Here are some examples of phishing emails, and how to detect them.
I’ve put up some basic information about detecting phishing emails. The outlook is not bleak, as some would expect. Based on internal data, over 98% of recipients do not respond to phishing emails.
In a few days I’ll put up some examples of actual phishing emails, and point how the features that betray their malicious intent. There will also be an article on more technical methods of analyzing suspicious emails.
I’ve posted before about external hard drives with built-in encryption. These devices have their own keypad to enter the password/decryption key. If you should happen to connect it to a computer infected with a keystroke logger, the key will not be revealed (although such a computer may have other malware installed on it!)
- Apricorn Aegis Padlock 3
- Rocstor Rocsafe MX
- Lenovo ThinkPad USB 3.0 Secure Drive
- DataLocker DL3
Update: Graham Cluley at Sophos has also blogged about this email variant, with some additional detail.
A new variant of the “Do [Something Important] by opening the attached file” scam has arrived. The goal is to trick you into running the malware that is attached. While most Antivirus software will detect and prevent you from running known malware, 100% accuracy is impossible, and new malware variants may not be detected whey they have just been released. Here’s what the email looks like:
Subject: The police investigation is under way now. You’ll be really sorry about what you have done.
Do you know who posted these photos online?? This is strange cause there’s your FB acc there. Why did you do it and how did you get my photos?? This is a crime actually do you know?? I put one photo in attachment. We have to clear this thing or else I’ll have to contact my lawer!
Edit: 9:29am 13 Apr 2012 – Apple have just released “Java for OS X Lion 2012-003” – a security update that removes the most common variants of the Flashback malware, and also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.
A new variant of Java-based malware dubbed “Flashback” has been spreading rapidly on OSX – some reports suggested over 550 thousand Macs were infected as of 4 April 2012. It gains a foothold on a vulnerable system and can be used to download more malware at a later date.
There has been lots of publicity about Flashback, mainly because Apple contributed significantly to the problem by release a fix 8 weeks late. Ed Bott summarizes the situation very well in a blog post at zdnet.com.
It is caused by attackers exploiting several bugs in Java to trigger a “drive-by” infection of vulnerable computers. This means viewing a malicious website is enough to infect your computer. Java is used to run various applications and comes built in to most Apple computers. The official Apple support document (HT5228) is very brief – and only notes that that “Java for OS X Lion 2012-002 and Java for Mac OS X 10.6 Update 7” fixes multiple vulnerabilities in Java 1.6.0_29. While Java is made by Oracle, Apple manages Java updates to OSX independently.
- Macs and OSX should not be viewed as “more secure” than Windows or other operating systems, especially since Apple has a history of being slow in releasing security fixes.
- Antivirus software should be installed on all computers – it is cost effective protection against most threats.
What you should do:
- Update immediately – on OSX go to the Apple Menu > Software Update.
- If you use OS X 10.5 or earlier, disable the Java plugin in your web browser, as Apple does not appear to be updating Java on these platforms. Instructions for Safari, Firefox, and Chrome.
- Consider installing Antivirus software on your Mac. There are many products to choose from, made by reputable vendors like Sophos, F-Secure, and Kapersky.
Detection and removal (Technical users only):
- Check the DYLD_INSERT_LIBRARIES environment variable in web browsers, or visit flashbackcheck.com or www.drweb.com/flashback/?lng=en to detect infected computers.
- Rebuild infected machines from known good media. Cleanup should only be opted for where a rebuild is prohibitively costly
- Manually cleanup the infection, or use a removal tool: We know of tools from Apple (via Software Update), Kapersky and F-Secure.
We’ve just updated the Common Internet Scams page with a new and unusual scam that’s recently been seen around the world. Known as the “hit man” or “Assassin” scam, this email essentially claims that the senders are going to kill you – contact them immediately if you want to live.
We suspect the obvious – contact them and they will ask for money. Ignore the email. However, if you do feel threatened, contact your local law enforcement agency. An example of these emails is below:
Subject: You have been betrayed by your Friend
You have been betrayed!!! Its a pity that this how your life is goingto come to an end as your death had already been paid for by someone who is very close to you from all investigations.
I have ordered 3 (three) of my men to monitor every move of you and make sure you are not out of sight till the date of your assassination.
According to the report I gets, you seem to be innocent about what you have been accuse but I have no business with that, so thats why am contacting you to know if truly you are innocent and how much you value your life.
Get back to me if you sure want to live on, ignore this mail only if you feel its a joke or just a threat.
Dont forget your days on earth are numbered, so you have the chance to live if only you will comply with me.
WARNING: Tell no one about this mail to you because he or she might just be the person who wants you dead, and if that happens, I will be aware and am going to make sure you DIE instantly.
I will give you every detail of where to be and how to take any actions be it legal or illegal, thats only when I read from you.
You need to stay calm and act unaware of this situation and follow instructions because any move you make that is suspicious; you will DIE as your days are numbered.
Just published a page listing some common internet scams that the Information Security Office often gets asked about. It’s just a wall of text at the moment, but I’ll add some annotated screenshots over the next few weeks to better illustrate each type of scam.
So you would insert the Live USB drive, restart the computer, and it would startup the Tails Linux Operating Sustem. You can encrypt any files you create with built-in tools, and any internet traffic is anonymised. When you’re done, shut down and remove the USB drive.
The concept is fantastic! There are far too many uses to list – from the noble and important goals of safeguarding communications within a repressive government, to simply protecting your privacy when using public WiFi (e.g. At a hotel, Starbucks or McDonalds).
It’s only version 0.10 at the moment (meaning there is a lot of work still to be done), but I’ll be following this closely. Check out the various ways you can support this project.
Technical Stuff: Astute readers will correctly note that you’re still vulnerable to hardware intrusions like keyloggers if you use untrusted hardware. Regardless, some protection (e.g. Tor network) of your activity is better than nothing. There are also various methods of avoiding keyloggers if you suspect hardware tampering – like using on-screen keyboards (incidentally, Tails ships with one).