The difference between virus and spyware is a real grey area. Many anti-malware tools excel at stamping out one, but can let the other slip through. Because of this, I try to caution my users not to assume our lines of defense are infallible. ABC: always be cautious.

This malware attempt was so transparent it was ridiculous. I’m glad my constituency was not fooled and instead found that they could not contain their laughter as they forwarded it to me. This is officially the worst attempt I have ever seen.

From: Jane Doe <jane.doe@company.com>
Date: February 23, 2010 8:28:14 AM GMT-03:00
To: Jane Doe <jane.doe@company.com>
Subject: A new settings file for the jane.doe@company.com has just be released
Dear use of the company.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox jane.doe@company.com settings were changed.

In order to apply the new set of settings open this file:

http://irai.nerim.net/settings.exe

Best regards, company.com Technical Support.

At the risk of improving the techniques (educational mockery?) of any script kiddies out there, let’s break it down:

  • From self, to self.
    • Usually a major red flag. If sender headers were to be masqueraded legitimately, it would likely be as an IT-related mailbox, not as the recipient.
  • Poor grammar.
    • My team is not composed of Harvard grads and we are hardly perfect with “the King’s English”, but clearly this was done by someone of a foreign tongue.
  • Unnecessary exclamations!
    • Dear user, we don’t often get that excited!
  • Settings file?
    • Most mail systems do not have a “settings file”, and if it did, many users would have no idea where to place it. Sure there are “settings”, but if it were us, we would provide specific menu paths if settings needed to be altered.
    • Furthermore, if settings did need to change, we would make every effort to warn users ahead of time rather than announce after the fact.
  • No specificity.
    • The “company mail system”?!? Best not to overwhelm the novice user with geek-speak, but I think most users would have at least expected to see some slip through. Maybe a casual reference to the “Exchange” mail system, or a brief mention of what security changes were implemented. The lack of any details is telling. This could have been sent to any person at any company, and probably was.
  • A link to an EXE.
    • Another major red flag. People have learned that executables are non grata. Better attempts would hide the EXE link behind a well-disguised and seemingly harmless URL, because Outlook and IE do not easily divulge the destination before clicking. But this blatant attempt was easy to spot from the beginning, since the link text matched the link target and there was no scheme to hide the true nature of the evil-incarnate URL.
  • Anonymous support organization.
    • IT departments can go by many names. “Technical Support” may describe the function, but it’s equally likely that the group is “IT”, “MIS” or some other permutation. It would be tough for a skiddie to guess right. But I would go so far as to say that while automated processes might send out mail from a generic account, no significant announcements would be signed by an organization as a whole. “Bob” or “Ted” might be a better tactic, but then you have to hope that you guess the name of an IT employee or that the org is so large and faceless that the average user does not know everyone by name.
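The red flags in the list above are mechanical enough that a mail gateway or a help-desk triage script can check for most of them. The following Python is an added example written for this post, not code from the original author: it parses a raw message, tests the indicators the post names (self-to-self headers, a link to an executable, exclamation marks, a “settings file” lure, no named product, a signature from an anonymous organization) and sums them into a score. The two sample messages are constructed for the example; the first mirrors the message quoted above, the second is an invented benign notice from a named IT person. The indicator names, the regexes and the alert threshold of three are assumptions for illustration, and the “poor grammar” flag is deliberately left to a human reviewer rather than guessed by regex.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message quoted in the post
# (a blank line is added after the headers so the parser separates the body).
PHISH_SAMPLE = """\
From: Jane Doe <jane.doe@company.com>
To: Jane Doe <jane.doe@company.com>
Subject: A new settings file for the jane.doe@company.com has just be released

Dear use of the company.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox jane.doe@company.com settings were changed.

In order to apply the new set of settings open this file:

http://irai.nerim.net/settings.exe

Best regards, company.com Technical Support.
"""

# Constructed benign counterpart: named sender, named product, no link to an executable.
BENIGN_SAMPLE = """\
From: Bob Smith <bob.smith@company.com>
To: Jane Doe <jane.doe@company.com>
Subject: Outlook settings change on Friday

Hi Jane,

On Friday we will update the Exchange connection settings. Nothing is needed from you.
Open Outlook > File > Account Settings if you want to confirm afterwards.

Thanks,
Bob, IT Helpdesk
"""

# File extensions that should never arrive as a "click here" link in a settings notice.
EXEC_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".msi", ".hta")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Signature lines that name a function instead of a person.
GENERIC_SIGNER_RE = re.compile(r"(?i)\b(technical support|support team|administrator|mail(ing)? service)\b")
# A vague "mail service/system" reference with no concrete product name anywhere.
VAGUE_SYSTEM_RE = re.compile(r"(?i)\bmail(ing)? (service|system)\b")
NAMED_PRODUCT_RE = re.compile(r"\b(Exchange|Outlook|Office 365|Gmail|Lotus Notes)\b")
SETTINGS_FILE_RE = re.compile(r"(?i)\bsettings? file\b|\bopen this file\b")


def phishing_indicators(raw_message: str) -> dict:
    """Return a dict of indicator name -> bool for one RFC 822 message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    subject = msg.get("Subject", "")
    text = subject + "\n" + body
    lines = [line.strip() for line in body.splitlines() if line.strip()]
    signature = lines[-1] if lines else ""
    urls = URL_RE.findall(text)
    return {
        # "From self, to self": sender and recipient are the same mailbox.
        "self_to_self": bool(sender) and sender == recipient,
        # "A link to an EXE": any URL whose path ends in an executable extension.
        "executable_link": any(u.lower().rstrip(".,)").endswith(EXEC_EXTENSIONS) for u in urls),
        # "Unnecessary exclamations!"
        "exclamation": "!" in body,
        # "Settings file?": the lure asks the user to open a file.
        "settings_file": bool(SETTINGS_FILE_RE.search(text)),
        # "No specificity": talks about the mail system but never names it.
        "no_specifics": bool(VAGUE_SYSTEM_RE.search(text)) and not NAMED_PRODUCT_RE.search(text),
        # "Anonymous support organization": signed by a function, not a person.
        "generic_signature": bool(GENERIC_SIGNER_RE.search(signature)),
    }


def phishing_score(raw_message: str) -> int:
    """Number of indicators that fired (0..6)."""
    return sum(phishing_indicators(raw_message).values())


def is_suspicious(raw_message: str, threshold: int = 3) -> bool:
    """Assumed policy: three or more indicators warrants quarantine or a second look."""
    return phishing_score(raw_message) >= threshold


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, phishing_score(sample), phishing_indicators(sample))
```

Run as-is, the quoted message trips all six indicators while the benign notice trips none; in practice the score would feed a gateway rule or a help-desk dashboard, and the threshold would be tuned against real traffic rather than fixed at three.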

This message probably did not fool many. Quite the opposite for my users, since it was a comprehensive example of all the things I warn them to look for when deciding whether something is legit or not.
