Fame At Last, Or Under Attack?

April 15, 2005

Here’s an example of how social engineering can be more important than technical sophistication.

It’s an email with a credible From address, a credible header, a credible subject line and credible contents:

From: john@flexiprint.co.uk
Subject: Photo Approval Needed

Hello,

Your photograph was forwarded to us as part of an article we are publishing for our May edition of Business Monthly.  Can you check over the format and get back to us with your approval or any changes you would like.  If the photograph is not to your liking then please attach a preferred one.

Kind regards,

John Andrews
Dept Marketing
Flexiprint.co.uk

Attached is a zip file, photo-approval-needed.zip. Inside the zip file is not a photo but a screen-saver (.scr) executable, which, according to CodePhish’s Daniel McNamara, is an IRC trojan for building a botnet. In plain English: it compromises the victim’s computer so that it can be controlled remotely, taking its orders over an IRC channel, to send spam, viruses and the like. The compromised computer is called a zombie, and the big collection of remotely controlled zombies is called a botnet.
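As an added example (not part of the original post), here is a Python check that does what a mail gateway, or a cautious recipient, should do with an attachment like this one: read the zip's directory without extracting anything and flag any entry that is a Windows executable rather than a photo. The sample message is constructed here to match the lure above; the file names inside the zip are assumptions, since the post only says the archive holds a screen-saver executable.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows will run as code when double-clicked. A "photo" should never be one.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def is_executable_name(name: str) -> bool:
    """True for 'so.scr' as well as double-extension tricks such as 'photo.jpg.scr'."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def inspect_zip_attachment(data: bytes) -> list:
    """Return the names of executable entries in a zip, reading only its central directory.

    Nothing is extracted. Standard zip encryption leaves entry names in the clear, so
    this also works on password-protected archives that an AV scanner cannot open.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [name for name in zf.namelist() if is_executable_name(name)]
    except zipfile.BadZipFile:
        # A ".zip" that is not a zip is itself worth flagging rather than ignoring.
        return ["<not a valid zip archive>"]


def inspect_message(raw: bytes) -> dict:
    """Walk a raw RFC 822 message; map each attachment to the executables found in it."""
    msg = email.message_from_bytes(raw)
    report = {}
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # body text and multipart containers carry no filename
        payload = part.get_payload(decode=True)
        if filename.lower().endswith(".zip"):
            report[filename] = inspect_zip_attachment(payload)
        elif is_executable_name(filename):
            report[filename] = [filename]  # bare executable, no zip wrapper
        else:
            report[filename] = []
    return report


def build_sample_message() -> bytes:
    """Constructed sample shaped like the lure in the post; not the real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Entry names are assumptions: the post only says the zip holds a screen-saver executable.
        zf.writestr("photo.jpg", b"\xff\xd8 not a real jpeg")
        zf.writestr("photo-approval-needed.scr", b"MZ\x90\x00 not a real executable")
    msg = EmailMessage()
    msg["From"] = "john@flexiprint.co.uk"
    msg["Subject"] = "Photo Approval Needed"
    msg.set_content("Your photograph was forwarded to us as part of an article ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="photo-approval-needed.zip")
    return bytes(msg)


if __name__ == "__main__":
    for attachment, executables in inspect_message(build_sample_message()).items():
        verdict = "SUSPICIOUS" if executables else "ok"
        print(f"{attachment}: {verdict} {executables}")
```

The check deliberately looks at names, not content, because that is what the victim sees and what the lure relies on: a user expecting a picture has no reason to expect an .scr. A gateway would quarantine on a non-empty list rather than print it.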

While Daniel says the trojan is not that sophisticated, it does a pretty good job of turning off Windows XP’s firewall, turning it, in his words, “into Swiss cheese”.

I’m more impressed, however, by the social engineering. Who wouldn’t wonder whether the attachment might contain a picture of them, and why wouldn’t they be written up in Flexiprint’s Business Monthly? Only by opening the zip file (and finding a screen-saver executable where a photo should be), or by checking out Flexiprint’s website (which resolves to business Internet solutions provider altoHiway), would the recipient start to smell a rat.

This goes to underline a point that is sometimes skated over in advice given to the casual Internet user: it’s not enough to scour a suspicious email for bad grammar, odd formatting or strange header fields. Sometimes these give up few clues. The best rule of thumb is: if you’re not expecting an email from the sender, be suspicious. And a “photo” that arrives as a zip file containing a .scr or .exe is never a photo.

6 thoughts on “Fame At Last, Or Under Attack?”

  1. Solb1 Kenobi

    I have to ask: are human beings generally stupid? Why is it that people fall back on their ‘social’ programming? Or is that a leading question?

    Most times, it seems I’m the only one who deletes unsolicited email (especially with unknown “re:” subjects) sight unseen. Attachment or no attachment. Friend or no friend.

    Methinks I’m the most incurious man in the world! LOL

  2. The Norwegian

    I received a similar message at my home email address, with slightly different wording. My ISP had already detected the problem and deleted the attached file before sending on the email. I also checked the flexiprint website, which took me to one called “moore” (http://www.flexiprint.co.uk/4/index.htm). But as no one in the family knew the sender, there was no specific reference to any of our names, and no one was expecting anything of this sort, I deleted the offending email. Thanks for confirming my suspicions.

  3. Carl

    We recently received a similar e-mail from “flexiprint” containing an attached zip file named “Screen Capture.zip”, which contained an ‘so.scr’ file. Other than the attached file format and name, the e-mail could have been taken as credible.

    —————–
    Hello,

    I noticed whilst browsing your site that there were problems with some of your links, when I tried again with Internet Explorer the problems were not there so I assume that they were caused by me using the Mozilla browser.

    As more people are turning to alternative browsers now it may be of help for you to know this. I have enclosed a screen capture of the problem so your team can get it fixed if you deem it an issue.

    Kind regards,

    James Andrews
    Dept. Publishing
    http://www.FlexiPrint.co.uk
    —————–

  4. Michael Watts

    Yes, I also received the same email with the attached screensaver file. It was forwarded on by our receptionist (somehow it also got through Trend anti-virus!). Luckily she hadn’t opened it (wasn’t that interested).

  5. Peter Lebensold

    This seems to be heating up again: In just the past 2-3 days, I have received over a half-dozen of these emails, from sources as apparently-legit as Britain’s Guardian newspaper and a Yale University campus publication!

  6. Dean

    One of my team received this this morning and unzipped the file. What’s the possible outcome?

