me to open something I shouldn’t. OK, with caution, I looked inside. (Don’t do what I do. I’m a professional, and I don’t just double-click to see if anything explodes.) Inside there are multiple pages of this:


valvular wishbone sallymen poop gyn underdepth fearfulness feistiest vapulate gigsmen hemagglutinate bridoon diactinism shiplet subintegumental marliest vagabonding proamateur atamasco supracargo teleplay spherify rhytidome unheart verifiably neobotany horizontalism presbyterianism fatigues reconsign ower incontrollable gangliglions externa allopathically creep witches cicatrices scrappiest hardfistedness harakiri subcortically privily sappily intendence nearshore hypereutectoid chylidrosis metosteal sarcasm's dropsied earthing devour patashte stereoelectric brattie counterprove adventure resprout hyperparasitize humanised unevil pinyin prerighteousness pidgized shellful recompute ultrafiltration masslessness spig expectance voidance multipartisan fin mandrin mezair wastes audiotapes contrariness nonrefractional abnormalise wrihte morphonemics splenetive utilize goniostat chondrocranium

Well, that’s just a paste of words, mostly from a scientific dictionary, in random order, probably chosen because scientific terms are basically international, and would not trigger a “Wrong language” alert in an automated scan.

After a lot of that, I can see function calls to Windows libraries. In other words, yes, it’s a program or a script. Beyond that, I leave it to the malware labs, and yes, I sent a copy to one of the top providers, and they will share it with the other anti-malware companies.

FAIL

And here’s the issue. The computer that this arrived on has in excess of 12 layers of security filtering, between software, settings, and plugins that block evil activity, and is 100% up-to-date, confirmed with three different products. The message wasn’t flagged by Clam Antivirus on the mail server. And on arrival, I saved the attachment, and manually scanned it with three anti-virus and anti-malware products.

There were NO ALERTS AT ALL. Why? Because these anti-malware products are based on a spell checker. They do a mathematical calculation of the contents of a known-evil sample, and come up with a long number that identifies exactly that file, and they save that and send it out to all the computers running that AV product. Takes three days from submission to prevention. But this sample is full of dictionary words. Well, if the malware authors are generating new random pages of word scrambles in each attached RTF file, not one of their “invoices” will ever be detected. EPIC FAIL. Even if they don’t send you a dictionary, there’s a three-day lag time, and until then, the malware is undetectable.

The Fix

  • Educate your users.
  • Don’t open suspicious attachments.
  • Keep your patches up-to-date. Automate it, so that published security holes used by the bad guys aren’t available on your systems.
  • Use ONLY non-Administrator accounts on your computers.
  • Uninstall software that connects to the internet when it’s no longer needed, to reduce attack surface and reduce needed patches.

So there’s no infection here. I didn’t open the invoice. I don’t owe money to a real estate company in Saudi Arabia. Deleted. And you don’t need software to tell you when an email is just plain impossibly wrong.