
Nastygram: 'A new settings file'

[Image: delete.JPG]

Security Fix is debuting "Nastygram," a short, hopefully regular feature alerting readers about some of the latest, sneakier e-mail scams. Each report will include a graphic at the top like the one in this blog post, which explains what readers should do with these missives.

One particularly insidious and persistent nastygram of late is a message that will look like it was sent by your company's internal IT folks, and carries the subject "A new settings file for the [insert address of someone on your employer's network]". To increase the appearance of legitimacy, the message includes your company's domain name throughout the message. The link embedded in the message is made to appear as though it will take you somewhere on your employer's domain.

In the old days, you could tell where a link was leading just by hovering over it with your mouse. Nowadays, the bad guys make their links long enough so that the real destination domain gets pushed off the screen. But if you were to cut and paste the link into a text editor, you'd see your company's domain is not the real destination in this particular scam link. Remember, the most important component in a link is the last domain name in it. In this example e-mail, the destination domain is vvverfe.co.uk (bolded):

https://webmail.wpni.com/exchweb/bin/redir.asp?URL=http://wpni.com.vvverfe.co.uk/owa/service_directory/settings.php?email=[redacted]@wpni.com%26from=wpni.com%26fromname=[redacted]
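To make that rule concrete, here is an added Python example (not code from the post) that takes the scam link quoted above, walks the redirector's URL= parameter to the real destination and compares the registrable domain of where the click lands with the company's own domain, wpni.com. The link is the one shown above with its redacted fields kept as placeholders; the small public-suffix table is an assumption standing in for the full list a real checker would load.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# The scam link quoted in the post, with its redacted fields left as the
# placeholder text the post shows.
SAMPLE_LINK = (
    "https://webmail.wpni.com/exchweb/bin/redir.asp?URL="
    "http://wpni.com.vvverfe.co.uk/owa/service_directory/settings.php"
    "?email=[redacted]@wpni.com%26from=wpni.com%26fromname=[redacted]"
)

# Assumption: a tiny stand-in for the public-suffix list. A real checker
# would load the full list so that 'vvverfe.co.uk' and 'example.com' are
# both recognised as registrable domains.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

EMBEDDED_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host):
    """Return the part of a host name that a registrant controls, i.e. the
    'last domain name' the post tells readers to look at:
    'wpni.com.vvverfe.co.uk' -> 'vvverfe.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def hop_chain(link):
    """Return every host a click would pass through, outermost first: the
    redirector itself, then each absolute URL found in a query parameter,
    repeated until no further URL is embedded."""
    hosts, current, seen = [], link, set()
    while current and current not in seen:
        seen.add(current)
        parsed = urlparse(current)
        if not parsed.hostname:
            break
        hosts.append(parsed.hostname)
        current = None
        for values in parse_qs(parsed.query, keep_blank_values=True).values():
            # parse_qs already decoded once; decode again so a double-encoded
            # URL (%2526 -> %26 -> &) is still found.
            found = [EMBEDDED_URL.search(unquote(v)) for v in values]
            found = [m.group(0) for m in found if m]
            if found:
                current = found[0]
                break
    return hosts


def assess(link, company_domain):
    """Compare what the link mentions with where it actually lands."""
    hosts = hop_chain(link)
    if not hosts:
        return None
    final = hosts[-1]
    return {
        "hosts": hosts,
        "final_host": final,
        "final_registrable": registrable_domain(final),
        # the naive check the scam is built to pass: the company name appears
        "mentions_company": company_domain.lower() in link.lower(),
        # the check that actually matters: same registrable domain
        "actually_internal": registrable_domain(final)
        == registrable_domain(company_domain),
    }


if __name__ == "__main__":
    for hop in hop_chain(SAMPLE_LINK):
        print(f"{hop:35s} -> {registrable_domain(hop)}")
    print(assess(SAMPLE_LINK, "wpni.com"))
```

Run as a script it lists both hops, webmail.wpni.com and wpni.com.vvverfe.co.uk, and reports that the link mentions the company everywhere but lands on vvverfe.co.uk. The same `assess` call is what a mail gateway or a browser extension would run on each link before a user sees it.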

The actual destination site tries to load the Zeus/Zbot Trojan onto your system, which is an advanced strain of malicious software designed to steal online banking passwords and other credentials.

Below is a redacted snapshot of what this e-mail looked like in my Outlook inbox:

[Image: zmailedit.jpg]

By Brian Krebs  |  October 23, 2009; 11:35 AM ET
Categories: Latest Warnings, Safety Tips | Tags: a new settings file, nastygram, zeus

Comments

Thanks very much, Brian, for what looks like a great service.

Posted by: Bartolo1 | October 23, 2009 1:35 PM

Another way is to do (from MS-Outlook):

File --> Send --> Page by E-mail ...

>

Then do the "hover over the link & read it carefully" ... I have many of those eMails from banks (where I have *never* done business) tell me to update, adjust, or repair my settings. ... Guess what? The final links usually point to bank branches in the Ukraine. ... Enjoy.

Posted by: chopinecale | October 23, 2009 3:14 PM

Well, comment editor zapped the above comment ... Correction attached:

Another way is to do (from MS-Outlook):

File --> Send --> Page by E-mail ...

-------- Open in MS-Word -------

Then do the "hover over the link & read it carefully" ... I have many of those eMails from banks (where I have *never* done business) tell me to update, adjust, or repair my settings. ... Guess what? The final links usually point to bank branches in the Ukraine. ... Enjoy.

Posted by: chopinecale | October 23, 2009 3:16 PM

I have to say that despite being a long-time security consultant, that link is even difficult for me to recognize as illegitimate without a deep look. Sure, those educated in the finer details of URL address forms can catch it, but the level of obfuscation is getting pretty sophisticated to make it extremely difficult for even experienced users.

Posted by: figgy_va | October 23, 2009 3:38 PM

Maybe I'm missing something, but I don't think "the most important component in a link is the last domain name in it". The important part of that link is right at the beginning:

https://webmail.wpni.com/exchweb/bin/redir.asp

Isn't the problem that redir.asp even exists?

Posted by: nojunkmail2 | October 23, 2009 4:32 PM

@nojunkmail2 -- Touché, sir. in links.
But I believe that redirection is the behavior of all OWA clients, although I'm not certain why that's the case. I'm also not sure there is anything one can do to change that behavior from the server or user side (aside from using another mail client/infrastructure).

It is true that the redirect makes it that much more difficult, but the point was to educate people about what to look for in links.

Posted by: BTKrebs | October 23, 2009 5:30 PM
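As an added example of the server-side fix this exchange circles around (it is not OWA's code and not from the post), the following Python function shows how a redirector like redir.asp can refuse to send a user anywhere except an allowlisted host. The allowed host names are assumptions for the example; the rejected inputs include what the scam's URL= parameter decodes to, taken from the link in the post.

```python
from urllib.parse import urlparse

# Assumption: the hosts this mail server is willing to redirect to.
ALLOWED_REDIRECT_HOSTS = {"webmail.wpni.com", "wpni.com"}

# Taken from the scam link in the post: what its URL= parameter decodes to
# (query string dropped).
SCAM_TARGET = "http://wpni.com.vvverfe.co.uk/owa/service_directory/settings.php"


def safe_redirect_target(target, allowed_hosts=ALLOWED_REDIRECT_HOSTS, default="/"):
    """Return `target` only if following it keeps the user on an allowed host;
    otherwise return `default` (the server's own landing page)."""
    if not target:
        return default
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        # A plain relative path is fine, but scheme-relative ('//evil.example')
        # and backslash forms are not: browsers treat those as absolute.
        if target.startswith(("//", "\\", "/\\")):
            return default
        return target
    if parsed.scheme not in ("http", "https"):
        return default          # javascript:, data:, mailto:, etc.
    host = parsed.hostname      # lower-cased, user-info stripped by urlparse
    if host is None or host.lower() not in allowed_hosts:
        return default          # also catches https://webmail.wpni.com@evil
    return target


if __name__ == "__main__":
    for candidate in (SCAM_TARGET, "https://webmail.wpni.com/owa/", "/owa/inbox",
                      "//evil.example/x", "https://webmail.wpni.com@evil.example/"):
        print(f"{candidate!r:55s} -> {safe_redirect_target(candidate)!r}")
```

With this check in front of the redirect, the scam's link would land on the mail server's own front page instead of the Trojan site, and the "company domain in the link" trick buys the sender nothing. The comparison is on the exact host name, not a substring, which is what stops wpni.com.vvverfe.co.uk from passing.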

Brian

Thank you very much.

Be looking for these future releases of Nastygram/redir.asp LOL

Posted by: brucerealtor@gmail.com | October 25, 2009 9:23 AM

'The final links usually point to bank branches in the Ukraine.'

I think you didn't mean this. ;)

Posted by: Rixstep | October 26, 2009 5:35 PM

First a small geo-political point for chopinecale. It's not 'the' Ukraine. It's a country: Ukraine. More importantly, while it's entirely possible that many of the scam emails you get are from Ukraine (it's not the most ethical land on the planet), it's quite unlikely the mail is coming from Ukrainian banks.

Posted by: michaeldetroit | October 28, 2009 12:21 PM


© 2010 The Washington Post Company