E-mail Phishing Attempts Get Trickier: Fake bounced mail and Fake mail-from-scanner

Posted on 2 minute read

× This article was imported from this blog's previous content management system (WordPress), and may have errors in formatting and functionality. If you find these errors are a significant barrier to understanding the article, please let me know.

Two phishing ((I think these would be classified as spear phishing as defined by Webopedia: "A type of phishing attack that focuses on a single user or department within an organization, addressed from someone within the company in a position of trust and requesting information such as login IDs and passwords. Spear phishing scams will often appear to be from a company's own human resources or technical support divisions and may ask employees to update their username and passwords. Once hackers get this data they can gain entry into secured networks. Another type of spear phishing attack will ask users to click on a link, which deploys spyware that can thieve data.")) attempts made it through the work spam filter earlier this month, and they show the creativity of bad guys as they try to get access to your machine. The attempts at social engineering were interesting enough I thought I'd describe them here. We're getting pretty close the line where we can't tell a legitimate e-mail from ones with nasty side effects.

The Fake Bounced Message

This message has the appearance of being a bounced e-mail from a server called 'cyber.net.pk'.
[caption id="attachment_3460" align="aligncenter" width="617" caption="Screenshot of a fake bounced e-mail message."]Screenshot of a fake bounced e-mail message.[/caption]
There is, in fact, a server called 'cyber.net.pk' (.pk is the country code for Pakistan), but if you look at the IP address in the headers of the message it is actually a computer in China (127.72.91.188, or "188.91.72.124.board.xm.fj.dynamic.163data.com.cn").

Received: from cyber.net.pk (124.72.91.188) by mail.lyrasis.org (10.10.10.2) with Microsoft SMTP Server id 8.1.436.0; Sun, 16 Oct 2011 06:48:44 -0400

The payload is in the 'document.zip' file. I downloaded it without opening it, and uploaded it to the Microsoft Malware Protection Center. It told me that it was a version of Mydoom -- an old e-mail worm that installs a backdoor on your computer. Mydoom is listed on Wikipedia as dating from early 2004, so maybe this isn't all new -- but this is the first one I've seen leak through the e-mail firewall in quite some time.

Fake Scanner-to-Email Message

This one piggybacks on the capabilities of newer networked scanners and all-in-one printers to send copies of documents by e-mail.
[caption id="attachment_3461" align="aligncenter" width="619" caption="Screenshot of a fake e-mail message from a networked scanner."]Screenshot of a fake e-mail message from a networked scanner.[/caption]
This one looks like a document from one of our internal HP printers. The give-away here, though, is that the message asks the user to follow a link to retrieve the document. The real hardware just sends the document as an attachment. (There also isn't such a thing as an HP Officejet 88824A.) It isn't beyond the capabilities, though, for bad guys to combine this attack path with the document attachment one above and make you think you were received a document from a network scanner. The lesson to be learned here, I expect, is that you shouldn't open documents that appear to come from networked scanners unless you have sent the document yourself. If it appears to come from someone else, call that person and ask if they really sent it.

In short -- be careful out there everyone, and if you see something suspicious or unexpected, ask someone about it. (Oh, and keep your anti-virus and internet security software updated!)