Phishing Lessons

Norton Safe Web Lays An Egg

Monday, January 5th, 2015

Users of any Norton product (owned by Symantec) are running into some very strange errors when trying to access OnlyMyEmail’s web site lately.

In fact, they’re being told that we’re a malicious infected malware site and cannot be trusted.

Pretty startling, given our beyond stellar reputation as the most accurate spam filtering system on the Internet since we launched in 2003, winning awards from PC Magazine, PC World and blocking more spam than any other filter ever tested by the Virus Bulletin VBSpam Competition.

What dangerous and malicious ill-willed behavior are we up to over here recently?


OpenSSL Heartbleed Exploit: What To Know

Friday, April 11th, 2014

We’ve had questions regarding OnlyMyEmail’s spam filtering and email hosting services and how they might be affected by the recent HeartBleed exploit within OpenSSL software.

As soon as the exploit was announced, OnlyMyEmail reviewed all of our systems and found that none of them have ever run any version of OpenSSL vulnerable to this exploit.

More information on the exploit itself, from http://heartbleed.com/:

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

As a result of this bug, it is possible that passwords on affected hosts are compromised, so it’s a good idea to change your password on any service that was affected. This Mashable article has a fairly comprehensive list of all the major services that are suggesting you change your password.

According to this article, the exploit was the result of an honest mistake and not part of a deliberate attempt to compromise the security of OpenSSL. The article also indicates that this bug has existed in OpenSSL since New Year’s Eve 2011.

Given the length of time that this bug has existed, and the fact that using this exploit is undetectable, it is quite possible that cyber criminals have been using this exploit for some time to gather information. Thus it’s a good idea to change your passwords on affected sites (and any sites that share that password) just to be safe.

ADP Payroll Invoice Spam/Virus

Monday, January 27th, 2014

There’s a very successful spam campaign out now spoofing legitimate ADP payroll invoice emails. They most commonly arrive as:

Subject:     Payroll Invoice
From:     “payroll@adp.com”

In reality, they come from previously infected personal computers spanning the globe.

An example of the above:

from 60-240-131-86.static.tpgi.com.au ([60.240.131.86])

(envelope-from <photojournalistvi@wetleather.com>)

It doesn’t take a trained email professional to realize that’s not ADP emailing.
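The comparison the example above relies on, as an added sketch that is not OnlyMyEmail's filtering code: it checks whether the connecting host and the envelope sender in the topmost Received header fall under the domain claimed in From. The sample message is constructed from the values quoted above, and the function names and the assumption that the topmost Received header was written by your own mail server in this format are illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header values quoted in the post, laid out as a raw message.
SAMPLE = (
    "Received: from 60-240-131-86.static.tpgi.com.au ([60.240.131.86])\n"
    "\t(envelope-from <photojournalistvi@wetleather.com>)\n"
    "From: payroll@adp.com\n"
    "Subject: Payroll Invoice\n"
    "\n"
    "body\n"
)

def under(host, domain):
    """True if host equals domain or is a subdomain of it (label-aligned)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def spoof_indicators(raw):
    """Return a list of mismatches between the From domain and the delivery path."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not from_domain:
        return ["no parsable From address"]
    # Assumption: the topmost Received header was added by our own MX,
    # so its 'from' host and envelope-from were not written by the sender.
    top = (msg.get_all("Received") or [""])[0]
    findings = []
    host = re.search(r"from\s+(\S+)", top)
    if host and not under(host.group(1), from_domain):
        findings.append(f"relay {host.group(1)} is not under {from_domain}")
    env = re.search(r"envelope-from\s+<([^>]*)>", top)
    if env:
        env_domain = env.group(1).rpartition("@")[2]
        if not under(env_domain, from_domain):
            findings.append(f"envelope sender {env_domain} is not under {from_domain}")
    return findings

if __name__ == "__main__":
    for finding in spoof_indicators(SAMPLE):
        print(finding)
```

Legitimate senders also relay through third-party hosts, so a mismatch here is a signal to weigh rather than a verdict; SPF, DKIM and DMARC evaluation are the standard checks for the same question.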


Your AT&T wireless bill is ready to view

Sunday, March 10th, 2013

A lot of spam and Phishing campaigns rely upon tricking the recipient into thinking they’ve received a billing error from an otherwise legitimate source. The latest of these claim to be from AT&T Wireless, and arrive with realistic sending addresses and subject lines, such as:

Subject:     Your AT&T wireless bill is ready to view

From:     “AT&T Customer Care” <icare7@amcustomercare.att-mail.com>

In reality, the sending addresses are spoofed, and these are instead sent by previously infected computers and hijacked servers, but that fact is not readily apparent to the typical email user.

What makes these types of emails so convincing is that the spammers are doing a much better job than they used to in terms of making these faked billing emails appear legitimate, such as this example we’ve seen a lot of lately:


Receipt for your PayPal payment to WHO?

Monday, March 4th, 2013

We fondly remember the days when PayPal Phishing frauds were easily spotted by their subject line alone. The urgent warnings about your compromised account made identity theft emails almost trivial to identify.

But, as with all things technology, the lame Phishing attempts too have evolved, and they’re snaring even users with moderate technology skills. The latest evolution of the PayPal identity theft fraud relies on the user’s reaction to what appears to be a standard account notice. The subject line is a receipt for payment, but to a seller with which you have not conducted a valid transaction, such as:

Subject:     Receipt for your PayPal payment to Soo Duk Lee

The email itself contains standard language like:

You sent a payment of $149.49 USD to Soo Duk Lee (commercializesa8@datkin.net)

Thanks for using PayPal. To see all the transaction details, log in to your PayPal account.

and

It may take a few moments for this transaction to appear in your account.

Here’s a complete copy of such a fraud:


The Better Business Bureau Trojan Horse

Thursday, February 21st, 2013

With the fake Better Business Bureau Trojan Horse campaign, we find yet another infectious email that is socially engineered so well that users often release such messages from quarantine, even after spam filtering has clearly identified the emails as a virus-carrying Trojan Horse.

The emails typically arrive with spoofed headers such as:

Subject:     FW: Complaint Case 091921
From:     “Better Business Bureau” <Kerri_Rucker@newyork.bbb.org>

In order to appear legitimate and to try and evade simple spam filtering systems, the Complaint Case number will be randomized, and the spoofed sending email address will vary as well.

The content will include vague yet serious sounding allegations, such as:

The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.

A full copy of such a bogus email:


Another VBSpam Competition First Place Finish

Sunday, January 20th, 2013

For the thirteenth consecutive evaluation, OnlyMyEmail has again blocked more spam than any other filtering system in the Virus Bulletin VBSpam Challenge and secured yet another first place finish.

The latest competition ran for 16 consecutive days, during which OnlyMyEmail’s MX-Defender accurately filtered out more spam than all other competitors tested, again missing just 1 spam email out of 92,166 total. This represents a spam capture rate of 99.9989%.

By comparison, the next best capture rate belonged to Libra Esva, which missed 44 emails in total. The third best blocking rate went to Zerospam, which missed 61 spam emails from the same corpus. The worst performers, missing well over 500 spam emails, included: IBM, Sophos, SPAMfighter, Vamsoft, Spamhaus ZEN+DBL and SURBL.


Your order is awaiting verification! – Staples Virus

Monday, January 14th, 2013

Sometimes spam, viruses and Trojan Horse emails are so convincing that they manage to trick users even after spam filtering has clearly identified the emails for their true nature.

The recent spate of bogus “Your order is awaiting verification!” emails claiming to be from Staples office supplies is a pretty good example.

Despite being clearly marked as viruses, we’ve seen many users attempt to resend these blocked messages to themselves, apparently believing that our blocking these messages represents a false-positive result on the part of our filtering, whereas the opposite is the case.

The emails typically arrive with spoofed headers such as:

Subject:     Your order is awaiting verification!
From:     “Staples Advantage Orders” <Order@staplesadvantage.com>


REMAX “Hot Properties” Email Phishing Fraud

Sunday, November 18th, 2012

One of the most effective tactics in use by spammers today is the hijacking/theft of legitimate users’ email accounts for use in furthering spam campaigns.

There are actually four distinct reasons why it is so powerful for spammers to be able to send spam from a previously legitimate user’s email account:

  1. Once the account is stolen, the spammer’s software can read through the address book, inbox, sent mail and all other folders, scraping the email addresses of people the legitimate user has corresponded with in the past. These addresses then make excellent targets for sending spam.
  2. Email from actual AOL, Gmail, Hotmail, Yahoo and other ubiquitous email services is much less likely to be blocked by spam filtering systems.
  3. Even when a spam filter correctly recognizes that an email is spam, end users often have added such senders to their Allow or White lists, thus forcing delivery from the now compromised account.
  4. Further, recipients commonly retrieve spam from their filtering system when they recognize the sending address, but don’t realize the sender’s account has been compromised.

When you add it all up, there really is no better method of getting your spam delivered, and then actually opened by the target recipient.


Mailbox Closure Warning!!! – Google Docs Email Theft

Tuesday, May 29th, 2012

The latest abuse of Google Docs for email theft appears in your inbox as:

Subject:     Mailbox Closure Warning!!!

or

Subject:     WEBMAIL ADMIN.ntc

If that manages to grab your attention, the content of the message goes further:

Helpdesk requires you to upgrade webmail by Clicking

https://docs.google.com/spreadsheet/viewform?formkey=dGkzVVg4WGlMaWFpaGdYcG1wVlV4cVE6MQ

This Message is From Helpdesk. Due to our latest IP Security upgrades we have reason to believe that your webmail account was accessed by a third party. Protecting the security of your webmail account is our primary concern, we have limited access to sensitive webmail account features. Failure to revalidate, your e-mail will be blocked in 24 hours.

Thank you for your cooperation.
