Fame At Last, Or Under Attack?

Here’s an example of how social engineering can be more important than technical sophistication.

It’s an email with a credible from address, credible header, credible subject line, credible contents:

From: john@flexiprint.co.uk
Subject: Photo Approval Needed

Hello,

Your photograph was forwarded to us as part of an article we are publishing for our May edition of Business Monthly.  Can you check over the format and get back to us with your approval or any changes you would like.  If the photograph is not to your liking then please attach a preferred one.

Kind regards,

John Andrews
Dept Marketing
Flexiprint.co.uk

Attached is a zip file, photo-approval-needed.zip. Inside the zip file is a screen-saver executable, which, according to CodePhish’s Daniel McNamara, is an IRC trojan for building a botnet. In English this means compromising the victim’s computer so it can be controlled remotely to send spam, viruses and stuff. The compromised computer is called a zombie and the big collection of remotely controlled zombies is called a botnet.

While Daniel says the trojan is not that sophisticated, it does do a pretty good job of turning off Windows XP’s firewall, turning it, in his words, “into Swiss cheese”.

I’m more impressed, however, by the social engineering. Who wouldn’t wonder whether the attachment might contain a picture of them, and why wouldn’t they be written up in Flexiprint’s Business Monthly? Only by opening the zip file, or by checking out Flexiprint’s website (which resolves to business Internet solutions provider altoHiway), would the recipient start to smell a rat.

This goes to underline a point that is sometimes skated over in advice given to the casual Internet user: it’s not enough to scour a suspicious email for bad grammar, odd formatting or strange header fields. Sometimes these give up few clues. The best rule of thumb is: if you’re not expecting an email from the sender, be suspicious.
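The attachments described in this post and in the comments share one technical tell: a zip archive whose payload is a Windows executable (here a .scr screen saver, an extension many users don’t recognise as a program). As an added example, not code from the original post, here is a small Python check a mail gateway or help desk could run on an incoming archive to flag that before anyone double-clicks it; the sample archives and their contents are constructed placeholders, not the real malware.

```python
import io
import zipfile

# Windows extensions that run as programs when double-clicked. .scr (screen saver)
# is the one used by the attachments on this page and is easy to overlook.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}


def suspicious_members(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members that would execute if opened on Windows.

    Only the final extension is checked, so a double-extension name such as
    'photo.jpg.scr' is still caught. Data that is not a zip at all is reported
    as ['<not a zip>'] so the caller can quarantine it as well.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<not a zip>"]
    flagged = []
    for name in names:
        if name.endswith("/"):  # directory entry, nothing to run
            continue
        base = name.rsplit("/", 1)[-1]
        ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
        if ext in EXECUTABLE_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name -> content mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-ins for the attachments mentioned on this page; the member
    # contents are placeholder bytes, not the actual trojan.
    samples = {
        "photo-approval-needed.zip": build_sample_zip({"photo-approval-needed.scr": b"MZ..."}),
        "Screen Capture.zip": build_sample_zip({"so.scr": b"MZ..."}),
        "real-photo.zip": build_sample_zip({"portrait.jpg": b"\xff\xd8\xff"}),
    }
    for filename, data in samples.items():
        hits = suspicious_members(data)
        print(f"{filename}: {'QUARANTINE' if hits else 'pass'} {hits}")
```

The check is deliberately dumb about content: it does not try to classify the payload, only to stop an unexpected “photo” or “screen capture” that is really a program from reaching a user who was told to expect an image.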

15. April 2005 by jeremy
Categories: Malware, Phishing, Security | 6 comments

Comments (6)

  1. I have to ask: are human beings generally stupid? Why is it that people fall back on their ‘social’ programming? Or is that a leading question?

    Most times, it seems I’m the only one who deletes unsolicited email (especially with unknown “re:” subjects) sight unseen. Attachment or no attachment. Friend or no friend.

    Methinks I’m the most incurious man in the world! LOL

  2. I received a similar message at my home email address, with slightly different wording. My ISP had already detected the problem and deleted the attached file before sending on the email. I also checked the flexiprint website which took me to one called “moore” (http://www.flexiprint.co.uk/4/index.htm ). But as no one in the family knew the sender, there was no specific reference to any of our names, and no one was expecting anything of this sort, I deleted the offending email. Thanks for confirming my suspicions.

  3. We recently received a similar e-mail from “flexiprint” containing an attached zip file named “Screen Capture.zip”, which contained an ‘so.scr’ file. Other than the attached file format and name, the e-mail could have been taken as credible.

    —————–
    Hello,

    I noticed whilst browsing your site that there were problems with some of your links, when I tried again with Internet Explorer the problems were not there so I assume that they were caused by me using the Mozilla browser.

    As more people are turning to alternative browsers now it may be of help for you to know this. I have enclosed a screen capture of the problem so your team can get it fixed if you deem it an issue.

    Kind regards,

    James Andrews
    Dept. Publishing
    http://www.FlexiPrint.co.uk
    —————–

  4. Yes, I also received the same email with attached screensaver file. It was forwarded on by our receptionist (somehow it also got through Trend anti-virus!). Luckily she hadn’t opened it (wasn’t that interested).

  5. This seems to be heating up again: In just the past 2-3 days, I have received over a half-dozen of these emails, from sources as apparently-legit as Britain’s Guardian newspaper and a Yale University campus publication!

  6. One of my team received this this morning and unzipped the file. What’s the possible outcome?