Thanks to Fraser Howard of SophosLabs for his work on this article.
We often hear people saying, “I back myself to spot all the phishes that come my way.”
That’s because many phishing emails contain tell-tale mistakes that arouse suspicion.
Sometimes, there’s a phrase that a native speaker of your language would simply never use, or a truly unusual spelling mistake, or a phone number in the wrong format.
Often, emails that are supposed to be addressed to you as a paying customer start with the impersonal salutation Dear Sir/Madam.
Or they refer to your address only in a very vague and unlikely way, such as Sydney, New South Wales or West Midlands, England.
Unfortunately, if that’s all you are looking out for, you may be at risk from phishing campaigns that put in even the slightest extra effort to “look right.”
Here’s an example that we saw recently that took sufficiently many people by surprise that the BBC went as far as publishing a general warning about it.
When preparing this article, we limited ourselves to a random selection of emails from this campaign, which had targeted people all over the UK, only to find that our sample included someone from Abingdon in Oxfordshire, our very own neck of the woods:
Make no mistake, there are numerous things wrong with this email.
Residents of the UK are entirely used to British currency and its quirky symbol, so they’d write £, not GBP. (And the pound sign goes first, like an American $1, not at the end, like a French 1€.)
Dates in the UK are written with the day first, and often (very annoyingly) with just two digits for the year, as they are here, but they’re usually separated with strokes, so that today would be 14/04/16 rather than 14.04.16.
Writing “forward the payment and transfer the amount” is not only repetitious but confusing; the words “original invoice” should probably have a pronoun or an article such as “your” or “the”; and so on.
But the addresses are spot on in their look, and, as far as we know, are also spot on in correctness.
Our guess, from their consistency in format across this phishing campaign, is that they’re standardised addresses acquired from some earlier data breach.
They were certainly enough to get your attention if you received one of these emails.
The amounts and the names of the creditors vary through the campaign, and they often don’t quite look right, because some of the charges seem unlikely given the services allegedly being billed, so we suspect they’ve been generated randomly.
Nevertheless, they’re realistic enough to get you worried about a debt you apparently haven’t paid.
The web links are spread all over the place, but the ones in our random sample all seemed to be perfectly legitimate sites that had been hacked to provide trustworthy-enough landing pages for the crooks.
Hard to find fault
It’s hard to find fault with any recipients who clicked through, given that they probably only wanted to find out more about the alleged debt in order to contest it.
After all, the minor orthographic errors listed above are hardly unusual these days.
Many companies outsource tasks such as support, invoicing, payment processing and debt collection, perhaps using global service providers overseas that don’t follow local usage patterns perfectly anyway.
If you did click through, you’d reach a surprisingly simple but clever trick, no doubt implemented by the crooks to frustrate automatic investigation and analysis by security companies:
CAPTCHAs are widely disliked but hardly unusual these days.
After solving the CAPTCHA, a well-informed user would, we hope, go no further, and delete the ZIP as suspicious.
That’s because the ZIP files used in this campaign contained a .SCR file, rather than the document or spreadsheet you might expect.
The ZIPs in this case are blocked by Sophos products as Mal/DrodZp-A.
The SCR files are blocked as Troj/Ransom-CSQ.
Strictly speaking, .SCR files are Windows screensavers, but screensavers are actually just a special sort of Windows application, so the download is actually asking you to unzip and run a program, not to view a document.
If you’re cautious about files like .DOC and .PDF in unsolicited emails, you should be trebly cautious of Windows executables (software programs).
You won’t be surprised to see what happens if you keep on going and open the .SCR file:
The Maktub ransomware (blocked by Sophos as Troj/Ransom-CSQ) follows the common pattern we have written about many times before: it scrambles your files with an encryption key known only to the crooks, and then offers to sell you back the key.
Interestingly, to distract your attention while the ransomware is doing its thing, and to give the impression that the .SCR file you just ran was a document after all, the malware fires up Microsoft Word and opens up what’s known as a decoy document that is hidden inside the malware:
There are no grammatical errors in this one, because the crooks simply ripped it off from Google (who, ironically, ended up in hot water because the new privacy policy was too vague):
What to do?
We’ve published an article entitled How to stay protected against ransomware to help you out with the ransomware part of this story:
Don’t forget, however, that the crooks behind a campaign like this can vary their malware payload whenever they like.
All they have to do is to change the contents of the ZIP file on one or more of the hacked computers from which they are “borrowing” bandwidth and server space.
They can vary the malware they serve up based on the time, your location, the browser you’re using, the operating system version you’re running, all of which are typically given away by your browser when you click a link.
(Even if that data weren’t provided as a matter of course by your browser, remember that, in this case, the crooks already know where you live.)
Consider the following precautions:
- Block or quarantine unusual file combinations at your email and web gateways, such as SCR-inside-ZIP files. In the unlikely event that someone you know asks you to trust a peculiar file of that sort, consider contacting them personally, for example by phone, to make sure it really came from them.
- Don’t rely on contact information provided along with a suspicious invoice to investigate whether the content is suspicious. Use a search engine or existing correspondence from the company to figure out which phone numbers or email addresses to use.
- Keep in mind that phishing emails don’t become legitimate simply by avoiding glaring errors. Targeted attacks don’t need a lot of personal information to look believable – and, anyway, the crooks can avoid language errors simply by ripping off professional writing from legitimate companies.
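As an added example (not code from the article or from Sophos), here is a gateway-side check in Python that quarantines a ZIP attachment when it contains a member with an executable extension such as .SCR, or a member whose bytes begin with the PE “MZ” header under an innocent-looking name like invoice.pdf. The sample ZIPs are constructed inline and contain no real malware; the extension list is an assumption you would tune to your own policy.

```python
import io
import zipfile

# Extensions Windows will run as programs; screensavers (.scr) are ordinary PE executables.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # every DOS/PE executable starts with these two bytes, whatever its name


def suspicious_members(zip_bytes):
    """Return [(member_name, reason)] for ZIP members that should be quarantined.

    A member is flagged if its (last) extension is executable, or if its content
    starts with the PE magic even though the name claims to be a document.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in EXECUTABLE_EXTS:  # catches double extensions such as invoice.pdf.scr too
                findings.append((name, f"executable extension {ext}"))
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC:
                findings.append((name, "PE header (MZ) under a non-executable name"))
    return findings


def should_quarantine(zip_bytes):
    """Gateway decision: quarantine the whole attachment if any member is suspicious."""
    return bool(suspicious_members(zip_bytes))


def _build_zip(members):
    """Construct an in-memory ZIP from {name: bytes} (test fixture, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: an SCR-inside-ZIP, a PE disguised as a PDF, and a benign PDF.
SAMPLE_SCR_ZIP = _build_zip({"invoice_14.04.16.scr": b"MZ" + b"\x00" * 62})
SAMPLE_DISGUISED_ZIP = _build_zip({"invoice.pdf": b"MZ" + b"\x00" * 62})
SAMPLE_BENIGN_ZIP = _build_zip({"invoice.pdf": b"%PDF-1.4\n% constructed placeholder"})

if __name__ == "__main__":
    for label, blob in [("scr", SAMPLE_SCR_ZIP), ("disguised", SAMPLE_DISGUISED_ZIP), ("benign", SAMPLE_BENIGN_ZIP)]:
        print(label, should_quarantine(blob), suspicious_members(blob))
```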
If in doubt…chuck it out.
By the way, if you’re still not convinced that cybercrooks and malware are a problem in the Linux world, have a listen to our When Penguins Attack podcast.
Anonymous
Microsoft probably ought to make it harder to install screensaver files. How many people download new screensavers these days? Of course, then they’d just pick some other format to distribute their ransomware.
Matt
You’re working too hard. Debt collection can’t be done via email, at least in the U.S.
Paul Ducklin
I’ve tried to verify your claim that debt collection can’t be done via email in the USA, but as far as I can tell, that’s not true.
My (admittedly brief) reading suggests that many debt collectors don’t use email, at least not for anything relating to settling a debt, presumably because they aren’t comfortable with the legal strength of any arrangements they reach by email.
Perhaps that means that if they do contact you by email you are legally entitled to ignore them, but that’s not the same as saying that *any* mail claiming to relate to a debt or an invoice must automatically be a fraud. Any US attorneys here who could comment on this?
jkwilborn
As a retired police officer, I can give my view of this. How do you know who is getting this e-mail? No way to legally determine if the item has been accepted by the proper person. Generally, you must notify them before any action (civil) can be taken.
delayedthoughtengineering
I was surprised at the implied suggestion to flag a message based on a strange date or currency format. I have received official documents in the past that had bizarre date formats, including the period delimiters shown in the document in this article. Further, I have received multiple official documents that replaced the prefix “$” with the suffix “USD”.
The worst part has to be when you call into the official organization that sent the document, to verify its legitimacy, only to be told that the account has been sent to an agency, and being politely and firmly told that they can no longer discuss the matter with you, at all. Click.
Hello? Are you still there? What agency? What is their phone number? Hello?
Paul Ducklin
Actually, I made the same point in the article: “[T]he minor orthographic errors listed above are hardly unusual these days. Many companies outsource tasks such as support, invoicing, payment processing and debt collection, perhaps using global service providers overseas that don’t follow local usage patterns perfectly anyway.”
I don’t know what to suggest, other than that you consider reporting this sort of thing to the FTC, see what happens.
Bryan
“If you did click through, you’d reach a surprisingly simple but clever trick, no doubt implemented by the crooks to frustrate automatic investigation and analysis by security companies”
Don’t forget that apparent inconveniences like this are generally placed in front of things we *want*, so in an odd way it actually adds credibility to the ruse.
Great article Duck–lots of snake-oil antidote to swallow–thanks for the scoop.
Paul Ducklin
I agree. It’s almost as though a CAPTCHA legitimises a download, by signalling that it must be important enough to need protecting from crooks.
(The CAPTCHA in the screenshot really seems to work: putting in fake answers, whether close to correct or miles away, didn’t release the file. I don’t know if the simple CAPTCHA backend – I’m guessing some sort of PHP script uploaded to the hacked server – is something the crooks wrote for their own purposes, or if it’s some publicly available code from somewhere.)
jkwilborn
Linux is far from secure from malware. The user base would not produce the kind of returns (money) that they get from the Windows user base. Can’t beat the ol’ standard backups!
After listening to the audio, it seems like they are discussing what distribution methods they are using, not infected systems? If it’s operating properly it’s just doing what it’s supposed to do.
It should be titled “Malware Distribution via Servers” (which is also a stretch, as the server isn’t ‘infected’) instead of “Malware on Linux”…
Chris
I had one of these emails, although Gmail was clever enough to dump it into “Spam”, so my guard was already up when I read it. The inclusion of correct name and address details did make me sit up and take notice (I’d love to know where those came from!), although I wasn’t tempted to click the link. For one thing, the link (in my case) was to a Spanish web hosting company (odd!). For another, the name of the alleged debt recovery company isn’t mentioned in the email, which seems implausible – they only mention the company they claim to be acting for. Finally, the message title was simply my name rather than anything relating to what the message was supposed to be about. This is overdoing the “personal information” spin if you ask me.
Overall this is definitely a step “forward” (i.e. in the bad direction) in the sophistication of phishing attempts, in my limited experience.
Another twist – in the email I received, the email address of the sender included Glasgow, as in “false-name@something-something-glasgow.co.uk”. I did a lot of internet searching looking for hotels in Glasgow in the few days run up to the email arriving. Coincidence or not? I’d be interested in anyone else’s thoughts; I don’t know enough about this stuff to understand whether the crooks could somehow also be aware of recent browsing habits, or maybe the personal information was hacked from a travel website. Or they just picked at random and got lucky.
Paul Ducklin
I’m inclined to treat the “Glasgow” connection as a co-incidence.
The regularity in format of the addresses in the samples I saw suggests that the information that the crooks acquired came from some database where everyone’s address had been standardised. It doesn’t look like anything that was acquired directly from your recent use of your own computer.