The problem begins — as if often the case — with a PC infected by a particular piece of malware. Now, before you say "But I have antivirus software installed on my PC!", there may be times when you find it necessary to use another person's computer, or a computer in a publicly accessible location to perform even a quick transaction (e.g., check your balance) with one of your financial institutions. You can't possibly know if that PC is clean, even when its owner or administrator swears on a stack of AV CDs that everything is OK (oh, well maybe the profiles haven't been updated this week...oops). These days, the same goes for using someone else's smartphone to access your accounts — a very risky proposition for numerous reasons.

So, this infected PC constantly monitors activity, looking especially for access to financial sites. At that point, it's easy for the malware to capture login credentials, which can then allow its masters to get inside your account. Rather than bleed your credit card or bank account dry for a quick shopping spree, the crook sends you a fraudulent email that tries to trick you into handing over your telephone number and account details. Why? So he can screw with your call forwarding such that telephone verifications from the institution are sent to established criminal call centers who provide all necessary verification data you've allowed to be phished or stolen. Your account stays alive longer for the crooks to bleed you even drier.

Because the institution has performed its job of verifying a transaction against information that only you, the customer, should know, you will have one helluva time getting things fixed.

How can you best protect yourself? You should be suspicious of any unsolicited email or telephone call you receive that asks for personal information of any kind. The more dire-sounding the reasoning behind the call, the more cautious you should be. If there is a genuine problem with your account, then you should be able to log into the account online the normal way (i.e., by following a pre-existing bookmark to the site) or call the institution by the telephone number on your most recent bill or statement. Just as you should not trust a link in an email, so should you mistrust a phone number given to you by an unsolicited telephone call.

If you're not paranoid about criminals coming after your valuables, you're crazy.

From: INTUIT INC.
Subject: Your tax information needs verification.

Dear Account Holder,

In order to guarantee that correct data is being maintained on our systems, as well as to provide you better quality of service; INTUIT INC. has partaken in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have discovered, that your name and/or Employer Identification Number, that is indicated on your account does not correspond to the data obtained from the IRS and/or SSA.

In order to check and update your account, please click here.

Yours truly,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

Is this a phishing expedition or a malware lure? It's hard to tell because the doofus failed to set up the botnet spam sender to fill in the actual link. Here's the source code:

<a href="http://{int_link}">click here</a>

The {int_link} text is a placeholder for the actual link to be inserted. My gut feeling is that this template is supposed to be used to lure recipients to a hijacked web site for malware delivery. That's just my, um, intuition based on years of reading this crap.

Anyway, don't be surprised to see a subsequent blast with this social engineering trick — don't want to screw around with tax stuff, right? — but with the link "fixed."

Update (26Jan2012, 1800 PST): He's been going at it now for over six hours and still no change in the URL. He must be scratching his head over why he has zero responses (my favorite number). Here are variations in the Subject: line I've seen personally:

• We need your tax information ASAP.
• Your tax information needs verification.
• Urgent update of tax information is requested.
• Verify the correctness of your tax information.
• Tax Information needed urgently.
• Please update your tax information promptly.
• Verify your information for INTUIT INC..

Message bodies also vary a little, but the basic intention is the same.

Somewhere along mid-run, the idiot figured out how to include the actual image binary data for the Intuit logo header at the top of the message. But he still can't figure out the active link stuff. He must have burned through at least a hundred bucks of botnet time with no chance of payback. I'm doing the Snoopy happy dance.

Here's the message:

Subject: Microsoft legal department

We've been tracking the illegally installed versions of our products for a long time, we've recently won tht claim in International Court, and we were alloud to request from the providers personal details of persons using the illegally installed versions of Microsoft products. We've decided to solve this problem avoiding court. After you follow this link, we register your PC as a legal one, thereby you avoid the judicial issues concerning presumably illegally instaled software on your PC.
With Respect To You
Emeline Welsh

SHA2 check sum: c084bfe116bfe1169dc08e16923723a5a5728e11169dcccccc08e6b572849237

How 'bout the typos and use of the non-word "alloud"? Hmmm, not what I'd expect from Microsoft's lawyers. Tee hee.

As a million times before, the link leads to a hijacked web site, where a page of obfuscated JavaScript can lead a user of an unprotected PC down the path of screwdom.

Subject: Brand new iPhone 5 design

We are pleased to introduce you a piece of future. Take a look at the new iPhone's design here.

[35 line breaks omitted]

Copyright © 2012 Apple Inc. All rights reserved.

The link, of course, is not to any genuine Apple site (although the freshly-minted domain has "iphone5" in its name). It downloads a Windows executable...which is a piece alright, but not a piece of future.

Subject: NOTIFICATION OF CREDIT FROM BANK OF AMERICA

NOTIFICATION OF CREDIT FROM BANK OF AMERICA.

Attn: Beneficiary,

We received a payment credit instruction from the Federal Government of Nigeria to credit your account with your full Inheritance fund of US$10.3Million from the Nigerian reserve account with our bank, Bank of America on 23rd of December, 2011.

However, you shall required to provide the followings data’s below:

{1}. Your Full Name and Address.
{2}. Your Confidential Tel, Cell and Fax.
{3). Your Bank name and address.
{4). Your A/c Name and A/c Numbers.:
(5). Your Swift Code / Routing Numbers.

Please do provide the above information accurately, because this office cannot afford to be held liable for any wrong transfer of funds or liability of funds credited into a ghost account.

Thanks for banking with Bank of America while we looking forward to serving you with the best of our service.


Thanks and God bless you.

Regards,

I omitted the full signature section because it's where the fun really begins:

So, I'm supposed to believe that Ben Bernanke is an account office at the Athens, GA branch of BofA, while also being Chairman of the Federal Reserve Bank of New York. Notice, however, that this is Ben M. Bernanke. The middle initial of the real Ben Bernanke is S. He's also the Chairman of the whole Federal Reserve. And something tells me that Ben S and Ben M are not identical twins with only distinguishing middle names.

Anyone who takes this email as genuine and responds needs some adult supervision. Seriously.

Subject: Your order for chopper for the weekend

Your order for our air commuter services has been taken and processed. The rotorcraft will be at your disposal from 16.45 saturday to 7.30 p.m. wednesday. Once again, the rates are as follows:
1 hour in the air: 525$
Takeoff / Landing: 254$
1 hour standstill on the ground: 78$
Longest period in the air is 3 hours.
When flying for longer distances, a co-pilot is needed, and the cost consequently increases by 120$ per hour.

Tital to pay.doc 406kb
Best wishes
Trey Toney

Secure Checksum: 5a572849d084b57dccc03af4bf49

Clearly written by a non-U.S., English-as-a-third-language crook. Like so many of these messages, the link isn't to an attached document, but rather to a hijacked web site, where obfuscated JavaScript takes over.

First the link variety. This time, the crook is using a bunch of legal mumbo jumbo. It's mostly meaningless, but invocating "the court" may put the fear of God into recipients and get the clicking finger adrenalin going:

Subject: Re: Fwd: Our chances to win an action are better than ever.

We discussed it with the administration representatives, and if we plead guilty our slight infringements to improve their statistics, the major action will be closed due to the lack of the state interest to the action. We have executed your explanatory text for the court. Please read it carefully and if anything in it of you feel uncomfortable with anything in it, advise us.

Speech.doc 556kb

Best Regards
Alita Feliciano

Secure Checksum: b1de6f8a5c8a50c3e1de127d4b650c3e6f

Although the message is formatted to make it appear as if the link is to an attachment, it is really just a clickable hyperlink to a hijacked web site where nefarious things happen to the unprotected PC.

The second one displays the guts of the malware distributors. They pose as no less than the United States Computer Emergency Readiness Team (US-CERT). Check this out:

From: soc@us-cert.gov
Subject: Phishing incident report call number: PH0000005724464

US-CERT is forwarding the following Phishing email that we received to the APWG for further investigation and processing.

Please check attached report for the details and email source

US-CERT has opened a ticket and assigned incident number PH0000001057411. As your investigation progresses updates may be sent at your discretion to soc@us-cert.gov and should reference PH0000009366166.

Thank you,

US-CERT Operations Center
888-282-0870
soc@us-cert.gov
http://www.us-cert.gov

[Attached File: US-CERT Operations Center Report 9463207.zip]

Ignoring the use of three different PH numbers (I guess as in PHony incident numbers), the fact that the message headers reveal its origination in Indonesia taints the authenticity just a tad.

Just remember: The more an unsolicited email message tries to elevate your blood pressure, the more likely it's B.S.

He's doing this to advertise all kinds of products and services, including some very well-known brand names, such as Pimsleur language training. It's impossible to know if the spammer is an actual affiliate, or is using another route to generate leads for Pimsleur. Links in the messages do not go to Pimsleur (or whatever company is being promoted), but rather to domains whose registrations were minted fairly recently and are privacy-protected. The opt-out links go to the same domains as the offer links.

The particular hash-busting technique that this guy has been using for quite awhile is to load the hidden text at or near the end of the visible HTML, buried within a <style> tag. If you're not into HTML, let it be known that a browser does not render the content of <style> tags because they're supposed to contain layout instructions, such as fonts, colors, margins, and so on.

To give you an idea of the magnitude of the hash-busting text, I studied the content of a recent Pimsleur spam message. The entire message (including headers) was 12,397 characters long; the hash-busting text represented 10,650 characters of that. Eighty-six percent of the message's bytes were dedicated to bypassing recipients' spam filters.

In that particular message, the hash-busting text was predominantly scraped from a macrumors.com forum web page from 2008. Here's a brief excerpt:

<style type="text/css"> Apple News

Front Page
Mac Blog
iOS Blog
Buyer's Guide
Forums

Register FAQ / Rules Community Forum Spy Today's Posts Search
Go Back MacRumors Forums > Apple Hardware > Notebooks > MacBook Pro
Reload this Page Advice Appreciated: MacBook Pro Logic Board Replace?

User Name Remember Me?
Password

Reply

Thread Tools Search this Thread Display Modes
Old Aug 12, 2008, 11:04 PM #1
intercept789
macrumors newbie

Join Date: Aug 2008

Advice Appreciated: MacBook Pro Logic Board Replace?
Hi everyone. I don't have Apple Care. I am out of warranty.

My computer recently, today, got a problem where the monitor no longer works, and an external monitor doesn't work. Thought it was maybe this can't get out of sleep problem, but it's not. A shut down and restart, battery removal, connect a another monitor does not do anything. It seems to work fine otherwise. Took it in and they said the entire logic board had to be replaced, and would be $1,300. owwww.

Is this reasonable? Anyone have a cheaper way to go about this? This is a 2.4 MacBook Pro. Another option, I would hate to do without my computer for a length of time, but $1,300 is money I really don't have now. I see in the Buyer's Guide another incarnation of the MacBook Pro is coming. Does that mean the price of my logic board would drop soon?

Thanks in advance!
intercept789 is offline 0 Reply With Quote
...
</style>

Another spammer out there has been pushing a skin care line using slightly different hash-busting overloading. His technique uses a combination of syntactically-correct style sheet rules (although referencing HTML elements that don't exist in the message), plus multiple series of slash-delimited dictionary words and wide-spaced single words all within the same <style> tag, like the following:

nnggttff/pfizer/collapses/tradition/scratched/reminiscent/salvaging/inexplicably/shannon/hr/shins/Subsidiaries/redefinition/se/possessed/undershirt/legislation/nelson/lie/round/canaan/enrolled/misfit/reimagined/DETECT/murmured/

returns

pilipinas

exporters

until

dvh

bars

duncans

radars

endangers

braverman

chameides

straw

job

pastured

pascal

xcsk

tam

cns

A typical message arrives with a total of 18,313 characters, 16,734 (91%) of which are dedicated to hash busting.

It's clear from the source code of these messages that the spammer knows the recipients likely don't want to receive these messages, and is working diligently to get past whatever defenses lie in his path. Unfortunately, this activity is protected by the CANSPAM law, as long as an opt-out link is provided. But I can tell you that the way the opt-out language is written, it's totally worthless when spammers use thousands of domains for their advertising campaigns. There is nothing preventing a spammer from taking an opt-out email address for one domain and handing it over to be used for any of his other domains. That's why I recommend never opting out of an unsolicited email message — it's merely confirming that the address is alive and ready to receive more crap from other domains from serial spammers.

If the brand-name companies are either hiring these "email marketing" firms directly or let such firms sign up to be affiliates, they must monitor the senders' activities. Any brand-named product I see being advertised with onerous (as in 80+%) hash busting content goes on my black list as a consumer. From this morning's email alone, the list added Pimsleur, match.com, and American Home Shield.

Observe:

From: FEDEX COURIER COMPANY
Subject: GOOD DAY

Dear Customer,
Good day to you. We have been waiting for you to contact us for your Confirmable Package that is registered with us for shipping of your Package to your residential location.
We are hereby obliged to inform you that your parcel has been with us for weeks now, We got over 20 set of packages from the United Kingdom We took time to write out the email addresses on the label Of each parcel and yours was included This is to inform you that we are in possession of your Parcel (which include a certified cheque worth of $800,000.00 USD and other vital documents) that we facilitate the clearance of the cheque in your country, which is to be couriered to you. It is the usual practice of our organization to conduct a proper verification of all PaCkages that we are to delivered, to ensure that they are valid. Be rest assured that your cheque has been confirmed valid and true and delivery will be made once you have meet the necessary requirements. The package is registered with us for mailing by the Online Lottery Award Promo Board as claimed,in England, United Kingdom.
We are sending you this email because your package has been registered on a Special Order.
What you have to do now, is to contact our Delivery Department for immediate dispatchment of your package to your residencial address.
Note that as soon as our Delivery Team confirms your informations, it will take only one working day (24 hours for your package to arrive it designated destination. For your information, the Mail, VAT & Shipping fees have been paid by the Lottery Award Promo Board before your package was registered. What you need to pay is the Security Keeping fee of the FedEx company as stated in our privacy terms & condition page, in order to secured your Package.
The cost for the Security Keeping fee is $286 USD.
This is mandatory, kindly complete the below form to reconfirm your Postal
information:
Name:......................
Occupation:...................
Country:........................
State:...........................
City:.............................
Sex:............................
Age:.........................
Phone:.....................
Await your Swift Response.

Yours Faithfully,
Mike Robert

Email:fedexdeliveryservice[more removed]@yahoo.com
(The Dispatched Officer).
FedEx Online Team Management © 1995 - 2012 FedEx

Even if you were to fall for the preposterous FedEx part of the story (e.g., calling themselves "Fedex Courier Company"; that they confirm the contents of a package to contain a massive check; that they would charge recipients a Security Keeping fee), hopefully the lottery connection will give you pause, since lottery scams have been around forever.

On the one hand, the crook tells you up front how much money you'll be scammed out of in the first round. On the other hand, believe me when I tell you it's only a down payment. That poor, nonexistent parcel will travel around the world several times, winding up in places that need official fees, taxes, security costs, and bribes to free it on its way to you.

Oh, and if you think this scam is a new hybrid, examples with nearly verbatim language have been circulating for at least two years. It's just one of the many templates in the 419 Crook's Playset.

From: Postal Service <support@usps.com>
Subject: USPS service. Get your parcel NO#2517

Dear customer,

Your parcel has arrived at the post office on December 5.
We were not able to deliver your package to your address.
To receive a parcel you should go to the nearest USPS office and show your post label.
The post label is attached to this letter.

Thank you for your attention.
USPS Customer Services.

[Attached File: Post_Label_N1976US.zip]

Problem is, the attached file or the page at the end of the link destination can rip open an unprotected PC faster than a 5 year old kid tearing through wrapping paper on Christmas morning.

That's one way to get your New Year off to a crappy start.

To get the recipient all riled up, the crook employs a common tactic:

Subject: Re:IRS NOTIFICATION:-Complaint against your business af8d0a35bfd97efb

Nothing like invoking the tax folks to get the adrenalin flowing.

The message body goes horribly wrong in the way it had been deployed, but here's what shows up in my email client:

308389540413

852-78-0055
<!--We regret_to_inform_you, that link--> goo.gl/[removed]

The HTML commented part looks like the start of boilerplate code, complete with a mail merge-like placeholder (the underscored bit). From the looks of it, the kid screwed up the composition of the body and didn't test before deploying (Kids!). He (or she) did insert an active URL, using a Google URL shortener, but not as a clickable link. To save you the trouble of copying the URL and pasting it into a browser, the journey continues through a freshly-minted domain containing further redirection until your browser lands at an India-based server hosting the main.php program. That's where the JavaScript looks for all the usual Windows security holes.

At the same time, the malware lure campaign using a phony contract as bait continues. Today's installment makes it sound like the contract process has gone further until the latest snafu:

Subject: The variant of the contract you've offered has been delcined.

After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
NEW_Contract.doc 20kb

With Respect
Jorge Prescott

MD5 check sum: 8c46c46c4138ce9a52180726c413338c

As before, the link is not to an attached document but to a Russian server hosting the main.php code.

Ya de yadda.

Subject: Your customers concern

	Better Business Bureau® Start With Trust®
RE: Case # 58871023 2011/12/21 Dear Sirs, The Better Business Bureau has got the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer's concern are explained in attached file. Please give attention to this case and notify us of your opinion. We encourage you to open the ATTACHED REPORT to answer this complaint. We look forward to your urgent reply. Sincerely, Shawna Dennis Dispute Counselor Better Business Bureau
Privacy Policy | Terms of Use | Trademarks | Find a BBB | BBB Directory © 2011 Council of Better Business Bureaus

In addition to the many grammatical errors in the message, the forged headers of this message are a mess. The From: field shows an address from a legitimate web site domain — not the BBB; the To: field is addressed to someone at cya.ca.gov (the California Youth Authority). Now I'd wager that some of the CYA's "customers" complain, but not through the BBB.

Although the action item of the message indicates that the complaint is in an attached file, instead there is a link to a hijacked web site. The offending page had been taken down by the site's owner (Way to go!), so I don't know if the page contained the main.php iframe or script download technique. Poker professionals will tell you that if you are bluffing, the story you're representing has to be solid so your opponent(s) can believe your bull. This one fails miserably.

I truly don't care where the links lead. I'd rather recipients be aware that this message — or any message that attempts to get the recipient all riled up and click-happy — is phony and potentially dangerous if they click the link.

Subject: Suspension of your transactions

Dear customer,

In order to diminish the number of wire fraud cases, we have introduced a new security system. In this connection all the ACH and WIRE transactions of our customers will be suspended until your security version meets the new requirements.. In order to reinstate your account abilities, you are required to install a special security software. You may use the link below and follow the instructions to proceed with the installation.

http://fdic.gov/updates/49378441
We apologize for causing you troubles by this measure.
Please do not hesitate to contact us if you experience any problems.

Yours truly,

Federal Deposit Insurance Corporation
Security Department

======================================

Subject: For the urgent attention of Accounting Dpt.!

Dear Sirs,

In connection with the introduction of a new security system for the purpose of preventing new cases of wire fraud, all the ACH and WIRE transactions on your account have been blocked until your security version meets the new requirements.. In order to re-establish the full functioning of your account, you need to install a special security software. Please open the link below to read the instructions and download all the necessary files.

http://fdicgov/updates/96042318
We apologize for any troubles caused to you by this measure.
Please do not hesitate to contact us if you have any questions.

Sincerely yours,

Federal Deposit Insurance Corporation
Security Department

======================================

Subject: Urgent notice from FDIC

Dear Sirs,

Due to our adoption of a new security system, for the purpose of preventing new cases of fraud and scams, all your account ACH and WIRE transactions will be suspended until you update your security version in compliance with our new requirements.. In order to restore your ability to make transactions, you are required to install a special security software. Please open the link below to download and install the latest security version.

http://fdic.gov/updates/28009746
We apologize for causing you inconveniences by this measure.
Please do not hesitate to contact us if you have any questions.

Yours truly,

Federal Deposit Insurance Corporation
Security Department

The links beneath the visible fdic.gov links go to hijacked web sites as before. But instead of loading the main.php URL into an iframe, these hijacked site pages load not one, not two, but three copies of a script, each from a different hijacked site — a redundancy that plans against possible shutdowns/cleanups of one or more sites. The scripts are loaded via simple <script> tags, and all three sources end in jqueri.js (not related to JQuery). The scripts consist of obfuscated JavaScript which decodes itself to execute a laundry list of JavaScript-controlled exploits on malware-susceptible PCs.

As an extra bonus, when the decoded script finishes, its last task is to redirect your browser to yet another site that has been known to load malware. Your browser — and perhaps your PC — will have been beaten to a pulp before this sequence finishes.

Again, the actual exploits being abused in this campaign aren't important to everyday users. But the social engineering techniques in the opening email salvos definitely are. Resisting to click on ominous links is hard. But resist you must!

Here they are:

From: sales1@[my own domain].com
Subject: Re: Fwd: Order K90309811

Hello,

You can download your Windows Vista License here -

Microsoft Corporation

Like the earlier Adobe message, this one attempts to lure with a previous generation product license. Since the crooks aren't really giving anything away, I'm still puzzled why they flaunt a license for an outmoded version.

Subject: Im shocked!

Have you seen how much money has Cameron spent on his new movie?
What a graphics, check out the trailer!

Yes, both lines are underlined, but only the second one is a clickable link.

In the case of both messages, the actual links take victims to hijacked legitimate web sites, where the page contains an iframe that loads (from a URL that ends in main.php) an obfuscated JavaScript page from a Russian web site. Unlike antivirus sites that delve into the particular exploits being used by the malware attacks, I couldn't care less. My concern is teaching recipients of this junk to think twice — if not thrice — about clicking on links from unsolicited email.

This one claims to help you overcome a billing snafu at the Apple Store:

If you dare follow the link—the real link is to a site whose domain was registered yesterday—you'll be asked for your AppleID and password. After that you'll find a form requesting additional identity info.

Compromised Apple Store login credentials can really do damage if you don't catch it in time. Fixing it can be an even bigger headache.