They Are Out to Get You
If you live in a German-speaking region, then you might have received one or two strange emails last month, which were unlike the huge amount of regular spam often seen. The first type of odd email was multiple instances of alleged invoices that were sent as email attachments by local ISPs or other service providers. The disguised attachment had a .pdf.exe double extension, which was not an invoice document at all, but a Downloader. Some people thought it was a scam asking for payment for a service that was never received (which was not true in this case), but even so the decision to immediately delete the email was the right choice.
At the end of January, another strange email made its rounds. This one claimed to come from the Bundeskriminalamt (BKA), the federal police in Germany. The email text mentioned charges against the user for downloading illegal movies and software and referred to the attachment as a fax form for statements that had to be completed as soon as possible. Of course, this document wasn't legitimate, but instead was an instance of Trojan.Magvap.
By these examples, we can see why worm authors still use cleverly crafted emails as a propagation method. Because it works! This is, by all means, nothing new. Email mass mailing worms that use social engineering tricks to get propagated have been around for years. And ever since, various user education groups have been trying to teach users not to click on unknown or suspicious email attachments. Over the years, I have seen users acting with more caution when it comes to email attachments of unusual videos sent to them by strangers. Still, as the case of Trojan.Peacomm shows, even now not all users think twice before opening attachments.
In the example of these recent emails, the social engineering trick was especially devious. If the message is of a more threatening nature, like an overdue invoice or a charge of illegal activities, many users will react to the sophisticated lie and open the attachment. The fear is just too overwhelming.
Some users might even have such a guilty conscience that they voluntarily turn themselves in, as was demonstrated by an incident in Germany in 2005 (the article is available in German). A user who received a fake message (with a Sober variant) did indeed believe that the police had traced his illegal activities. He saw only one option – to turn himself in. Unfortunately, this benefit of exposing criminals because of mass mailers is rather limited.
So, next time you are about to execute a suspicious attachment, better think twice (or turn yourself in right away if you have something to hide). And remember: just because you are not paranoid, it doesn't mean that someone is not after you! Email worm authors are definitely out to get you.