
New Targeted E-mail Attack Hits Business Execs

CowboyNeal posted more than 7 years ago | from the careful-what-you-click-on dept.

Security 100

Erik Larkin writes "The same scammers who have been sending out the faked but highly convincing BBB and IRS e-mails are now targeting named victims with a new variety of e-mail that looks like a business invoice. Our editor-in-chief was sent one here at PC World."


100 comments


Money to be made (5, Funny)

Realistic_Dragon (655151) | more than 7 years ago | (#19531709)

Finally, a profitable application of the peter principle.

Linux on a PowerBook... (your sig) (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#19535123)

Shouldn't that be "a velvet glove with iron spikes on the inside"?

CHARLES.. (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19531713)

HE HAS A LICKING PROBLEM!

Re:CHARLES.. (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19531847)

This "CHARLES" intrigues me. Please send more info.

It's about time... (4, Interesting)

eneville (745111) | more than 7 years ago | (#19531729)

I think it would be wise for companies to switch to use something like GPG and keep keys safe. The sooner this happens the sooner scammers will have a more difficult job with this style of social engineering.

Re:It's about time... (2, Insightful)

Anonymous Coward | more than 7 years ago | (#19531783)

Not going to happen.

Best practice or not, it simply will. not. happen.

Re:It's about time... (2, Funny)

eneville (745111) | more than 7 years ago | (#19532439)

Not going to happen.

Best practice or not, it simply will. not. happen.

I don't see why not. I'm thinking I might implement this at work next week; we can easily put our public key on the "about us" page as a matter of customer protection against fraud. It's not a big deal to sign all our outgoing mail. It's not something that could have any problems; if anything, I've noticed the mere signing of email causes Outlook to put a nice rosette against the mail, so it can't possibly cause any problems for us.

Re:It's about time... (1)

Opportunist (166417) | more than 7 years ago | (#19537187)

Simple. Managers and "high tech" like encryption. Add that the same applies to their business partners and you'll see why it can't fly.

First of all, it would be a lot of work to convince your managers that it's necessary, and you're putting your job at risk with it, too. The reason is simple: You will be responsible when something bad happens regardless. And it will. Because you said it's safe. Not to mention that you put burden on your manager, someone who can make your life rather miserable quite easily, and has possibly a bit to say when it comes to choosing the next guys to leave the company in the next lay off wave.

Yes, I know how easy it is to add PGP to Outlook, it's still some change after they finally got used to the way it works now.

And second, your business partners are exactly in the same boat. They, too, don't have PGP installed. If you demand now that any kind of invoice or offer comes PGP encrypted and signed, your manager will (rightfully) object that this loses you business. Because the managers on the other end of the line think the same way: It's more hassle to deal with it (in this case, to deal with this company), so we'll move on to the next that doesn't require us to jump through hoops to do business with them.

Re:It's about time... (0)

Anonymous Coward | more than 7 years ago | (#19538087)

That seems logical, imho it should be built into the protocol. Perhaps a ng(next-gen)smtp and pop5?

Yes, pop4 is around, but it's stagnated. wdyt?

The simple way to avoid malware. (0, Flamebait)

Farfnagel (898722) | more than 7 years ago | (#19531773)

Don't use Microsoft Crapware. Problem solved.

Re:The simple way to avoid malware. (1, Flamebait)

zenlessyank (748553) | more than 7 years ago | (#19531813)

Hmm, well then please sell me your operating system that you have made. Smartass.

Re:The simple way to avoid malware. (1, Insightful)

Anonymous Coward | more than 7 years ago | (#19531961)

Eh, don't mind him. He's just a fanboy who has no idea of how business actually works.

And for what it's worth, I have a Linux box myself - and I work in IT for a Fortune 100 company. I know what it takes to deploy and support applications on a big scale.

While Linux may in fact be a better option, in almost every case, it's just not a practical one, and in business, you have to do what makes the most sense for the most people from a practicality standpoint, though I'm sure some people will beg to differ with me.

Re:The simple way to avoid malware. (2, Insightful)

natmakarvitch (645080) | more than 7 years ago | (#19532179)

Linux is not mandatory to use GPG. It runs dandy under MS-Windows and MacOS and there is a bunch of thingies to let most users benefit from it in a more-or-less transparent fashion.

Re:The simple way to avoid malware. (1)

ehrichweiss (706417) | more than 7 years ago | (#19533473)

You can integrate it with Thunderbird as well. I know most companies don't use non-M$ email clients but the more widespread it is the better.

Why is this sophisticated? (4, Informative)

yohanes (644299) | more than 7 years ago | (#19531789)

It is still using the same method. The only difference is that they don't include spelling/grammar errors, and use the correct recipient and business name (how hard is that to find?). They are still using the same ".doc.exe" file names, which is very easy to spot.

Re:Why is this sophisticated? (1)

Joe The Dragon (967727) | more than 7 years ago | (#19531825)

You don't need doc.exe file names; people have sent faked bills and some businesses end up paying them.

Re:Why is this sophisticated? (3, Informative)

Anonymous Coward | more than 7 years ago | (#19531863)

Faked bills are an old scam.

Similar to this one...

-Years ago, we used to have guys that would come to "check" the fire extinguishers in the office.
-They would do their thing, and wait for the receptionist to pay from petty cash.
-Only problem... They weren't OUR fire extinguisher guys.
-We sometimes would get guys coming around every other week. /blah, blah, profit

Re:Why is this sophisticated? (5, Insightful)

rucs_hack (784150) | more than 7 years ago | (#19531853)

No, no it isn't easy to spot.

Not if either of two conditions apply.

1: You are an idiot with computers.
2: The default 'do not show file extensions for known file types' is on for explorer.

Whoever thought that last was a good plan should have been shot. Without file extensions visible, people can simply not realise that they are about to run an executable. Plus some wouldn't know all the many executable file extensions for windows anyway.

Re:Why is this sophisticated? (3, Informative)

jez9999 (618189) | more than 7 years ago | (#19531925)

2: The default 'do not show file extensions for known file types' is on for explorer.

Whilst this is annoying (I disable it as I like to SEE my files' extensions), it doesn't prevent you checking for 'trick' filenames, actually. Any filename that appears to have an extension ('mywork.doc') has a double-extension, so you should be VERY suspicious.

Re:Why is this sophisticated? (2, Insightful)

LiquidFire_HK (952632) | more than 7 years ago | (#19532255)

Yes, but the ordinary user (exactly the type of user that is likely to have file extensions hidden) will probably not realize this. They have seen extensions in some places, and none in others - they'll simply ignore this potential giveaway.

Re:Why is this sophisticated? (1)

nEoN nOoDlE (27594) | more than 7 years ago | (#19533229)

In any case, even if the extension is hidden, you usually know what filetype it is by the icon. An exe won't have the same icon as a word doc file, and these people who get real doc attachments see the icons for word doc files all the time so they should be suspicious if the file they're opening doesn't have it.

Re:Changing the icon is trivial (0)

Anonymous Coward | more than 7 years ago | (#19534607)

It is trivial to change the icon of an executable (or anything else) so it looks like a safe file type, so don't rely on the icon.

Re:Why is this sophisticated? (2, Informative)

Opportunist (166417) | more than 7 years ago | (#19537197)

Actually those files do have the word .doc file standard icon. Unless, of course, it's a .pdf.exe, in that case it will have the standard Adobe Acrobat one.

It's trivial to add an arbitrary icon to an executable. Actually, that's a feature of pretty much every standard compiler on Windows.

Re:Why is this sophisticated? (2, Insightful)

dubbreak (623656) | more than 7 years ago | (#19532043)

The default 'do not show file extensions for known file types' is on for explorer.

That shouldn't even matter. Why can they run anything? Why is Outlook allowing them to open exe files?

If #1 is true (it is where I work, a gov agency, different country), then don't let them make decisions on whether to open a file, have the system do that. You don't let mentally retarded people drive a car, so why let you average idiot choose what to run on a computer?

Re:Why is this sophisticated? (1)

Opportunist (166417) | more than 7 years ago | (#19537221)

Why is Outlook allowing them to open exe files?

Because saving it and executing it from explorer is first of all actually a non-trivial task for those people and it wouldn't help at all.

Imagine file extensions are turned off. So bogus_file.doc.exe is shown as bogus_file.doc, and has a Word-document like icon. When that file is now saved, it will appear as bogus_file.doc in the explorer.

Re:Why is this sophisticated? (1)

yuna49 (905461) | more than 7 years ago | (#19540657)

Even more pertinent, why is the mail system set up to deliver executable files to users in the first place?

Every system I've ever installed for clients blocks executables at the server and puts them into quarantine. Occasionally some doofus, sadly usually some IT consultancy, wants to send an .exe file with patches, updates, etc. (I'm always amazed how often these people say that we're the only ones who don't accept executables by default. What kind of consultants are they?) Usually the IT manager has whitelisted permissions to receive executables; everyone else, forget it.
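The two checks discussed above, jez9999's double-extension rule and yuna49's "block executables at the server, allow-list the few who need them" policy, as an added Python example that is not from this thread or from any product mentioned in it. The extension lists, the allow-list address, the sample message and its payloads are constructed assumptions; the one fact relied on is that Windows PE executables begin with the bytes `MZ`, which lets the check catch a binary whose name and icon have been disguised.

```python
"""Gateway-side attachment triage: flag executable and double-extension
attachment names before delivery, and quarantine unless the recipient is
on an allow-list. Added example; everything here is constructed."""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute on double-click (constructed, non-exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".msi"}
# Document-like extensions an attacker may put in front of the real one.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".rtf", ".gif", ".jpg"}
# Hypothetical allow-list: the only mailbox permitted to receive executables.
EXEC_ALLOWLIST = {"it-manager@example.com"}


def classify_filename(name):
    """Return a reason string if the attachment name is dangerous, else None."""
    lowered = name.lower().strip()
    base, last = os.path.splitext(lowered)
    if last not in EXECUTABLE_EXTS:
        return None
    _, inner = os.path.splitext(base)
    if inner in DOCUMENT_EXTS:
        # 'invoice.doc.exe' is shown as 'invoice.doc' when extensions are hidden
        return "double extension disguises executable as %s" % inner
    return "executable attachment"


def inspect_part(part):
    """Check one MIME part by name and by content; return (name, reasons)."""
    name = part.get_filename() or ""
    payload = part.get_payload(decode=True) or b""
    reasons = []
    by_name = classify_filename(name)
    if by_name:
        reasons.append(by_name)
    # A PE file starts with 'MZ' whatever its name or icon says.
    if payload[:2] == b"MZ" and os.path.splitext(name.lower())[1] not in EXECUTABLE_EXTS:
        reasons.append("MZ header: Windows executable despite non-executable name")
    return name, reasons


def triage_message(raw):
    """Parse a raw RFC 5322 message and decide deliver / quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    recipient = str(msg["To"] or "").lower()
    findings = []
    for part in msg.iter_attachments():
        name, reasons = inspect_part(part)
        findings.extend((name, r) for r in reasons)
    if findings and recipient not in EXEC_ALLOWLIST:
        verdict = "quarantine"
    elif findings:
        verdict = "deliver-with-warning"
    else:
        verdict = "deliver"
    return {"recipient": recipient, "verdict": verdict, "findings": findings}


def build_sample(to_addr):
    """Constructed test message: a fake PE named like a Word file, a fake PE
    with a plain .doc name, and a harmless PDF-looking attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = to_addr
    msg["Subject"] = "Invoice 4711"
    msg.set_content("Please find the attached invoice.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60          # constructed, not a real binary
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="invoice_4711.doc.exe")
    msg.add_attachment(fake_pe, maintype="application", subtype="msword",
                       filename="quote.doc")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for addr in ("exec@example.com", "it-manager@example.com"):
        result = triage_message(build_sample(addr))
        print(addr, "->", result["verdict"])
        for name, reason in result["findings"]:
            print("   ", name, ":", reason)
```

The name check alone would miss `quote.doc`; the `MZ` content check is what catches a binary that has been renamed and given a document icon, which is why a gateway should look at both. Archive and Office-macro handling are out of scope here; a real filter would also unpack containers before applying the same rules.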

Re:Why is this sophisticated? (1)

dubbreak (623656) | more than 7 years ago | (#19559281)

Excellent point. There is no reason to send any exe by email in a corporation. If necessary for some reason, then it should be posted on the intranet somewhere and only a link sent via email. Allowing any exe to come in via email from externally makes no sense.

Re:Why is this sophisticated? (5, Funny)

canUbeleiveIT (787307) | more than 7 years ago | (#19532073)

Not if either of two conditions apply.

1: You are an idiot with computers.
2: The default 'do not show file extensions for known file types' is on for explorer.

But these are the same people who click "Allow" when their software firewall says "H4xoR!tR0jun.exe is attempting to access the Internet, install a malicious script, steal your personal information and have sex with your wife until she screams like a deaf girl. Permit or Allow?" There is no way to protect these people and still have their computers be useful/enjoyable for them.

You don't need to. (4, Insightful)

khasim (1285) | more than 7 years ago | (#19532351)

There is no way to protect these people and still have their computers be useful/enjoyable for them.

You don't need to.

As long as the protections cause the rate of infection to drop below the rate of disinfection, the threat will fade.

Social engineering will always be an issue. Even intelligent people can make mistakes.

The idea is to make it as obvious as possible that this is a DANGEROUS activity ...and then...
Make it as easy as possible to clean up the mess.

#1. Any time an application is launched by clicking on a file INSTEAD of going through the menu bar throw up a warning.

#2. No email program should EVER run ANY executable.

That is the primary reason that so few "viruses" exist in the wild ... for Linux. Running Ubuntu in the default configuration means that you have to:

#1. Save the attachment to your personal directory.

#2. Change the permissions on the file to be executable.

#3. Run the file.

And even with all of that the only thing in danger are your personal files (you do back them up of course). To do anything more you'd have to...

#4. Supply it with your sudo password.

The reason this is so successful is that the possibility of FAILING to run the "virus" goes UP with each step that is required. Say that each step only has a 50% possibility of being run by the average user. The other 50% of the time they realize that they're doing something dangerous and they stop.

A. Old Windows example:
#1. Double-clicking on "sex.gif" in an old version of Outlook is a single step and will succeed with 50% of the people.

B. Linux example:
#1. Saving the file to your personal directory will work with 50% of the people.

#2. Changing the permissions on the file will work with 50% of the people from step 1 (25% of the total).

#3. Clicking on the file will work on 50% of the people from step 2 (12.5% of the total)

#4. Supplying the sudo password will work on 50% of the people from step 3 (6.25% of the total).

So, 50% infection rate vs a 93.75% NON-infection rate.

Re:You don't need to. (1)

dangitman (862676) | more than 7 years ago | (#19533221)

#1. Any time an application is launched by clicking on a file INSTEAD of going through the menu bar throw up a warning.

This just worsens the problem. If you throw warnings and dialog boxes at people constantly, then they just stop reading them, and always click "Ok" or "Yes." It's not just a terrible idea, it's actually counterproductive. It's a massive problem with Windows, which seems to throw dialog boxes at you every 5 seconds for the most trivial of operations. I've seen "Are you sure you want to do the command you just asked me to do" boxes on the most stupid things.

Re:You don't need to. (1)

FJGreer (922348) | more than 7 years ago | (#19533479)

Unfortunately the only way to decrease the incredible urge most computer users have to open things they ought not to is to have companies require their users to take "Computers for Dummies" courses, and if they don't learn at least something about how their computers work they should be fired on the spot. Or just make them switch to OS X or Linux or What-Have-You where it takes a lot of hard work to screw up your computer. And at least until the virus writers get smart about Linux and Mac malware (it CAN be done, it's just hard) they will get default protection since most malware is Windows only.

However, social engineering will always work (OOh, free USB-Stick) with people. P.T. Barnum was a prophet.

Re:You don't need to. (1)

Opportunist (166417) | more than 7 years ago | (#19537277)

For reference, see Vista and pretty much every "learning" personal firewall.

The only thing people notice when those "pesky" popups appear is that whatever they want to do only works if they say "allow" all the time. So when in doubt, they will "allow". Reason: They learned that their network suddenly stopped working after a Windows update where some DLL got changed which was a necessity to make the DNS service work, but they said "deny" when it tried to contact the DNS server.

Learning effect: Better say yes if you dunno what's going on, or things stop working.

Social engineering in Linux (1)

Opportunist (166417) | more than 7 years ago | (#19537257)

Let's imagine for a moment we got those people to use Linux instead of Windows.

They get a mail, claiming the attachment enables them to run HD content under Linux, it's some supersecret, hacked AACS key thingamajig, the text makes it look like it was meant for someone else so the lucky winner of the HD player thinks he hit the jackpot.

Included are detailed instructions what you got to do to make it run, which includes sudo'ing.

Bet you my computer against an abacus that it will work. The security of a system is the minimum of the system's capabilities and the user's capabilities. It doesn't help jack to have the most secure system on the planet if a monkey is using it.

Re:Why is this sophisticated? (3, Funny)

Tunfisch (938605) | more than 7 years ago | (#19532455)

I'd tend to say that choosing between "Permit" and "Allow" is tough for just about anyone.

Re:Why is this sophisticated? (1)

Opportunist (166417) | more than 7 years ago | (#19537303)

"$program just tried to access $address on port $port, allow or deny?"

Well, what would you click? No, I won't provide info what program tried to access what address on what port, because the sentence above is exactly the information an untrained user gets out of the message! The only information he has is that something tried to do something with a server somewhere on the 'net. Is it a system dll that does some periodic check of something? Is it a scheduled task (ok, he won't even think of that)? Is it a trojan?

As long as people don't learn what those messages mean, they can just as well not exist at all. It's a cheap blame shifting trick of MS, because every infection can be brushed away with "Duh, the user said allow, how is the system to blame?"

Re:Why is this sophisticated? (5, Funny)

guywcole (984149) | more than 7 years ago | (#19532483)

But these are the same people who click "Allow" when their software firewall says "H4xoR!tR0jun.exe is attempting to access the Internet. Permit or Allow?"

If those are the only two options, can you really blame them?

Re:Why is this sophisticated? (2, Funny)

MrR0p3r (460183) | more than 7 years ago | (#19532549)

But these are the same people who click "Allow" when their software firewall says "H4xoR!tR0jun.exe is attempting to access the Internet, install a malicious script, steal your personal information and have sex with your wife until she screams like a deaf girl. Permit or Allow?"

That is one hell of a descriptive (albeit true) firewall advisory message. What software firewall are you using?

OT: sex and deafness (0)

Anonymous Coward | more than 7 years ago | (#19533627)

...and have sex with your wife until she screams like a deaf girl.

Had sex once with a deaf woman. Found her disconcertingly quiet throughout the experience.

Re:Why is this sophisticated? (1)

Anonymous Coward | more than 7 years ago | (#19532325)

Arrogant bastard. There you /.'ers go calling people who don't 'know' as much as you idiots. Get a life and a clue, you don't know everything. If you did, you wouldn't be posting on /.

Fscker.

I just had genius idea (1)

whois_drek (829212) | more than 7 years ago | (#19532747)

I just had an incredibly genius idea. What if all executable files, whatever the common or arcane extension, were underlined or colored (like hyperlinks in HTML). Scanning a directory listing, the bright red executable files would stand right out from the rest of the black text. Just like people have been taught that underlined text on HTML pages can be clicked, they will learn that bright red files can be executed, and will take the appropriate caution.

Re:I just had genius idea (1)

rucs_hack (784150) | more than 7 years ago | (#19533517)

I just had an incredibly genius idea. What if all executable files, whatever the common or arcane extension, were underlined or colored (like hyperlinks in HTML). Scanning a directory listing, the bright red executable files would stand right out from the rest of the black text. Just like people have been taught that underlined text on HTML pages can be clicked, they will learn that bright red files can be executed, and will take the appropriate caution.

Interesting. However it won't ever appear in windows, and Linux/most other operating systems have no need for such a system, being already safer by design.

Re:I just had genius idea (1)

slackingme (690217) | more than 7 years ago | (#19535833)

Try 'ls --color=always' and/or additionally, 'man ls'

*padding.. padding.. wouldn't want to set off one of the obnoxious 'filters'*

Re:Why is this sophisticated? (1)

frisket (149522) | more than 7 years ago | (#19534681)

Hell, it might help cull the current crop of dorks who inhabit Executive Row.
  1. What kind of dickhead opens a .doc or .doc.exe attachment anyway? (See first post)
  2. If you do business with dickh^H^H^H^H^Hpartners who send their invoices as .doc files, you're going to get what you deserve anyway.

Re:Why is this sophisticated? (1)

Opportunist (166417) | more than 7 years ago | (#19537327)

Hey, it's fun to read the changes. With a hint of luck you'll see just how low they'd go 'cause the original creator of the document wrote his limit in and the boss just changed that to the "let's see if they swallow it" amount. :)

Re:Why is this sophisticated? (0)

Anonymous Coward | more than 7 years ago | (#19537443)

doc.exe is easy to spot for those with a clue but how many are they? And besides we're talking WINDOWS here friends: an erratic click on another platform might cause damage but it won't cause total destruction. On Windows you never know what the F they're going to do because they can almost literally do anything.

So saying you recognise doc.exe is no comfort.

Re:Why is this sophisticated? (1)

yoth (862235) | more than 7 years ago | (#19538105)

Several executives at work received the BBB email. It wasn't actually an exe file, but a Word doc with an embedded object inside the doc. The embedded object also used a PDF icon graphic. Still kind of stupid to click on a PDF in a Word doc, but some people did it because their boss sent it to them to find out what it was.

Wake-up call? (1)

riker1384 (735780) | more than 7 years ago | (#19531929)

Maybe if a spam scam starts affecting businesses, or the wealthy, there will be a better chance that the politicians will wake up and do something about spam.

Re:Wake-up call? (1)

Wiarumas (919682) | more than 7 years ago | (#19532379)

I'm pretty sure no amount of money protects the wealthy from the overwhelming amount of crap on the internet. Spammers do not discriminate.

Re:Wake-up call? (1)

cryfreedomlove (929828) | more than 7 years ago | (#19532713)

On the whole, do you think business has a positive or a negative effect on society?

They used to do it with faxes, (3, Insightful)

arthurpaliden (939626) | more than 7 years ago | (#19531937)

and before that they used the regular mail.

So this is news because .... they used computers .... and .....email.

Re:They used to do it with faxes, (1)

Aliriza (1094599) | more than 7 years ago | (#19531985)

And it is not targeted enough 'cause they have hit the editor of PC World; they should be more careful.

They used to do it ... (1)

Lead Butthead (321013) | more than 7 years ago | (#19532059)

And it used to work too, because the 'smart ones' would invoice for less than what it would've otherwise cost the billed company to find out if the invoice is legitimate or not, so the company simply pays it just to 'make it go away.'

Quick, apply for a patent! (1)

smurfsurf (892933) | more than 7 years ago | (#19532619)

"So this is news because .... they used computers .... and .....email."

Looks like it has all the components to be patentable.

Re:Quick, apply for a patent! (1)

arthurpaliden (939626) | more than 7 years ago | (#19533185)

Can you patent a scam as a business process? Then once the police catch the fraud artist you can sue him/her for patent infringement and, so long as they still have money left, take it as a settlement.

Re:They used to do it with faxes, (1)

vidarh (309115) | more than 7 years ago | (#19533397)

RTFA. This is _not_ about sending fake invoices, but about sending spam e-mails with malicious apps masquerading as attached invoices.

Re:They used to do it with faxes, (1)

Icyfire0573 (719207) | more than 7 years ago | (#19533741)

They used computers? On the internet? Slap a patent on that baby it's bound to be a money maker!

Re:They used to do it with faxes, (1)

kalirion (728907) | more than 7 years ago | (#19538803)

They used to do it with faxes, and before that they used the regular mail.

Ok, I can see how regular mail could be used to spread viruses, but faxes? Are we talking about a Snowcrash scenario here?

Why not just send out business invoices? (2, Insightful)

swb (14022) | more than 7 years ago | (#19531951)

Many companies have good controls, but many have loose controls on paying invoices. If you used a reasonable database and chose businesses who might get a lot of bills but have a weak grasp on them, you could probably come up with a formula that would correlate highly with having randomly mailed invoices get paid.

Re:Why not just send out business invoices? (1)

u38cg (607297) | more than 7 years ago | (#19533019)

The really at-risk group are growing companies who are getting just beyond the stage where the person inputting the invoice knows the business well enough to sanity-check it, but haven't yet put in place decent procedures for authorising invoices. Happily, it only takes a couple of stupid mistakes to be caught before such procedures are introduced.

Re:Why not just send out business invoices? (1)

swb (14022) | more than 7 years ago | (#19542089)

I suspect there's many risk factors. Think of smaller companies with field offices -- often the bills for field office services go to the home office, and the person paying the invoice has little idea what the services are but knows the risk of not paying them may be disruption to the field office.

It also helps to keep the amounts small as well as perhaps add a late payment charge, so the person getting the bill is worried they might be in trouble if they make the bill late.

Checking out the 'from' address... (3, Informative)

26199 (577806) | more than 7 years ago | (#19531967)

Doesn't help in the slightest.

Don't people know by now that the 'from' address can be easily changed?

(That was a rhetorical question; the answer is evidently 'no'.)

Re:Checking out the 'from' address... (1)

jez9999 (618189) | more than 7 years ago | (#19533311)

Of course the From address can't be faked. It's just like envelopes. Do you think that the return address on the back of an envelope can be faked?

Re:Checking out the 'from' address... (1)

26199 (577806) | more than 7 years ago | (#19537309)

Er. The question was "don't people know that it can be faked", to which the answer was "no"; meaning no, people don't know that it can be faked, not, no, people don't know that it can't be faked.

Sorry for the confusion. But, to be clear, I do know that it can be faked. It's just most people don't.

Re:Checking out the 'from' address... (1)

jez9999 (618189) | more than 7 years ago | (#19539421)

I was, in fact, being incredibly sarcastic. Didn't work very well over the net.

Re:Checking out the 'from' address... (1)

26199 (577806) | more than 7 years ago | (#19540381)

Oh.

That was my first thought, but then I realised there actually was potential for confusion, and you didn't give any sarcasm hints ;)

Why bother faking it? (1)

Opportunist (166417) | more than 7 years ago | (#19537353)

Recently a wave of "P2P lawsuit" spam mails flooded the servers around the globe, claiming the attachment is a court order (yes, that alone is enough stupidity).

The from-address read: "Lawyer". No name, no address, no reply-to address, just "Lawyer". And people fell for it in heaps.

People are stupid. Deal.

Here's a pretty good description (2, Informative)

dachshund (300733) | more than 7 years ago | (#19532021)

The PC World article doesn't go into a lot of detail. Here's some more. The malware itself looks pretty silly, since you have to click through a bunch of warning dialogs to even execute it.

http://avinti.com/press-room/targeted-malware-attack.html

Sorry, the actual details are here (3, Informative)

dachshund (300733) | more than 7 years ago | (#19532041)

Re:Sorry, the actual details are here (1)

pe1chl (90186) | more than 7 years ago | (#19539077)

When the executable is run it downloads a new .exe and .dll from multiple hosts. The malware appears to be hosted on many machines, as the IP addresses are always different and are located in several countries, including the United States, China, Canada, and Romania. The downloaded malware attempts to find shares on the local network in order to create files. The process registers itself with the system to guarantee future runtime as well as getting hooked into standard operating system files.

Ok, so to infect the system the user has to be allowed to:
- run executables from untrusted locations
- download exe and dll files from the Internet
- modify the machine part of the registry
- write into standard operating system files.

It looks like network admin has to be pretty lousy for this to catch on!
None of the above are allowed on our network, and I would say that at least 2 out of 4 should never be allowed on a Windows PC.
(only outright idiots work as an Administrator or Power User all day...)

Small business owner (5, Informative)

narced (1078877) | more than 7 years ago | (#19532025)

As a small business owner, I can attest to the fact that many of my clients will blindly pay the bills I send them, without questioning a thing. I service their computers throughout the month, racking up between 10 and 30 hours, and then send them a bill that simply says "30 hours service * $60.00 / hour" and they pay it. I have never been asked to explain myself. I can probably make up whatever numbers I want.

I was wondering how long before the crooks realized that most businessmen do not have the time or patience to study their bills.

Re:Small business owner (4, Funny)

Anne Thwacks (531696) | more than 7 years ago | (#19532057)

You are obviously not in the UK. Here the problem is that you do the work, send the bills, and still don't get paid!

Re:Small business owner (1)

Prune (557140) | more than 7 years ago | (#19539741)

I don't get it.

Re:Small business owner (1)

Ritchie70 (860516) | more than 7 years ago | (#19535565)

When I was a small business owner, I used to get:

  - Fake invoices from "phone books" for ads (that said in tiny little print that it was not a bill, thereby making it legal rather than mail fraud.)
  - Phone calls from someone claiming to be my regular supplier of printer or copier supplies, offering to sell them "before the price goes up"
  - Similar phone calls to the last for air hoses and a variety of other industry-specific stuff.

The new thing here appears to be that, rather than profiting from the fraudulent billing, the goal is to get malware installed via the attachment. Interesting.

Re:Small business owner (1)

dbcad7 (771464) | more than 7 years ago | (#19538163)

The major ones I've noticed are Toner, and light bulbs.

These people obtain the name of an employee, and just send it, with the unsuspecting employee's name as a PO. Then they bill it, hoping accounts payable will just pay it.

Re:Small business owner (0)

Anonymous Coward | more than 7 years ago | (#19539151)

Well, it may work in a small company with lousy accounting.
Where I work it is usually difficult to get a supplier paid at all, let alone within a reasonable time.
When there is no fully correct invoice with all the details they lawfully can require, and no matching purchase order in the ERP system, it will be very difficult.
Also, each invoice has to be signed off by the person responsible for the purchase order, his boss, and above certain amounts the general manager.

Antivirus caught double extension right away (1)

Tiado (556984) | more than 7 years ago | (#19532105)

I just wanted to try out how likely it would be for me to accidentally open a .doc.exe file. Immediately after renaming a .exe file to .doc.exe, AVG was onto it. Since we use AVG on our computer shop systems, I'm reasonably sure that with having that antivirus and Thunderbird, this sort of scam won't get far with us. Well, that and the fact that we are always in close communication with the BBB to begin with, so if we get a strange email from them, we can always ask them if they sent one.

Please help! (3, Funny)

Anonymous Coward | more than 7 years ago | (#19532127)

I am a VP for HR at a giant multi-national technology corporation and I just sent all of my post-dated stock options to someone in Nigeria so that I could give a puppy a good home.... well, the puppy never showed up and I need some help to get my $6,000,000 back. Won't you please help?

Re:Please help! (1)

It'sYerMam (762418) | more than 7 years ago | (#19532741)

Do those 419 scams even exist? It would seem that, since they need a correct email address for you to reply to, you could just DDoS them if you had sufficient willing vigilantes. If not, you could always create a botnet...

Blue Security tried that with spam (1)

Gary W. Longsine (124661) | more than 7 years ago | (#19535191)

It was alleged that the spammers performed a DDoS on their web site and drove them out of business. They made an application called Blue Frog [wikipedia.org] .

Hard work (4, Insightful)

Ajehals (947354) | more than 7 years ago | (#19532139)

This spam includes a valid email address for the recipient, and correct recipient name and business details. The message and attachment could be anything. In this case it's an invoice, but it could just as easily be an order (sent to sales) or a request for info (sent to PR or Marketing). This would make it extremely difficult to identify.

It's not as if you could use heuristic scanning of the text content (any malicious payload excepted) to determine that messages of this sort are spam; it would prevent you from receiving any business-related email that follows a similar formula, and they are all pretty similar.

The attachment in this case was a doc.exe which is fairly obviously dodgy, but as the article states it could be a .doc (or presumably a file for any application that is exploitable by opening a file) to take advantage of a zero day vulnerability.

With this type of spam and the zero day vulnerability as the scenario it would be entirely possible for a message like this to get through to a real person, for that person to open the attachment and execute whatever malicious code is embedded in the attachment without realising that they have even done anything strange.

There is no way of preventing it that still allows your employees to function, with a 0 day you are (probably) not going to detect the payload before it is executed (what happens then depends on what precautions your company is taking). You cannot brief your user base not to open emails addressed to them with content that looks valid and may be part of their job to look at, the argument of only opening mail from people you know only really works in a social context where you can afford to ignore mail.

So, up until now most common scams and viral mail have had some tell-tale characteristics (although by no means all; custom attacks against specific targets have followed this model before), and now they may not have. (I never understood why spam was so poorly produced in any case.) Given that even badly written and almost blindingly obvious spam and scams manage to trick a small number of people, this type of spam or scam is likely to be more effective. This leads me to think that from a business point of view (let's be honest, especially a Microsoft shop) the usefulness of email is seriously deteriorating; it is approaching the point where the existing system contains too much risk and is too overburdened to be useful, and that is saying a lot because email really was/is a revolutionary technology. Not that I can think of an alternative, nor am I suggesting that we will see business dropping email, but I can see business looking at some of those fatally flawed but great-sounding add-ons that aim to secure mail from unknown recipients (micro payments and white listing etc.).

Re:Hard work (1)

vidarh (309115) | more than 7 years ago | (#19533333)

There is no way of preventing it that still allows your employees to function,

Yes there is. By default sequester all downloaded content to a sandboxed environment with very limited access rights to anything (such as no access to other files, and no access to the network without being given explicit permission for every action). Making functionality to make that trivial to do would be a killer app for virtualization technology. For most users, having a shared clipboard to cut and paste data, images and other info scrubbed clean of anything resembling script or executable stuff from the sandboxes would be sufficient to get the data they need out.

You'd still need a way of bypassing it for things like application downloads, but even most apps could be sandboxed - for the most part they have no business accessing files other than those a user gives explicit permission to or that are part of the app. I like the Java security model - I wish OS's would enforce a similar model for all system access. It would make it so much harder for malicious code.

Re:Hard work (1)

Ajehals (947354) | more than 7 years ago | (#19635127)

By default sequester all downloaded content to a sandboxed environment with very limited access rights to anything (such as no access to other files, and no access to the network without being given explicit permission for every action). Making functionality to make that trivial to do would be a killer app for virtualization technology.

My point is you are going from a useful technology, i.e.

1) get email, it has a power point attachment, open the power point attachment, modify it, save it, send it back...

2) get an email, have it quarantined, now you cannot do anything with it.

After all, accessing it with a suitable reader application would threaten that application; if you are suggesting running the application that opens the attachment in a sandboxed environment then you need to realise that things like external media sources embedded in files won't work, and you cannot save it nor send it anywhere until it is moved from the sandbox back to your environment.

Of course this would be the procedure for every mail with an attachment, every html mail with an embedded logo.... It becomes a nightmare to manage and less convenient. What I mean is that you can work around this but not without significantly degrading the usefulness of the technology, oh and not without relying on the user to realise what is OK for a powerpoint document or word document to do (winword.exe wants to contact http://191.2.3.45/whatever.mov [191.2.3.45] is that OK?) and what is not.

Sandboxing individual applications that have opened a suspect file only works in a disconnected environment, one where one application doesn't want access to other resources. All you would end up with is something akin to the Vista yes/no prompts, and then you are back to relying on the user not to allow an application to do something stupid, even if that stupid action is not obviously stupid.

The circle of life... (2, Interesting)

Telecommando (513768) | more than 7 years ago | (#19532579)

In nature, the successful predator always goes after the weak and the lame first.

Where I work we had to implement draconian measures concerning attachments and files because the execs kept clicking "run anyway" even though the anti-virus software warned them it could be an infected file. They honestly thought they knew more than the AV software.

That's really mean (1)

MECC (8478) | more than 7 years ago | (#19532653)

Now they're targeting the most intellectually vulnerable of society.

Good Thing? (3, Interesting)

Bob9113 (14996) | more than 7 years ago | (#19532777)

At the risk of sounding a little jaded and anti-establishment (which would surely make me an outcast on this site, haha):

I think maybe this is a good thing. I think the scammers have been, to this point, largely targeting the gullible. Old people, drug abusers, the socially awkward. The problem with that is those sections of our society are, I would guess, significantly underrepresented in the political process.

If the friends and contributors of our ruling elite class start getting tagged, perhaps we will see some Internet legislation that is focused on taking out the really vile scum, instead of just the low grade malefactors that infringe copyright for personal use. Copyright legislation is going gangbusters because the people Congress talks to believe it is good. If those same people start to feel the bite of scammers, maybe they'll get serious about finding these assholes and putting them away.

Re:Good Thing? (0)

Anonymous Coward | more than 7 years ago | (#19533619)

I think the scammers have been, to this point, largely targeting the gullible.

Well, since business executives tend to be pro-Bush Republicans, they are gullible by definition. I'm surprised they weren't targeted sooner.

Re:Good Thing? (1)

laffer1 (701823) | more than 7 years ago | (#19536949)

Who do you think buys the Viagra on the Internet?

You think that'd be a good thing? (1)

Opportunist (166417) | more than 7 years ago | (#19537415)

Well, while it would be a good thing if we got more sensible laws, do you think that's what would happen if this actually got pumped towards congress? I mean, you've seen what BS came out of there recently, right?

We'd probably get some new unenforceable laws, or insane punishments on existing unenforceable laws, and on top of it some laws that won't even address the issue but make the life of the whitehats even more uncomfortable than it already is, to the point where the only ones who'll still be able to determine whether networks are safe are actually the ones who attack them, because they don't care in the first place.

Germany is about to (or already did) pass a law that makes the possession of "hacking tools" illegal. I.e. checking your network for security holes is no longer legal.

I won't believe it. (1)

Sj0 (472011) | more than 7 years ago | (#19532933)

I won't believe it. I think these were probably the same painfully obvious scams that I get every day.

EXE embedded in DOC, not .doc.exe (3, Informative)

httptech (5553) | more than 7 years ago | (#19533239)

I've noticed some comments to the effect that it's easy to spot because it is a .doc.exe extension on the attachment. Not so! The latest runs of these scams have been EXE files embedded within actual MS Word or RTF files. Inside the document is a PDF icon and a note telling the user to click on the icon to view the invoice (or complaint, depending on the scam). This is a different method of social engineering than we usually see. That plus the targeted nature of the emails is what makes this sophisticated. It may not fool the savvy user, but as many execs haven't seen something of this nature before, they are likely to click and open the embedded executable. Most are just trusting their AV to warn them if there is anything wrong with the file, which is a big mistake these days.

If you work corporate security, make sure you are watching for signs of the data exfiltration on the network. I've written some Snort IDS signatures which are available here:
http://www.secureworks.com/research/threats/bbbphish [secureworks.com]
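The two attachment tricks discussed in this thread, the doc.exe double extension and an executable embedded as an object inside an RTF invoice, can both be checked at a mail gateway. This is an added example written for this page, not code from the poster or from SecureWorks; the sample message, the "Package" object class and the stub executable inside it are all constructed for the demo.

```python
"""Added example: flag invoice-style mails that carry a double-extension
attachment or an RTF with an executable embedded in an \\objdata block."""
import email
import re
from email import policy
from email.message import EmailMessage

DOC_EXTS = {"doc", "rtf", "pdf", "xls", "ppt", "txt"}        # what the victim sees
EXE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}  # what actually runs
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")    # RTF embedded-object hex
DOS_STUB = b"This program cannot be run in DOS mode"          # present in every PE stub

def double_extension(filename):
    """True for names like invoice.doc.exe: document-looking inner extension,
    executable outer extension."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in EXE_EXTS

def rtf_embeds_executable(data):
    """Decode each \\objdata hex blob in an RTF body and look for a PE image."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return False
    for match in OBJDATA_RE.finditer(data):
        hexdata = re.sub(rb"\s", b"", match.group(1))
        if len(hexdata) % 2:          # truncated blob, cannot decode
            continue
        blob = bytes.fromhex(hexdata.decode("ascii"))
        if b"MZ" in blob and DOS_STUB in blob:
            return True
    return False

def scan_message(raw):
    """Return (filename, reason) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if double_extension(name):
            findings.append((name, "double extension"))
        if rtf_embeds_executable(payload):
            findings.append((name, "embedded executable in RTF object"))
    return findings

def build_sample():
    """Constructed sample mail carrying both tricks (not a real malware sample)."""
    fake_pe = b"MZ" + b"\x90" * 14 + DOS_STUB + b"\x00" * 16
    rtf = (b"{\\rtf1\\ansi Invoice attached. {\\object\\objemb{\\*\\objclass Package}"
           b"{\\*\\objdata " + fake_pe.hex().encode() + b"}}}")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.com", "ceo@example.org", "Invoice 1234"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="invoice.doc.exe")
    msg.add_attachment(rtf, maintype="application", subtype="rtf", filename="invoice.rtf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"{name}: {reason}")
```

The RTF check is a heuristic for the specific embedding the poster describes; a real gateway would also parse OLE2 .doc containers, which this example does not attempt.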

FTFA: Editor-in-Chief Harry McCracken (1)

bl8n8r (649187) | more than 7 years ago | (#19533259)

Poor guy. His name sounds like spam all by itself.

Business ID (1)

Tablizer (95088) | more than 7 years ago | (#19533487)

Every business should be required to have a national ID and place that ID on any ads. That would make it much easier to trace crap to the source and filter out any known abusers.

Re:Business ID (0)

Anonymous Coward | more than 7 years ago | (#19534945)

If they are in the USA and are on the up and up, they have a tax ID number that (should be) unique. Put that into use.

Problem solved (In the USA at least).

Re:Business ID (1)

Tablizer (95088) | more than 7 years ago | (#19537335)

But they are not required to include it in ads, and only larger companies have it.

Re:Business ID (1)

innocent_white_lamb (151825) | more than 7 years ago | (#19538909)

So I get a number, and post it in my ad. Someone wants to impersonate me so he copies the number out of my ad (after all, it's of no value if it's kept secret), and uses it to fool people. What has been gained?

Re:Business ID (1)

Tablizer (95088) | more than 6 years ago | (#19588517)

So I get a number, and post it in my ad. Someone wants to impersonate me so he copies the number out of my ad (after all, it's of no value if it's kept secret), and uses it to fool people. What has been gained?

If somebody paid money for the ad, it is more likely traceable. Plus, they can do this anyhow now with a company name.

I had a similar idea (1)

rantingkitten (938138) | more than 7 years ago | (#19534183)

The service my company offers is primarily targeted at small to medium businesses. As such I frequently deal with the owners of these companies, and if the issue is technical in nature I have to ask them about their network setup. Simple stuff like "Okay, and what kind of internet connection do you have?"

It's astonishing how many of them will say things like "I dunno" or "Oh, it's broadband" or "There's a box that says Netgear, does that help?" If they don't know sometimes I press a little: "Well, do you know who your internet service is from?" since if they say something like "Verizon" I'll know it's DSL, or "Roadrunner" will be cable.

"I'm not sure," they'll say. This happens all the time.

Some of these people work out of their homes, too. Even then they have no idea.

It's like.. let me get this straight, sir. A bill arrives for you every month. You have no idea what company it's from and you don't know what service it's for, but you just pay it?

Why am I doing this job, then? I could start my own business where I just send out random invoices to random people! Clearly they aren't paying any attention to what the hell they're paying for, so I could just make an invoice for "services rendered" and lots of them would, evidently, pay it anyway.

Email as file transfer (2, Interesting)

termigan (118387) | more than 7 years ago | (#19534747)

I've seen all sorts of people here comment that email is getting too risky for businesses to use. From where I stand, that's not the real problem. The problem that's at the center of both the malware and spam problems is that it's become very hard to quickly determine the credentials of a person sending you information. In the case of email, the solution to the malware problem is simple: strip all HTML tags and attachments out as the mail is received. There is no way to get malware from an email without active content (HTML, attachments, etc.).

When you make email safe, you then have the real problem distilled to its essence: How do internet users safely receive files over the internet. And the answer to that is authentication, but then credentials become tradeable items, and you have malware going after credentials.

The problem is not with email, it's with the whole internet's permissiveness. Every solution you put in place gets knocked back to its core problem: that there's no easy way to definitively say what person you're interacting with at the time. And this will be a tough sell; we're used to an anonymous internet. To solve the problem of internet crime once and for all, I predict that we will have to give up our ability to become entirely anonymous. There will be bumps in the road, but once everything that lands on your computer can be attributed to a real person, your email and internet will be as safe and sane as your US Mail. Maybe even safer, because it will be easier to exclude content from people with bad reputations.

Yeah....Did you...Did you get the memo? (1)

Crauemine (1116451) | more than 7 years ago | (#19537367)

Don't forget to file your TPS reports people!