Nastygram: 'A new settings file'
Security Fix is debuting "Nastygram," a short, hopefully regular feature alerting readers about some of the latest, sneakier e-mail scams. Each report will include a graphic at the top like the one in this blog post, which explains what readers should do with these missives.
One particularly insidious and persistent nastygram of late is a message that will look like it was sent by your company's internal IT folks, and carries the subject "A new settings file for the [insert address of someone on your employer's network]". To increase the appearance of legitimacy, the message includes your company's domain name throughout the message. The link embedded in the message is made to appear as though it will take you somewhere on your employer's domain.
In the old days, you could tell where a link was leading just by hovering over it with your mouse. Nowadays, the bad guys make their links long enough so that the real destination domain gets pushed off the screen. But if you were to cut and paste the link into a text editor, you'd see your company's domain is not the real destination in this particular scam link. Remember, the most important component in a link is the last domain name in its host portion, the part between "http://" and the first slash that follows. In this example e-mail, the destination domain is vvverfe.co.uk (bolded):
The actual destination site tries to load the Zeus/Zbot Trojan onto your system. Zeus is an advanced strain of malicious software designed to steal online banking passwords and other credentials.
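The "last domain name" check described above can be automated in a mail filter or a triage script. The following is an added example, not code from the original post: `example.com` stands in for the employer's domain, the sample links are constructed, and the small suffix set is an assumed stand-in for the full Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List, enough for this demo.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

def registrable_domain(url):
    """Return the domain that actually receives the request, or None."""
    try:
        # .hostname drops scheme, userinfo ("user@"), port, path and query
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return None
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return host  # a bare IP address has no domain to shorten
    except ValueError:
        pass
    labels = host.split(".")
    # Keep three labels when the last two form a known public suffix.
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def check_link(url, company_domain):
    """Classify a link against the domain it claims to belong to."""
    real = registrable_domain(url)
    if real is None:
        return ("unparseable", None)
    if real == company_domain.lower():
        return ("internal", real)
    # Company name is present in the link, but the request goes elsewhere.
    if company_domain.lower() in url.lower():
        return ("lookalike", real)
    return ("external", real)

# Constructed sample links; example.com stands in for the employer's domain.
SAMPLES = [
    "http://mail.example.com/owa/settings",
    "http://mail.example.com.vvverfe.co.uk/owa/settings.php?email=user@example.com",
    "http://example.com@vvverfe.co.uk/settings",
    "http://vvverfe.co.uk/index.html",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_link(link, "example.com"), link)
```

The second and third samples both mention the employer's domain, as a leading subdomain and as a fake username respectively, yet both resolve to vvverfe.co.uk and are flagged as lookalikes.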
Below is a redacted snapshot of what this e-mail looked like in my Outlook inbox:
October 23, 2009; 11:35 AM ET
Categories: Latest Warnings, Safety Tips | Tags: a new settings file, nastygram, zeus