Showing posts with label PHISHING.

Sunday, May 01, 2016

Another campaign with virus/trojan-laden emails

For the last couple of days I have been receiving a number of emails with file attachments. They are from people I don't know, claiming I have unpaid invoices, or they appear to come from me with file attachments. It doesn't matter: when I get email from unknown people with attachments I never open them. When they are "from me" I know exactly every note I send myself, and I don't open something I don't remember sending. I checked a number of sites with the note information and found that the attachments are full of nasty programs that will take over your computer.

Notes:

  • If you get email with an attachment from someone you don't know, never indulge your curiosity by reading the file; delete the email and empty the trash.
  • If you get email from someone you know but are not expecting, contact them first and verify that they actually sent the email. Don't use any links inside; use your own contact list. If they didn't send it, delete it immediately and empty the trash.
  • If you get email that claims to be from you and you don't remember sending it, delete it immediately and empty the trash.

My ISP flagged them as SPAM.

Example of the text claiming you owe them money (the attachment is actually trojan-laden).

Monday, May 14, 2012

It does not matter what O/S you use when it comes to malware

Now that Apple users have had a reality check on how secure their O/S really is, having been hit with Flashback, we all may want to think about securing our machines. It does not matter what O/S you run, we can all have our machines taken over by malware. A few things that we all should be doing to at least slow down malware and make the lives of malware authors a bit harder:

  • Keep your machines up-to-date by applying patches when they are available.
  • Never open attachments from people you don't know, and be skeptical about attachments when you get one from someone you know and you didn't ask for that file.
    • Assume that senders are not as vigilant and check with them before opening.
    • Assume that the from account name was forged.
  • Never believe a popup window in your browser stating your software is out-of-date and offering to install the update via that convenient link.
  • Never believe those popups or messages while browsing claiming they scanned your system and you are (or could be) infected.
  • Never run an account with admin privileges. Create a simple user account that cannot add, change or delete programs.
  • Do regular backups of your files. External USB hard drives are inexpensive. When you are done remove the backup and do not leave it connected all of the time to your machines. If you do get malware at least you have a chance that the backup is still clean.
  • Use a simple firewall on your computer at a minimum.
  • If your router has the option to enable a firewall then use that firewall too.
  • Assume that your machine will get taken over and make plans on how you will rebuild your system and recover your documents.
  • Install, use and keep up-to-date an anti-virus package and scan on a regular basis. It really does not matter now what O/S you use, assume malware writers can take over your machine.
  • If someone hands you a CD, DVD, USB memory stick or USB drive, scan it before doing anything else. Never assume that the media is clean.

At home every machine is running A-V software (for Windows I like AVG as it gives good protection, runs fast and is not a resource hog).

I assume that sooner or later one or more of my computers at home will get infected and I will have to wipe and rebuild the system(s).  I do run backups on all of the machines so while I may lose some recent documents or email it won't be a total loss.

Thursday, June 02, 2011

Linux on a USB stick

For the last couple of months I have been playing with a variety of Linux distros, but they are running on a USB memory stick. I found a nice program, UNetbootin, that allows me to download and then install on the memory stick a number of Linux distros. You have the option of having the program download the ISO itself or you can point it to the ISO image on your machine. The program does everything else for you and at the end you have a bootable Linux.

I find this tool to be extremely useful as I can quickly test out a new distro and not waste CDs if the distro does not meet my needs.  I have two sticks right now with Linux.  The first stick for now is SABAYON and the 2nd will be for a security and recovery distro.  I need the second stick as friends and neighbors have problems with viruses, trojans and spyware getting on their machines and I figure a secure Linux distro that can help me clean this up will be very useful.

Friday, December 18, 2009

Five years of spam tracking

After 55 months of tracking spam on Yahoo I think I will finish my tracking of the mail.  Over the time I received almost 19,000 emails of which less than 7,000 were legit.  Over this year the rate has improved to almost 70% legit mail.  Spam and phishing emails are still a problem, but, with the various providers working on their filters and the authorities shutting down the spammers things are improving.

Year    Legit mail    Share of total mail
2005    1000          50%
2006    1700          22%
2007    1800          31%
2008    1500          69%
2009    1000          70%

Monday, September 21, 2009

SPAM - Unfortunately it is making a comeback

It has been a while since I talked about spam. The last time I noted that the amount was dropping and most of my email was legit. Well, that has changed in the last two months. I have noticed that the volume of spam is now rising and most of my email is now spam. Yahoo has excellent filters, but I have had at least one message a week getting through, so the spammers are now figuring out how to get past the filters. Google is still good as I don't remember getting anything that was spam in my legit inbox, but I notice there are a lot more spam messages. The last provider is Bell and I am getting about 1 or 2 emails a month that get through, but I flag them as spam so that Bell can update their filters.

This will be a continuing battle between ISPs and the spammers. The thing is that the ISPs can mostly only react after the fact, so there is always a small window of opportunity for spammers to hit your inbox. You can help by using the email filters that your ISP provides, and when one does get through, flag it so that they can update the filters. When you do get a message, don't click on the 'unsubscribe' button if it is provided, and don't reply to their 'unsubscribe' email address if provided. All you do is confirm that your account is live, and we can almost guarantee that you will actually receive more spam rather than less.

I may be paranoid, but, keep your anti-virus, anti-spyware and firewall up-to-date. These spammers may also try to embed scripts or auto-launch programs that will install software on your machine and take it over and add it to their bot network.

You can look at ClamAV and Malwarebytes Anti-Malware as a starting point for securing your systems. Secunia also has a good package called PSI that will scan your system to see what is out-of-date, vulnerable, etc. and allow you to keep your system up-to-date. I use these on my home PC when I start up the dual-boot system to run Vista and not Linux.

Update (2009/09/22):
I am now running AVG on my Vista partition.  It seems to do a bit better on the detection of malware and does not impact the performance of the machine in any noticeable way.  I will be still keeping Clam on the Linux portion as I can then use that to scan my external HDD or USB sticks while staying in Linux.

Saturday, June 20, 2009

New Phishing scam - CRA

Earlier this week I got a mail from what purported to be the CRA (Canada Revenue Agency). Looking at the email I saw a grammar error and the way the email was addressed made it look like a scam. My ISP also flagged it as a possible scam. I didn't click on the attached link, but, put my mouse over it to see what the link would resolve to. The proper URL for the CRA is WWW.CRA-ARC.GC.CA. This one had that and a bit more, namely the URL went to a '.COM' site. As this was a new scam to me I forwarded the note to RECOL and reported it as a scam/phishing attempt.

It failed in a few areas:
  • The subject was 'recalculation of you tax refund'. They used 'you' instead of 'your'.
  • It was addressed to 'Dear Applicant' rather than my proper name.
  • The URL provided did not end in GC.CA but went to a .COM site, which the Government of Canada does not use.
  • I had already got my tax refund, and I know that the CRA does not have my main email address for correspondence as I prefer hard-copy rather than email from them.

When I got home I opened the site using Linux as it was fairly safe from trojans and viruses. It asked the following questions:
  • Name and address
  • Date of birth
  • Mother's maiden name
  • Phone number
  • Email address

One of the first things Firefox did was to warn me that this was a site reported for web forgery. If you don't have Firefox I would advise you to download and install this browser ASAP as it is a second level of defense.

Again, if you get an email that claims to be from the government, bank, insurance company or anyone else asking you to key in personal information do not ever use the attached URL, go to their site yourself (using a link you know is legit).

Saturday, March 28, 2009

It has been quiet... too quiet

Not much has been happening here. It is now almost tax time and there are no Linux versions of any tax preparation software for Canada so far. I broke down and picked up QuickTax and installed it on my Vista partition. To say that I am unhappy about this would be a slight understatement. I can understand in a way that companies will cater to the largest segment of the O/S market, but, figure out what has to be anchored to the O/S and what can be independent. If you do that you should be able to market to Linux, OS/X along with Windows and gain a slight competitive advantage by grabbing market share from those of us who use anything but Windows.

On the Linux Distro side I have been playing a bit with KUbuntu. I like the look and feel of it and the latest distro actually booted up on my Dell box. There will be a bit more playing around here to see if
  • Runescape will play
  • My graphic card can be used to its fullest
  • TV tuner
  • my Palm will work
  • Scanner will work (XSANE)
  • Web Camera
  • Software to organize my photo library
KDE 4 looks nice and clean, but, I want more than eye-candy, I want all of my hardware to work to its fullest.

Another little thing, and maybe someone out there can point me to the right place. A little while ago I was the photographer at my daughter-in-law's baby shower and I took two videos. The camera stored them in AVI format. Linux does not have a problem showing me those, but they are massive files and I cannot upload 200+ meg videos to Facebook to share with the family. I looked quickly at the video editing software, but I cannot see how I can convert AVI to MPG format and lower the size of the video. I don't want or need 640x480 to show family members some of the funny portions of the party, I just want to be able to share a small, easily downloaded video.

Now about one of my favorite topics, SPAM email. So far this year it has been a minor problem unlike other years (less than 30% spam rate now). However, I have noticed the scams have been getting much better, both in grammar and spelling. When you get a notice that purports to be from your bank, insurance company or ISP wanting private information or asking you to re-enter your security information... DON'T. Never click on any link supplied; use one you type directly into a browser or saved previously in a bookmark. Keep your system up-to-date with all patches, run a virus scanner and have a firewall installed and running.

Wednesday, December 31, 2008

Year end 2008

It is now the last day of 2008 and it has been some time since I talked about spam. This year marked a real drop in the number of spam messages that I have been tracking in Yahoo, but all my other accounts now get regular spam emails. The troubling part is that they are looking much better than a few years ago and it appears that the spammers are targeting a more select group rather than doing a blanket spam.

Since I started tracking spam mail in June 2005 I have now received a total of 17,579 emails, of which 11,589 were spam. That leaves 5,990 (34%) that were legit mail I asked for. The upside is that this year 69% of my mail was legit (1,529 emails).

A few things that I keep telling everyone and that bear repeating here:
  1. If you get mail that purports to be from anyone asking you to re-enter or re-verify your account information, never click on the link provided. Go directly to their site yourself and check there.
  2. Keep your firewall up-to-date and active. If you don't have a firewall, get one and install it. There are a number of good free firewall packages out there.
  3. Keep your anti-virus up-to-date and active. Again, if you don't have this software, get one and install it. Like #2 there are a number of excellent packages out there for free that you can download.
  4. Keep your Operating System (O/S) up-to-date and apply all patches immediately. It does not matter what O/S you run, keep your system up-to-date.
  5. Keep a good set of backups. Even if you follow #2-4, hardware does fail at times and having a good current backup will go a long way to restoring all of your critical files.
  6. If you get an email that sounds too good to be true... it probably is.
  7. Never open file attachments when you don't know who the sender is. Even if you know the sender, check the file first with a current virus scanner and then check with the person before trying to open the file. You are not paranoid, just prudent, if you check before doing anything with that file.
  8. Enable viewing of the file name extension. Some of the nasty packages are really '.EXE' but show '.ZIP' at the end of the name, hoping to trick you into trying to open the package.
  9. Change your passwords on a regular basis. Some people use passwords that have never changed in years, use post-it notes with the account and password, or make an easily guessed password. You can make passwords that are hard to guess but easily remembered. If a cracker can guess your account password then they can use your identity for whatever purposes they want.

Sunday, October 19, 2008

Another scam/spam

My wife received an email last week that purported to be from United Airlines. Even though we run Linux she didn't want to open it up until I had a chance to check it out.

The subject line was [Your Online Flight Ticket N 24097] and the contents of the message were as follows:
Good day,
Thank you for using our new service "Buy airplane ticket Online" on our website.
Your account has been created:

Your login: **Removed**
Your password: **removed**

Your credit card has been charged for $947.90.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
United Airlines
The first thing I did was to check our credit card to make sure that we were not the victims of identity theft; fortunately we are not. I then checked the file attachment and it showed 'E-ticket.zip.exe'. I checked this out via Google and found out that there has been a scam for the last year with variants on the subject for other airlines. Fortunately we don't use Windows so we are fairly safe from the payload. I forwarded a note to United Airlines and, to quote their reply:
Mr. Traynor, please know that the e-mail you have received is not legitimate as it is not sent by United Airlines.  I would request you not to open any attachment or provide any personal information.  Rest assured that I have forwarded your concern to our Fraud Investigation Department for their review and investigation.

We truly value your business and always look forward to serving you again.
Just a heads up for everyone: when you receive something like this, do not open the attached file if you are not sure that you are the correct recipient. I would assume that the people behind this are hoping that people are curious enough to open the package and then take over their machines. I also like the fact that United Airlines replied so quickly that the email was not legit and forwarded a copy to their fraud department.
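The 'E-ticket.zip.exe' attachment above is the double-extension trick from point 8 of the year-end post: with "hide extensions for known file types" on, Windows shows 'E-ticket.zip' while the part that actually runs is '.exe'. The script below is an added example for both passages, not the blog author's code; it shows what such a name looks like with extensions hidden versus what the operating system will act on. The extension lists and sample names are my own constructed choices.

```python
"""Spot attachment names that hide an executable behind a harmless-looking
extension, such as 'E-ticket.zip.exe'.

Added example, not the blog author's code. Sample names are constructed.
"""
import os

# Extensions Windows will run directly when the file is opened (my selection).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
# Extensions a reader expects to be plain data; these are the usual bait.
BAIT_EXTENSIONS = {".zip", ".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}


def true_extension(filename: str) -> str:
    """The extension the operating system acts on: always the last one."""
    return os.path.splitext(filename)[1].lower()


def displayed_name(filename: str) -> str:
    """What the file looks like when extensions for known types are hidden."""
    return os.path.splitext(filename)[0]


def assess_attachment(filename: str) -> dict:
    """Describe how a name looks with extensions hidden versus what will run."""
    ext = true_extension(filename)
    shown = displayed_name(filename)
    # Padding spaces are sometimes used to push the real extension out of view,
    # so strip them before looking at the bait extension.
    bait = os.path.splitext(shown.rstrip())[1].lower()
    executable = ext in EXECUTABLE_EXTENSIONS
    return {
        "name": filename,
        "true_extension": ext,
        "shown_as": shown,
        "executable": executable,
        "double_extension": executable and bait in BAIT_EXTENSIONS,
    }


# Constructed samples: the first is the name from the post, the rest are made up.
SAMPLE_ATTACHMENTS = [
    "E-ticket.zip.exe",
    "invoice.pdf",
    "photo.jpg                 .scr",
    "report.docx",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        r = assess_attachment(name)
        flag = "DOUBLE EXTENSION" if r["double_extension"] else ("executable" if r["executable"] else "data file")
        print(f"{r['name']!r:36} shown as {r['shown_as']!r:28} runs as {r['true_extension'] or '(none)':6} {flag}")
```

The point of `displayed_name` is that with extensions hidden the first and third samples look like a ZIP archive and a photo; only `true_extension` tells you they would be run as programs. Turning extension viewing on, as the list recommends, makes that visible without any tooling.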

Update - 2008/12/15

CERT has a security notice about this, you can learn more about this scam by clicking on airline ticket email scam.