Dispatches From The Front Lines ...
Your Telephone Account Number
Posted on February 02, 2012 at 10:05 AM

As frequent readers of this blog know, my primary concern is educating everyday users about avoiding the tricks criminals use to capture private data. An article at Trusteer warns of a recent attack technique that takes treachery to a new level. The underpinnings are a little complicated, but a user heading for trouble probably wouldn't notice what's going on. In fact, the warning systems that banks and card issuers rely on to detect account or credit card fraud are effectively disabled for that user, leading to incredible difficulty after the fact.

The problem begins — as is often the case — with a PC infected by a particular piece of malware. Now, before you say "But I have antivirus software installed on my PC!", there may be times when you find it necessary to use another person's computer, or a computer in a publicly accessible location, to perform even a quick transaction (e.g., check your balance) with one of your financial institutions. You can't possibly know if that PC is clean, even when its owner or administrator swears on a stack of AV CDs that everything is OK (oh, well maybe the profiles haven't been updated this week...oops). These days, the same goes for using someone else's smartphone to access your accounts — a very risky proposition for numerous reasons.

So, this infected PC constantly monitors activity, looking especially for access to financial sites. At that point, it's easy for the malware to capture login credentials, which can then allow its masters to get inside your account. Rather than bleed your credit card or bank account dry in a quick shopping spree, the crook sends you a fraudulent email that tries to trick you into handing over your telephone number and account details. Why? So he can tamper with your call forwarding such that telephone verifications from the institution are routed to established criminal call centers, which then supply whatever verification data has already been phished or stolen from you. Your account stays alive longer for the crooks to bleed you even drier.

Because the institution has performed its job of verifying a transaction against information that only you, the customer, should know, you will have one helluva time getting things fixed.

How can you best protect yourself? You should be suspicious of any unsolicited email or telephone call you receive that asks for personal information of any kind. The more dire-sounding the reasoning behind the call, the more cautious you should be. If there is a genuine problem with your account, then you should be able to log into the account online the normal way (i.e., by following a pre-existing bookmark to the site) or call the institution by the telephone number on your most recent bill or statement. Just as you should not trust a link in an email, so should you mistrust a phone number given to you by an unsolicited telephone call.

If you're not paranoid about criminals coming after your valuables, you're crazy.

Phony (and Inept) Intuit Email (Updated)
Posted on January 26, 2012 at 11:59 AM

I love it when crooks make simple mistakes that cost them. Look at the following email message claiming to come from Intuit (the accounting and tax return software company):

From: INTUIT INC.
Subject: Your tax information needs verification.

Dear Account Holder,

In order to guarantee that correct data is being maintained on our systems, as well as to provide you better quality of service; INTUIT INC. has partaken in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have discovered, that your name and/or Employer Identification Number, that is indicated on your account does not correspond to the data obtained from the IRS and/or SSA.

In order to check and update your account, please click here.

Yours truly,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

Is this a phishing expedition or a malware lure? It's hard to tell because the doofus failed to set up the botnet spam sender to fill in the actual link. Here's the source code:

<a href="http://{int_link}">click here</a>

The {int_link} text is a placeholder for the actual link to be inserted. My gut feeling is that this template is supposed to be used to lure recipients to a hijacked web site for malware delivery. That's just my, um, intuition based on years of reading this crap.
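As an added example (not code from this blog), here is the kind of filter check a mail administrator could run over a message like the one above: it pulls the anchors out of the HTML and flags any link that still carries an unresolved template token such as {int_link}, or whose host part is not a hostname at all. The sample HTML is constructed from the anchor quoted in the post plus one well-formed link for comparison.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the anchor quoted in the post plus a well-formed
# link for comparison (www.example.com is a placeholder, not a real target).
SAMPLE_HTML = (
    '<p>In order to check and update your account, please '
    '<a href="http://{int_link}">click here</a>.</p>'
    '<p><a href="https://www.example.com/help">Help</a></p>'
)

# Unresolved template tokens in common spam-kit styles: {int_link}, %%LINK%%, [[link]]
PLACEHOLDER_RE = re.compile(r"\{[^{}]+\}|%%[^%]+%%|\[\[[^\]]+\]\]")
# Hostname labels: letters, digits and hyphens, no leading/trailing hyphen, dot-separated
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")  # missing href becomes ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify_href(href):
    """Return a reason string if the href looks like an unfinished lure, else None."""
    if PLACEHOLDER_RE.search(href):
        return "unresolved template placeholder"
    host = urlsplit(href).hostname or ""
    if not HOSTNAME_RE.match(host):
        return "malformed or missing hostname"
    return None

def find_broken_links(html):
    """List (href, text, reason) for every anchor a filter should flag."""
    collector = AnchorCollector()
    collector.feed(html)
    return [(h, t, r) for h, t in collector.anchors if (r := classify_href(h))]
```

Running find_broken_links over the sample flags only the {int_link} anchor; a real deployment would feed it the HTML part of each inbound message and treat a hit as a strong spam signal.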

Anyway, don't be surprised to see a subsequent blast with this social engineering trick — don't want to screw around with tax stuff, right? — but with the link "fixed."

Update (26Jan2012, 1800 PST): He's been going at it now for over six hours and still no change in the URL. He must be scratching his head over why he has zero responses (my favorite number). Here are variations in the Subject: line I've seen personally:

  • We need your tax information ASAP.
  • Your tax information needs verification.
  • Urgent update of tax information is requested.
  • Verify the correctness of your tax information.
  • Tax Information needed urgently.
  • Please update your tax information promptly.
  • Verify your information for INTUIT INC..

Message bodies also vary a little, but the basic intention is the same.

Somewhere along mid-run, the idiot figured out how to include the actual image binary data for the Intuit logo header at the top of the message. But he still can't figure out the active link stuff. He must have burned through at least a hundred bucks of botnet time with no chance of payback. I'm doing the Snoopy happy dance.

Microsoft Legal Department Malware Lure
Posted on January 25, 2012 at 10:43 AM

The latest in the malware lure campaign invokes the mighty piracy-fighting lawyers at Microsoft. In the email, the recipient is essentially accused of using pirated MS products, and he/she had better click the link to register a PC and avoid court. What a bunch of bullshit.

Here's the message:

Subject: Microsoft legal department

We've been tracking the illegally installed versions of our products for a long time, we've recently won tht claim in International Court, and we were alloud to request from the providers personal details of persons using the illegally installed versions of Microsoft products. We've decided to solve this problem avoiding court. After you follow this link, we register your PC as a legal one, thereby you avoid the judicial issues concerning presumably illegally instaled software on your PC.
With Respect To You
Emeline Welsh

SHA2 check sum: c084bfe116bfe1169dc08e16923723a5a5728e11169dcccccc08e6b572849237

How 'bout the typos and use of the non-word "alloud"? Hmmm, not what I'd expect from Microsoft's lawyers. Tee hee.

As a million times before, the link leads to a hijacked web site, where a page of obfuscated JavaScript can lead a user of an unprotected PC down the path of screwdom.