Email Client Fraud 

Aug 19, 2009 07:23 PM

Fraudsters are constantly devising new ways to deceive Internet users. Symantec recently observed an increase in phishing attacks, facilitated by spam email messages, that target users of a popular email client application. The spam message asks the intended victim to re-configure the email client by clicking the link provided in the email. Earlier phishing messages in this campaign instead carried a malicious file attached as the setup program for the bogus update.


The recent spam email messages, in an attempt to appear legitimate, also provide a contact number for any queries regarding the update:

“If you have received this message in error, please notify us immediately by calling (310) xxx-6428 and destroy the related message.”

The spam emails have bogus From and Subject headers such as (but not limited to):

From: Mlcrosoft Outlook
Subject: Please re-configure your Microsoft Outlook again!
Subject: Outlook Express Setup Notification

If the link in the recent fraud email is clicked, it takes the intended victim to a phishing Web page that falsely claims to be from the software product team and notifies users of a recently released update for the software:


As the above snapshot shows, the phishing Web page asks the intended victim to download an important update for the email application (KB910721), which is in fact a malicious application file developed by the fraudsters. The page also claims that the update is critical and will bring the email application to the latest version with the highest level of stability and security.

Some of the phishing URLs observed so far are:

(The domain names of the URLs have been removed)

hxxp://XXXXXX.1ikij.net/XXXXXX/isapdl/default.aspx
hxxp://XXXXXX.1ljfki1.com/XXXXXX/isapdl/default.aspx
hxxp://XXXXXX.fekkil.net/XXXXXX/isapdl/default.aspx
hxxp://hyweasqx.net/microxxxxxxxxxupdate/isapdl/default.aspx/ofxxxxp-KB910721-FullFile-ENU.exe
hxxp://hyweasqx.com/microxxxxxiceupdate/isapdl/default.aspx/ofxxxxp-KB910721-FullFile-ENU.exe
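As an added illustration (not part of the original post and not Symantec's own tooling), the following Python checks a raw email message against the indicators discussed above: a look-alike "Mlcrosoft" From display name, the two lure subjects, and the /isapdl/default.aspx and KB910721-FullFile-ENU.exe fragments shared by the phishing URLs. The sample messages, the example.invalid hosts and the file name in the sample link are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Lure subjects and URL fragments taken from the campaign described above.
LURE_SUBJECTS = [r"re-?configure your (microsoft )?outlook",
                 r"outlook express setup notification"]
LURE_URL_FRAGMENTS = [r"/isapdl/default\.aspx", r"KB910721-FullFile-ENU\.exe"]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def mimics_microsoft(display_name):
    """True when the name only reads as 'Microsoft' after folding look-alikes (l, 1, | -> i; 0 -> o)."""
    raw = display_name.lower()
    folded = re.sub(r"[l1|]", "i", raw).replace("0", "o")
    return "microsoft" in folded and "microsoft" not in raw

def message_text(msg):
    """Decoded text of every text/plain or text/html part (walk() yields a non-multipart message itself)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def score_message(raw_rfc822):
    """Return the list of reasons a message resembles the Outlook-update lure (empty if none)."""
    msg = message_from_string(raw_rfc822)
    reasons = []
    name, _ = parseaddr(msg.get("From", ""))
    if mimics_microsoft(name):
        reasons.append("From display name mimics Microsoft: " + name)
    if any(re.search(p, msg.get("Subject", "").lower()) for p in LURE_SUBJECTS):
        reasons.append("Subject matches campaign lure")
    for url in URL_RE.findall(message_text(msg)):
        if any(re.search(p, url, re.IGNORECASE) for p in LURE_URL_FRAGMENTS):
            reasons.append("link matches campaign URL pattern: " + url)
    return reasons

# Constructed samples (example.invalid hosts, placeholder file name), not real captures.
SAMPLE_PHISH = """\
From: Mlcrosoft Outlook <update@example.invalid>
Subject: Please re-configure your Microsoft Outlook again!
Content-Type: text/plain

Install the critical update (KB910721) for your email client:
http://update.example.invalid/update/isapdl/default.aspx/update-KB910721-FullFile-ENU.exe
"""
SAMPLE_BENIGN = "From: Alice <alice@example.invalid>\nSubject: Lunch?\n\nMenu: http://www.example.invalid/menu\n"
```

Calling score_message(SAMPLE_PHISH) returns three reasons (From name, Subject and link), while score_message(SAMPLE_BENIGN) returns an empty list; a mail gateway could log or quarantine on any non-empty result.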

After clicking on the link, the following window appears, prompting the user to Run or Save the file.


If a user does download and install the malicious file, it then asks the intended victim to reconfigure the email account and requests the user's credentials: the email account username, password, and mail server name. This is the most critical part of the fraud, because it gives the fraudsters complete access to the user's email account and so facilitates the theft of important personal information (for example, credit card numbers, social security numbers, bank account numbers, etc.).

Unlike traditional phishing attacks that target social networking or online-banking websites, login credentials alone are not sufficient to gain control of an email client application; the mail server information is also required to access the intended victim's mail account. With both, the fraudsters can read the victim's email and steal critical information, or use the account for further spamming activity.

The malicious file in some of the links was detected as W32.SillyFDC. The malicious code may also attempt to copy itself to removable drives and create the following file so that the worm runs every time the removable drive is attached to a computer:

[REMOVABLE DRIVE]:\Autorun.inf

So, what can you do to protect yourself and your information? Always maintain a level of caution regarding any message from within a website or that appears to be sent by a website. If you do click a link, double-check the actual domain shown at the top of the page. It is a best practice to type the Web address directly into your address bar rather than relying on links from a message.

1. Maintain an up-to-date browser and operating system. Use security software such as Norton Internet Security 2009. Check out Web safety services such as Norton Safe Web, where a community of Web users collaborates to report dangerous phishing and malware sites.

2. Be suspicious of requests to enter your account name and password.

3. Do not open suspicious attachments or links unless you are completely sure of the authenticity of the source of communication.

Also, Microsoft has an online policy regarding the type of fraudulent emails that have been discussed here. Users can review the Microsoft policy, here: http://www.microsoft.com/protect/yourself/phishing/msemail.mspx

*Note: My thanks to the co-author of this post, Ashish Diwakar.
