September 17, 2009

Attack E-mails Use Fake Shipping Confirmation Ruse

A triple-payload e-mail attack that uses a fake shipping confirmation notice with a supposed attached label is making the rounds, according to Webroot.

A write-up from the company describes a social engineering ruse designed to nail someone who wasn't paying close attention, with a .zip file attachment that contains an executable disguised with an Excel file icon. The text of the e-mail tells the recipient to open the attachment to print a shipping label (one big clue that this is a scam).

Andrew Brandt makes the good point that changing the default Windows behavior to show file extensions can help thwart the common trick of using a fake document icon to disguise an executable file, assuming that the attached file made it through your anti-spam and antivirus programs. You'd have the chance to see that the supposed Excel file ended in .exe.

In XP, as Brandt describes, change that by opening Explorer, clicking Tools up top, and then unchecking "Hide extensions for known file types." In Vista, start with Organize, then choose Folder and Search options. For either Vista or XP, be sure to click the "Apply to Folders" button to apply the change to all folder, not just the one you're looking at.

Another good idea not mentioned in the Webroot post is to upload any even remotely suspicious attachment or download to Virustotal.com for a malware scan (a free uploader utility makes it especially simple). The attachment in this attack jams three different pieces of malware into the .zip file, which makes for good odds that at least some of the antivirus scanning engines used at Virustotal would catch them.

---

DONATION: www.anti-keylogger.org and www.keylogger.org is an independent research projects supported by a team of enthusiasts. If you find this project useful and would like to help foster its continued development, please consider making a donation.

Thanks in advance for your support!