You Have Mail!

Clients keep asking about “spam emails” that are really malware in disguise, so this is the first of a few guides that hopefully you’ll all find useful.

Many of you will have been aware of the recent increase in spam emails containing ZIP file attachments. These ZIP files contain “malware” – a computer program (executable file) that is designed, at the very least, to alter the settings on your computer. Don’t panic if you’ve just opened the email and then deleted it – the problem is opening the attachment or using links within the email. Some of these programs are designed simply to display advertisements, some to hijack your web browser or redirect your searches, and some, as in the case of a recent virus, CryptoLocker, encrypt your entire document and picture library and then demand a ransom to decrypt it (“Ransomware”).

We are also seeing a lot more malware being spread by infected websites, especially poorly protected blogs. Sometimes you reach these sites while simply surfing; sometimes you reach them unwittingly by clicking on links within emails.

What is worse is that the majority of this malware is not detected by anti-virus software “until it’s too late”. This is because:

a)  Each of these threats is new (they are often changed each time they are released to avoid detection) and will be in your inbox before the anti-virus vendors add them to their databases – these are known as “zero day” attacks.

b)  They often take advantage of software vulnerabilities on computers to load themselves into memory. They then carry out their task (including shutting down your anti-virus) before writing anything to disk.

With anti-virus and anti-malware vendors playing catch up, security is as much about common sense, and about avoiding the traps created by the malware (and the criminals who send it) in the first place, as it is about software. Most of these emails use “social engineering” to try to get us to follow the instructions within the email – that is, by pretending to be from a genuine source and offering us a positive benefit from following their instructions. Many of us are now familiar with, and ignore, the emails from lawyers saying a distant relative has died and left us millions – they just need our bank details or a processing fee – and likewise the fake emails from banks saying our “account has been blocked” (these can look convincing but are often from a bank we do not bank with!).

However, there are new social engineering techniques that try to persuade us to open or click:

  • Emails purporting to be from, for example, “shopping.co.uk” (usually sites like Amazon – especially near the sale times) saying our order has been shipped. Confirmation is attached.
    • Amazon do not send out shipping confirmations via an attachment.
  • Emails purporting to be from “courier-company.com” informing us they have a package. Details attached.
    • Courier companies do not usually have our email address, but if they do, they send an email with a tracking number (but see “safe browsing” below).
  • Emails from your bank informing you money has been credited into your account – these catch out even the wary due to their unusual nature and unthreatening tone.
    • Banks don’t send out debit, credit or overdraft alerts via email.
  • Emails from oldfriend@freewebmail.com (often Yahoo, Hotmail etc.) saying they are stuck in some distant land without passport or money.
    • This email is likely to have been sent from your friend’s email account, but the account was hacked, probably because it had a simple password, and all their contacts have received this demand.
    • The demand will often contain a different reply address, a link to a web site or a foreign mobile phone number.
    • Free webmail accounts are usually targeted because it’s easy for the criminals to guess the bit after the @ sign and just use lists of names for the prefix.
  • Online surveys and competitions from companies you don’t normally trade with.
    • These are used to gather sensitive personal information that can be used for an even more “convincing” socially engineered attack.
    • If you give away your full name, age, address or even just the name of the financial institution you bank with, these will all help a would-be criminal.
    • Use an approximate, not exact, date of birth on social websites etc. It’s nice to be wished Happy Birthday, but not if everyone else on the site can use that fact and your age to calculate your date of birth.

If you receive an email you think is genuine, ask yourself the following questions:

  • Am I expecting this email?
    • A “yes” does not automatically mean the email is safe; continue with the checks below.
  • Do the reply address AND the sender’s FULL address match the claimed sender?
    • E.g. if the sender says “amazon.co.uk” but either of the addresses is not “amazon.co.uk/.com” then be immediately suspicious. Recent examples show a displayed sender of orders@amazon.co.uk with a real sender of first.lastname at yahoo.com. Hint: Amazon don’t send out order confirmations from Yahoo!
  • If there are links in the email and I hover the mouse over them (don’t click – just “hover”), does the email client/browser show a sensible web address for the link?
    • The link in the email may say “http://tracking.dhl.com” or “click here to track your parcel”, but when you hover does the displayed web address look sensible? If (e.g.) hovering over “http://tracking.dhl.com” displays (e.g.) “http://blog.wordpress.com/themes/church/77hj.php” there is definitely something very dodgy about that email. If in doubt, go to the supplier’s/shipper’s website manually, type in the tracking number yourself and don’t use ANY links.
  • Is there an attachment?
    • If yes, what type is the attachment (e.g. PDF, ZIP etc.) and does it match the expected content? Invoices, for example, are often sent in PDF format – never ZIP; holiday photos as JPG, etc. Don’t trust the icon of the attached file.
    • Watch out for hidden or obfuscated attachment types. Just because the file is called “invoice.pdf” and has a PDF reader icon, if you have extension viewing turned off in Windows (the dangerous default) you might not see that the file is actually “invoice.pdf.exe” with a faked reader icon. I recommend that everyone (who can) turns off the hiding of file extensions.
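The three questions that can be answered mechanically (does the real sender match the claimed one, does a link go where its text says, and is the attachment really what its name suggests) can be scripted for triage. What follows is an added example, not code from the original post; it is written in Python using only the standard library and assumes the message is available as raw text (for example, saved from the mail client as an .eml file). The two sample messages inside it are constructed to mirror the examples in the lists above, with example.com/example.net addresses as placeholders, and the domain and file-extension lists are deliberately short (a production tool would use the Public Suffix List and a fuller extension table).

```python
"""Triage checks for a suspicious email: sender vs reply address, link text vs
real target, and attachment names that hide a program. Added example, not the
post's own code; assumes the raw message text is available (e.g. an .eml file)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows will run as a program, and ones that look like harmless documents.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}
# Hand-picked suffix list so that "orders@amazon.co.uk" inside a display name is spotted as a domain.
DOMAIN_RE = r"[\w-]+(?:\.[\w-]+)*\.(?:com|co\.uk|org\.uk|net|org|uk)\b"


def registrable_domain(host: str) -> str:
    """The 'company' part of a host name: tracking.dhl.com -> dhl.com, www.amazon.co.uk -> amazon.co.uk.
    Simplified on purpose; a real tool would consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_headers(msg) -> list[str]:
    """Compare the address shown to the reader with the address mail is actually sent from / replied to."""
    findings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    if msg.get("Reply-To"):
        reply_dom = parseaddr(str(msg["Reply-To"]))[1].rpartition("@")[2].lower()
        if registrable_domain(reply_dom) != registrable_domain(from_dom):
            findings.append(f"Reply-To is at {reply_dom} but From is at {from_dom}")
    for claimed in re.findall(DOMAIN_RE, display_name.lower()):
        if registrable_domain(claimed) != registrable_domain(from_dom):
            findings.append(f"display name mentions {claimed} but the real address is at {from_dom}")
    return findings


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def check_links(msg) -> list[str]:
    """The 'hover' test: flag links whose visible text names one domain while the href goes elsewhere."""
    findings = []
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return findings
    collector = _LinkCollector()
    collector.feed(html.get_content())
    for text, href in collector.links:
        target = urlparse(href).hostname or ""
        shown = re.search(DOMAIN_RE, text.lower())
        if shown and registrable_domain(shown.group(0)) != registrable_domain(target):
            findings.append(f"link text shows {shown.group(0)} but points at {target or href or '(nothing)'}")
    return findings


def check_attachments(msg) -> list[str]:
    """Flag programs, programs dressed up as documents (invoice.pdf.exe), and ZIPs."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = ["." + e for e in name.split(".")[1:]]  # every extension, not just the last one
        if exts and exts[-1] in EXECUTABLE_EXTS:
            disguise = " disguised as a document" if set(exts[:-1]) & DOCUMENT_EXTS else ""
            findings.append(f"attachment {name} is a program ({exts[-1]}){disguise}")
        elif exts and exts[-1] == ".zip":
            findings.append(f"attachment {name} is a ZIP; invoices and confirmations do not arrive as ZIP")
    return findings


def triage(raw_message: str) -> list[str]:
    """Run all three checks over one raw message; an empty list means nothing obvious was found."""
    msg = message_from_string(raw_message, policy=policy.default)
    return check_headers(msg) + check_links(msg) + check_attachments(msg)


# Constructed sample modelled on the post's examples; not a real message.
SUSPICIOUS = """\
From: "orders@amazon.co.uk" <first.lastname@yahoo.com>
Reply-To: parcel-desk@example.net
To: you@example.com
Subject: Your order has been shipped
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/html; charset="utf-8"

<p>Confirmation attached. Track here:
<a href="http://blog.wordpress.com/themes/church/77hj.php">http://tracking.dhl.com</a></p>
--sep
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--sep--
"""

# Constructed genuine-looking counterpart: names, addresses and links all agree.
GENUINE = """\
From: "Amazon.co.uk" <ship-confirm@amazon.co.uk>
To: you@example.com
Subject: Your order has been dispatched
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>View it at <a href="https://www.amazon.co.uk/orders">https://www.amazon.co.uk/orders</a></p>
"""

if __name__ == "__main__":
    for line in triage(SUSPICIOUS):
        print("WARNING:", line)
```

Running it on the constructed message reports all four problems the post describes: the reply address on a different domain from the sender, a display name claiming amazon.co.uk over a Yahoo address, link text naming dhl.com while the real target is wordpress.com, and an “invoice.pdf.exe” attachment. The genuine counterpart produces no findings. None of this replaces the judgement described above, and an empty result does not mean an email is safe; it only catches the crude mismatches.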

It’s a sad fact that even the most expected and genuine “looking” emails can still be fakes – especially if sent from a hacked email account of someone you would normally trust.

Other tell-tale signs of issues with your PC are:

  • Your normal web search page is replaced with another (possibly similar looking) one. E.g. www.google.co dot uk gets replaced with (e.g.) www dot myhotsearchbar dot com
  • Pop-up messages that appear in the centre of the screen (most system information ones appear lower right)
  • PC running more slowly
  • Unable to open regularly used files, or they open in the wrong application.

I cannot stress enough the importance of backing up office documents, files, photos and anything important. Do so using either a corporate backup solution or an offline backup system. If you back up to a USB disk, have more than one disk, rotate them and ensure your backup is done using backup software – a simple file copy may not help if a miscreant virus deletes or encrypts all documents and photos from every location it can find, because that will include the backup drive when it is connected!

If you need further advice about some of the steps, including education, that your business can use to reduce these threats and risks then please don’t hesitate to get in touch.
