Viral Spam

I’m seeing a lot of spam today with titles like Customs – We have received a parcel for you or Customs, please read. There was a lot yesterday about undelivered parcels from UPS.

These have a zipped attachment which is infected with a virus. Typical text of the e-mail is:

Good day,

We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

Kind regards,
Grover Sterling
Your Customs Service

or

Dear Sirs,

We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

Kind regards,
Casey Rhoades
Your Customs Service

The giveaway, as always, is that they are not addressed to you by name, and they come from unlikely e-mail addresses (typically harvested from infected computers). The two above came from Customs Service <lvsgjjo@bluegrassgroup.com> and Customs Service <cwq@blmbuilders.com> but each one will be different.

At the time of writing, these were not detected as malicious by AVG 8.0 (and nor by Symantec, Norton, McAfee, Avast, Ewido, F-Prot, Kaspersky or Panda). Just delete them.

If you have run the attachment (typically by double-clicking the contents of the zip file) you’ll soon start getting warnings that “Your computer is infected”, inviting you to download software to clear it. The warnings are part of the infection, and the software it wants you to download will make matters much worse. Don’t download anything, and contact someone who can help you remove the infection.

PS: I’m seeing a lot of fake airline ticket sales today (20 August). They typically start:

Hello,
Thank you for using our new service “Buy flight ticket Online” on our website.
Your account has been created:

and then go on to give login details for a website whose address is not stated (!) and say your credit card has been charged for some amount (usually about $650). A “ticket” is attached.

The usual things give it away: not addressed to a specific person; dodgy attachment (this one is called Ticket_N141-SK.zip and contains a file called Ticket_N141-SK.exe — a file ending in .exe is a program, and this one is instantly detected by AVG 8.0 as containing trojan Pakes.AFL).

Be careful not to run Ticket_N141-SK.exe, and just delete the e-mail and its attachment.

(Aug 23) Sophos reports yet another variant, “Statement of Fees 2008/09”, whose attachment is sneakily named “Fees_2008-2009.doc______________.exe”. They hope you’ll think it’s a Word document (.doc) not a program (.exe). As Sophos says, “Don’t let curiosity get the better of you – don’t open the attachment if you didn’t order the package, or the tickets, or the contract, or the accommodation … or whatever else they’ll come up with next.”

“Phishing” scams

One of the things to watch out for in your e-mail is the notorious “phishing spam”: this is spam that tries to get you to log in to your online bank or similar. The aim is to direct you to a fake web site which will look exactly like your real bank and invite you to type in your security details. Once you type in your details, of course, you’ve given them to the spammer, not the bank, and they will then be used to drain money from your account.

Phishing attempts are pretty easy to detect with a minimum of knowledge. There’s no point in checking who the e-mail seems to be from — it’s perfectly simple to send e-mail that looks like it comes from whoever you choose. Three danger signs to check for:

1. Not addressed to you personally. My bank would always write to “Dear Paul Doherty” or “Dear Mr Doherty”, and would also include my postcode, account number or some other information not given in my e-mail address. Spammers only have your e-mail address, so they invariably write to “Dear Customer” or similar, or to no-one at all.

2. Poor English. Most phishing spammers aren’t English, so they write it with a phrase book, and it usually shows.

3. Link in the e-mail is misleading. You need a little knowledge to check this, but it’s the clincher. The spammer will want to make any link look as if it goes to the bank, but really it must go to an imitation website.

One thing everyone should know is how to check what website a link really goes to, and how to decode a website address.

Different e-mail programs show the real place a link goes to in different ways: find out how yours does it. Mine does it if I just hover the mouse over the link. Check that address carefully — even if it looks like it goes to barclays.co.uk, a common trick is to register a fake website with a similar name: nationvide instead of nationwide, paypa1 instead of paypal, RB0S instead of RBOS.

Mostly, though, spammers just rely on people not being able to work out what website is being referred to. Here’s how to check it: starting from the left, just after http://, scan to the right until you find another slash (/) – stop there. If the part immediately to the left of that slash has three letters (typically .com), then that part and the word immediately before it make up the (international) website address. If it has two letters (typically .cn or .ru), then that part and the two words before it make up the (national) website address. (.cn is China and .ru is Russia.) And if there are no words, just numbers, it’s suspicious by definition.
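The checking rule in the paragraph above, written out as a small Python script. This is an added example, not code from the post; it applies the post’s rule mechanically to constructed sample links of the kind the post describes (the full addresses from the real messages are not reproduced here) and also accepts https:// links, which the post does not mention.

```python
import re

# Constructed sample links shaped like the ones in the post (not real messages).
SAMPLE_LINKS = [
    "http://xml48.com/abbey/login.php?ref=ADDRESS-REDACTED",
    "http://193.254.185.39/~engelbert/paypal/index.htm",
    "http://novacom.zaural.ru/rbs/update.html",
    "http://www.barclays.co.uk/personal/",
]


def host_of(url):
    """Step 1 of the rule: the text after http:// (or https://) up to the next slash."""
    m = re.match(r"https?://([^/]+)", url)
    if not m:
        return None
    return m.group(1).lower()


def site_of(url):
    """Apply the post's rule and return (website address, verdict)."""
    host = host_of(url)
    if host is None:
        return None, "not a web link"
    labels = host.split(".")
    # Only numbers and dots: suspicious by definition.
    if all(label.isdigit() for label in labels):
        return host, "numeric address: suspicious by definition"
    ending = labels[-1]
    if len(ending) == 3:
        # Three-letter ending (.com etc.): that word plus the one before it.
        return ".".join(labels[-2:]), "international site"
    if len(ending) == 2:
        # Two-letter country ending (.ru, .cn, .uk ...): that word plus the two before it.
        return ".".join(labels[-3:]), "national site (country code ." + ending + ")"
    return host, "unusual ending: check carefully"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        site, verdict = site_of(link)
        print(link, "->", site, "|", verdict)
```

The rule cannot catch look-alike spellings such as paypa1 or nationvide; those still need a careful look at the name it returns.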

Here are three recent examples.

Abbey phishing spam

1. Addressed to generic name.

2. Suspect English (“launch the procedure of the member login update”, “does apologize for any inconvenience caused to you and is very grateful for your help”) and too many exclamation marks.

3. Link is actually to website xml48.com — the “ref” probably identifies the e-mail address that fell for this trick, so that it can be targeted with more attacks, which is why I’ve obscured it.

4. Why would a genuine bank write “If you are not a client of Abbey National Internet Banking please ignore this letter!” – it would know who its customers were.


PayPal phishing spam

1. It’s addressed to generic “Dear PayPal user”.

2. The English is OK on this one (but it says “Us” instead of “Contact Us”).

3. The website is 193.254.185.39 — all numbers, no words, very suspicious. (And, if you know, ~engelbert is the directory of a user called Engelbert — probably someone whose account has been hacked by the spammer and used to host the fake site).

4. There is no “To” address.


RBS phishing spam

1. Not addressed to anyone specific.

2. Suspect English (“As of that result”).

3. Website is novacom.zaural.ru — a Russian site.


Fake anti-virus programs

This is an old post from 2008, but it’s still very relevant. The screenshots are out of date, but they give the idea.

Sadly, there’s more fake anti-malware programs out there than there are real ones. (Malware is a general term for viruses, trojans, spyware, and so on.) Often a small infection sneaks on to your PC (usually because you’ve clicked unwisely on an e-mail message or downloaded something unfortunate from a website). This infection then starts popping up messages that look like Windows is warning you that your PC is infected, and inviting you to download something to scan it and remove the infection. This often looks like it might be from Microsoft.

If you download the advertised software — because that’s what this is, sneaky advertising — it will make matters much worse. The software will probably invite you to send money or enter credit card details, it will pretend to find lots of infections that you don’t really have, and it will probably add more infections.

Here are some screenshots of a common one (courtesy of Bleeping Computer):

Antivirus Xp

This sort of thing is, sadly, very common. If you think your PC is infected, you should take professional advice unless you are quite sure you know what you’re doing. Downloading stuff like this will make matters worse, not better. With the right knowledge and tools, however, this sort of thing is usually pretty straightforward to remove.

There’s a list of rogue sites and software here, but it’s now more than a year out of date. It will give you some idea of how many fake sites there are, and how much fake software there is, however. This one has a website:

The website is hosted on a computer in China, and registered to a — probably fake — company (Goya Interco LLC) with a claimed address in Finland. The domain was registered on 17 June 2008. The website is superficially convincing, but there are some tell-tale features:

  • Spelling mistakes: establishement, 100’000, realiable
  • Slightly curious English and grammar
  • Unfeasible claims: “Since its first establishement in 2001, antivirusxp2008 …”
  • No company name, address or contact details (all contact is by filling in a web form — no e-mail addresses or telephone numbers are given).

It looks good though, and is a good reason why you should not judge by appearances.

A very similar fake removal program is analysed here.

Firefox Add-ons

When Firefox updated itself to 2.0.0.14 recently, I found that many of my add-ons stopped working, among them Adblock and the British English Dictionary. Message shown on Tools | Add-ons was “Incompatible with this version of Firefox”.

This turned out not to be true. Re-installing them was painless and got them all working again.

AVG Update

AVG 8.0 is now out.

There is a free version at http://free.grisoft.com

This is the procedure I generally follow:

1. Download Version 8 from here.

2. Uninstall the current version (typically 7.5).

3. Restart the PC.

4. Install the new version by running the downloaded file.

I choose NOT to install the “Security Toolbar” when asked.

The new version seems to be a useful improvement — it runs quicker than 7.5 on my PC and also searches for spyware (and tracking cookies) which 7.5 didn’t.

AVG adds some anti-spyware features from Ewido (AVG has bought Ewido) which 7.5 didn’t have; for that reason earlier versions of Ewido need to be uninstalled before AVG 8.0 can be installed. The AVG 8.0 installation process checks for their presence and will warn you if it finds them.