Ok, you can substitute whatever agency name you want, but the storyis nearly always the same. A little while ago I blogged about AdvancedTDS, another Mpack-type clone and mentioned how professional some ofthe malware creators are becoming.
At the other end of the spectrum, we still have a large number ofamateurs in the game. The attempts that some of them make in theirsocial engineering trickery is abysmal, to say the least. Take thisexample of a spam email:
Dear Mr./Mrs. D####### P#######
This email was sent to inform you that your complaint case#278250765 filled with the FTC was successfully registered and postedin our Business Sentinel, a business complaint database maintained bythe U. S. Federal Trade Commission. The complaint that you have filledis now accessible to certified government law enforcement andregulatory agencies in ICPEN-member countries. Government agencies mayuse this information to investigate suspect companies and individuals,uncover new scams, and spot other such illegal activities.
Because the Internet marketplace is a borderless one, sharing yourcomplaint with government agencies in different countries will helpkeep the Internet safe. It will also help prevent others fromexperiencing the problem you have.
Information submitted through the online complaint form may also beused in aggregate form to analyze and create statistics, that may bereleased to the public. This aggregate data will not contain anypersonal information.
Attached you will find a copy of your complaint. Please print a hardcopy of the complaint for your records in the upcoming investigation.
Thank you for your cooperation and we will keep you informed on the status of our investigation.
Federal Trade Commission
It’s not a bad attempt at story writing; the message and wordingsound reasonably convincing. The usual story is about a complaintreceived by the government agency mentioned. Also as usual, attached tothe email is a document name along the lines of Complaint_[severalrandom digits].doc. If the receiver falls for the trick and opens thedocument, they will see the following in the document.
View of opened Word doc
If, at this point, alarm bells have not started to go off, then I’mafraid to say you have missed some very clear telltale signs thatsomething is amiss
First there is the schoolboy error in the first word, which wouldsuggest that the author is not from a professional organization. Idoubt the scam email crafter meant to say, “Bellow is a copy of youroriginal complaint.” So, null points for the scammers on the languageskills test.
Aside from the incorrect choice of words, what about the rest of thedocument? You’ve got to ask yourself, is a government agency likely tosend something of this nature and quality? I would like to think thatour taxpayer dollars would give us civil servants able to producebetter quality output than this example. So this scam also fails thequality test.
Then there is the strange method of embedding a PDF inside a Worddocument. Now why would anybody want to do that? Why not just send thePDF on its own? Because, as it turns out, what appears to be a PDF fileis actually an executable file.
Should you try to open the embedded file, you are still given one more chance to avoid being infected.
Prompt after attempt to open PDF
Windows warns you that a program called C_Adobe.exe is about to berun. Once again there are clues to be picked up here. Why would aprogram called C_Adobe.exe run when you attempt to open a PDF file?Plus, C_Adobe.exe does not look like a legitimate application. And, ofcourse, it’s not. It is actually a downloader program that attempts todownload other files. The downloaded file drops another file which isan information stealing Trojan horse.
Had you clicked on the Run button, I’m afraid you would have justinvited a number of threats onto your computer. For most of us, commonsense will have saved us from making this mistake. Even better though,a Symantec security product would have caught the whole thing at thevery beginning.