Bogus Quotation/Purchase Order Malware EmailsPosted on February 20, 2015 at 01:22 PM
Following up on the other day's dispatch on the NYC parking ticket scam, I wish to publicize what I believe to be an exceptionally damaging campaign by crooks to dig their way into small business bank accounts. The messages in question arrive in the form of requests for quotation or a purchase order for goods or services. Here is one plucked out of today's email flood:
Subject: supply only quotation 16822 in total
Attached are 1 quotes so far they are in excel format so they can be altered if necessary (I normally only send the quotes in PDF so they can’t be altered but Mike asked me not to do this).
The rest to follow tomorrow a.m.
I'm omitting some identifying information about a U.K. company that claims to be the originator of the message. The company has nothing to do with this email, so I choose to keep the innocent just that.
Aside from the abominable grammar, the crook-creator of this campaign also isn't very bright when it comes to generating HTML email. His effort may have been aided by entering correct URLs for company logo images, rather than local file paths. All I see in the message are broken image placeholders.
But don't let the crudeness of the missive mislead you. The attached ZIP file is a loader for one of the nastiest pieces of malware currently in circulation. Commonly known as the Dyre Banking Trojan, this ever-evolving piece of work has an incredibly sophisticated network of bad actors behind it. The sneakiest aspect is that it can act as a man-in-the-middle to intercept communications between an individual user and a financial institution. So, not only can it grab login credentials to use willy-nilly, but it can also inject content into the web page that originates at the bank. For instance, the Bad Guys could use the login credentials to nearly wipe out the account, but the next time the human user logs in, the bank's web page shows a full balance, as if nothing is amiss. The malware is wired to make this mysterious behavior work under Windows in Internet Explorer, Chrome, and Firefox. Tomorrow? Who knows what other systems could be affected.
[You don't have to be a genius (or English major) to take advantage of these sophisticated malware campaigns. Many are for rent, and the malware contains an identifier that lets the true leader know whom to compensate for each infected computer. If you are technically inclined, Dell has an excellent writeup about Dyre at http://www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan/. It's a couple of months old, so the software has most likely evolved beyond the capabilities described there.]
I worry greatly for small businesses who receive these types of emails with requests for price quotes and purchase orders from companies the recipient has never heard of before. It's a tough business world out there, and any chance for increased business is a massive lure. Someone receiving such an email message might think he or she will become this week's hero by snagging some fresh business that came in over the transom.
The wary recipient might think twice about opening the attachment. But the hope that this message is the legitimate one (so why not take a look?) draws that itchy mouse finger to double click the attachment.
New York City Parking TicketsPosted on February 18, 2015 at 10:40 AM
To observe how online crooks gain access to business computing systems (for so-called hacking activities that expose millions of customer accounts), look no further than a malware-laced email blasting its way across the Internet today. Here is an example:
Subject: Thank you for your payment
This is confirmation that your payment on Wed, 18 Feb 2015 16:24:50 +0000 for USD 7900.00 has been
accepted by the NYC Department of Finance. Your Credit Card statement will show
an entry from Parking Fines NYCGOV. Please read the attachment and save it in case
you have any questions about the items that you have paid.
Name: sol [removed to protect the innocent]
Payment Date: Wed, 18 Feb 2015 16:24:50 +0000
Receipt Number: WWW31356651
Payment Amount: USD 7900.00
Credit Card: Visa
Account ending in: 5792
Your payment was for the following items:
Agency Item Amount
------------------------------ -------------------- ---------------
PVO 1160025162 USD 3000.00
PVO 7247746580 USD 4500.00
DOF Convenience Fee USD 400.00
Thank you for using New York City's website to process your payment.
Please do not reply to this email. You may contact us by visiting
http://nycserv.nyc.gov/NYCServWeb/ContactUs.html if you have questions
or need further assistance.
Getting the email past anti-virus detection on incoming mail servers is the first challenge. But that's really not much of a challenge these days. Crooks have tools that slightly modify each instance of the attachment so that typical anti-virus checkers (which look for patterns of previous, known viruses) don't stop the delivery of the attachment. The attachment.zip file in the above email was detected by only 7 of 50 anti-virus systems, with a huge number of name brand products not seeing any problem with the file, and sending it on its way to recipients.
With the file safely delivered to the inbox, the crook has one more goal: To trick the recipient into opening the attachment. This is where so-called "social engineering" takes over. With any luck, the fable being told in the message will get the recipient mad or concerned enough to automatically trigger the double-click action to open the file without any critical thinking. In this case, the recipient probably won't notice that the Visa card doesn't have the same last four digits of his or her card mentioned in the email message. In any case, nobody wants an errant charge for $7900 to be their responsibility, especially for parking tickets in a city they may have never visited. Nor would the uncritical recipient wonder how the NYC Department of Finance would find his or her email address, when the possible information they could have from the parking tickets would be the mailing address of the vehicle owner or renter.
[I also highly recommend getting to know a little about email headers so you could see that this email message—despite its claim as being "from" finance.nyc.gov—actually originated from a DSL account in the Netherlands. Not exactly the data processing outsourcing center of the universe.]
Double clicking one of these malware loader email attachments is a one-way trip down a very dangerous alley. Analyses of the malware found on computers of some of the biggest successful hack attacks have demonstrated that the crooks are exceedingly patient. Once they have a foothold, they'll quietly rummage around not only your computer, but any network(s) to which you connect. They'll do this for months until they have captured sufficient knowledge of where vital information is stored and the login credentials needed to steal that information.
Oh, and you Macintosh users out there—that includes me—don't be so smug that your system is hacker proof. THERE IS NO SUCH THING! I simply steer clear of any attachment I wasn't expecting and won't click on a link in an email message without first confirming that the link destination is safe.
Safer than most.
It seems paradoxical to me that the most difficult part of teaching computer users how to be safe from email-borne malware attacks is getting them in the habit of not acting on suspicious stuff in the messages. You'd think the world is full of lazy people, but they're actually overachievers when it comes to clicking and double clicking email message content.
Crooks know this, too. Which is why we're doomed.