The Spam Cryer » Anti-Virus

Swine Flu Phishing Attacks and Email Scams

Shaun — Mon, 27 Apr 2009 21:37:22 +0000

US-CERT is aware of public reports of email scams circulating related to the Swine Flu. The attacks arrive via an unsolicited email message typically containing a subject line related to the Swine Flu. These email messages may contain a link or an attachment. If users click on this link or open the attachment, they may be directed to a phishing website or exposed to malicious code.

US-CERT encourages users to take the following measures to protect themselves:

Do not follow unsolicited web links or attachments in email messages.
Maintain up-to-date antivirus software.
Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Maintaining up-to-date anti-virus is vital. Some appliances, like the Barracuda Spam & Virus Firewalls that are used by CudaMail.com to filter mail are updated on a constant basis.

US-CERT will provide additional details as they become available.

Relevant Url(s):

http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.avertlabs.com/research/blog/index.php/2009/04/27/swine-flue-spam/

http://www.us-cert.gov/reading_room/emailscams_0905.pdf

US-CERT: Waledac Trojan Horse Spam Campaign Circulating

Shaun — Thu, 09 Apr 2009 16:17:31 +0000

Original release date: March 17, 2009 at 9:08 am Last revised: March 17, 2009 at 9:08 am

US-CERT is aware of public reports of malicious code circulating via spam email messages related to bogus terror attacks in the recipient’s local area. These messages use subject lines implying that a fatal bomb attack has occurred near the recipient and contain a link to “breaking news.”

Users who click on the link will be taken to a site posing as a Reuters news article that contains a bogus news story about the fatal bomb attack. The systems serving the bogus news story check a visiting user’s IP address to obtain a geographical location to insert a nearby placename into the bogus article. The articles also contain links to video content, claiming that the latest Flash Player is required to view the video.

If users attempt to update or install the Flash Player from the link provided in the article, their systems may become infected with malicious code.

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
* Install antivirus software, and keep the virus signatures up to
date.
* Do not follow unsolicited links and do not open unsolicited email
messages.
* Use caution when visiting untrusted websites.
* Use caution when downloading and installing applications.
* Obtain software applications and updates directly from the
vendor’s website.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document
for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks
document for more information on social engineering attacks.

Relevant Url(s):

====
This entry is available at
http://www.us-cert.gov/current/index.html#waledac_trojan_horse_spam_campaign

Should mail servers keep ‘office hours’?

admin — Fri, 12 Dec 2008 20:39:50 +0000

Should your mail server have ‘office hours’?

You turn off the lights at night, turn down the HVAC and forward the phones to an answering service but you leave the mail server running 24 x 7. While it is getting more common to be working in a 24 x 7 shop for some industries (IT support has always had odd hours) how many legitimate business related e-mail do you get after midnight or on the weekend? The reason I ask is that I reviewed the mail logs for a few companies and found that most of the time no legitimate e-mail comes through after hours. Nada, Zip, Zilch. There were a few marketing messages but primarily what does come through in the wee hours of the night -Spam, spam and more spam. Just like the Monty Python sketch it is spam with spam and a side of spam with extra spam if you want it.

This has led me to the idea of setting up ‘office hours’ for inbound e-mail.

I know that the FortiGate firewall’s we use and suggest to customers have an easy to implement ‘schedule’ feature for each firewall policy. I have used this feature before to limit access to certain features like the SSL-VPN for business hours. Why leave the door open to a hacker after hours. Using a schedule to block this feature is like pulling down the security bars you see in the mall. Using this same feature you could restrict inbound e-mail to reasonable hours. Open the SMTP port an hour or two before the office opens and cut it off after 10:00 PM or whatever is reasonable for your company. If the sending mail server is legitimate it will re-try and either succeed when your mail server is available or bounce the message back to the sender. If it is a spammer they will either waste time trying to connect to a mail server that can’t respond or just skip past your mail server and go on to someone else. This has the added advantage of giving your anti-spam service time to catch up to the latest campaigns and be ready for them when the doors open in the morning. Note that this is just for inbound e-mail and not outbound so your Network Management Systems – like WhatsUp Gold – can still send you a page after midnight if there is an issue on your network after hours.

What do you think – is this a workable approach?

- Shaun

Merry Malware – Tis the season for postcards

admin — Fri, 12 Dec 2008 20:31:55 +0000

Well it’s that time of year again when your thoughts turn to family and friends and you want to ‘reach out’ to them with a nice greeting card – either Xmas or New Years. If you get or give an electronic version all the better as you save on postage and don’t have to wait for snail mail.

We aren’t the only ones thinking of others at this time of year and by that I mean the malware writers. Every year at the holidays we see an upsurge of ‘postcard ware’ based malware. They look like a e-card from a loved one so you are enticed to open them up and while some do display a pretty picture or a play a nice tune in the background they are infecting your pc.

Some recent sample are posted on the Microsoft Malware blog so you can see the pictures without having to get infected.

http://blogs.technet.com/mmpc/archive/2008/12/02/merry-malware.aspx

http://blogs.technet.com/mmpc/archive/2008/12/04/o-come-all-ye-malware.aspx

While many of the e-cards sent at this time of the year are legitimate and sent with the best of intentions it is up to you to double check with the supposed sender if they really did send you one and if you don’t recognize the from e-mail address then don’t open it no matter how tempting it looks.

- Shaun

It pays to get a second opinion on Free Online Virus Scanners

admin — Mon, 08 Dec 2008 16:50:44 +0000

You have renewed your anti-virus product faithfully, visit the patch site for your operating system regularly and practice what you believe is safe surfing habits, don’t notice your system running slow but it is still a great idea to get a second opinion.

Once in a while – say every 6 months – why not get a second opinion on if your computer is infected with something that your existing anti-virus product may have missed? It is also handy to have a list like this just in case you do notice something wrong with your computer (slowdown or unexpected pop-ups or error messages) and your existing up to date AV solution doesn’t set off the warning sirens.

Free Online Virus Scanners (in no particular order):

The above online scanners may not be able to remove something nasty – they do want you to upgrade to the full products after all – but they will give you an good idea if there is something nasty lurking on your computer. Where one will tell you your infected the next may be able to quarantine the infection – that is why there are so many links. Watch out for ‘market speak’ or some hype as most online scanners will report browser tracking cookies as an infection when in reality they are harmless text files that do not contain computer code.

Keep your computer infection free and not a member of the bot army.

- Shaun