Our colleagues at SophosLabs pointed us at an interesting piece of malware the other day, namely a data-stealing Trojan aimed at Mac users.
In fact, it was somewhat more than that: it was one of those “undelivered courier item” emails linking to a dodgy web server that guessed whether you were running Windows or OS X, and attacked you accordingly.
You’re probably familiar with “undelivered item” scams.
The idea is surprisingly simple: you receive an email that claims to come from a courier company that is having trouble delivering an item to you.
In the email is a link to, or an attachment containing, what purports to be a tracking note for the item.
You are invited to review the relevant document and respond so that delivery can be completed.
We’ve seen a wide variety of courier brands “borrowed” for this purpose, including DHL, the UK’s Royal Mail and even, in one bewildering case, a made-up courier company called TNS24, with its very own website, featuring its very own amusingly ill-Photoshopped planes, ships and automobiles.
But a competently executed courier scam can be fairly persuasive, particularly if the criminals behind it know enough about you to turn it into a targeted attack.
Even a modest amount of detail can do the trick.
For example, the crooks will sound a lot more believable if they know your address and phone number; are aware of what you do for a living; and have a general idea of some of the projects you are working on right now.
Of course, if you open the attachment or click on the link in one of these scams, you are immediately put into harm’s way: the attachment might try to activate an exploit in your unpatched copy of Word, for instance, or the link might attack an unpatched Java plugin in your browser.
Here’s what the emails looked like in this attack, with some details changed or redacted for safety.
If you are a native speaker of English, you will notice that the wording of the email is clumsy and unidiomatic, and if you were to receive a message like this you might well be suspicious on those grounds alone.
But if Mr Sidebottom really is in the engineering business, and regularly deals with inbound documents from courier companies around the world, an email of this sort could easily pass muster.
The link, of course, doesn’t really lead to fedex.com.ch, but instead takes you to a domain name that is controlled by the attackers.
If you are on a mobile device, the server delivers an error message.
If you are using a desktop browser that isn’t Safari, you receive a ZIP file containing a Windows program detected by Sophos Anti-Virus as Mal/VBCheMan-C, a distant relative of the Zbot or Zeus malware.
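The server’s behaviour above, handing out a different response depending on the visitor’s browser, is a form of cloaking that an analyst can detect by requesting the same URL with several User-Agent strings and comparing what comes back. The script below is an added example for that check and is not code from Sophos or from the malware; the User-Agent strings, URL and `fake_fetch` stand-in (which imitates the three-way split described in the article) are constructed for offline use, while `http_fetch` is the real fetch you would swap in on an isolated analysis host.

```python
"""Detect User-Agent dependent responses (platform-sniffing cloaking) for one URL."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

Response = Tuple[int, str, bytes]  # (HTTP status, Content-Type, body)

# Constructed probe User-Agents, one per client class the article says the server told apart.
PROBES = {
    "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 Mobile/10A403 Safari/8536.25",
    "windows_chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.17 Chrome/24.0 Safari/537.17",
    "mac_safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26 Safari/536.26",
}


def http_fetch(url: str, ua: str, timeout: int = 10) -> Response:
    """Real fetch via urllib; only for use from an isolated analysis host (not called in the demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.headers.get("Content-Type", ""), resp.read()


def probe(url: str, fetch: Callable[[str, str], Response]) -> Dict[str, dict]:
    """Request the URL once per probe UA and record status, type, size and body hash."""
    results = {}
    for label, ua in PROBES.items():
        status, ctype, body = fetch(url, ua)
        results[label] = {"status": status, "content_type": ctype,
                          "size": len(body), "sha256": hashlib.sha256(body).hexdigest()}
    return results


def is_cloaking(results: Dict[str, dict]) -> bool:
    """True when at least two client classes received a different status or body."""
    signatures = {(r["status"], r["sha256"]) for r in results.values()}
    return len(signatures) > 1


def fake_fetch(url: str, ua: str) -> Response:
    """Constructed stand-in imitating the article's server: error for mobile,
    one ZIP for Safari on a Mac, another ZIP for every other desktop browser."""
    if "Mobile" in ua:
        return 500, "text/html", b"<h1>Error</h1>"
    if "Macintosh" in ua and "Chrome" not in ua:
        return 200, "application/zip", b"PK\x03\x04<constructed mac sample>"
    return 200, "application/zip", b"PK\x03\x04<constructed windows sample>"


if __name__ == "__main__":
    for label, r in probe("http://tracking.example.invalid/item", fake_fetch).items():
        print(label, r["status"], r["content_type"], r["size"], r["sha256"][:16])
```

A URL that returns the same body to every probe is not proof of safety, only the absence of this particular trick; a cloaking hit is worth a closer look at each distinct body in a sandbox.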