A dozen Crypto attempts today

[Image: crypto]

All of these arrived in my inbox today; many are duplicated versions of the same message with minor changes.

Dear info,
Cathleen Holcomb asked me to send you the attached Word document, which contains the final version of the report.
Please let me know if you have any trouble with the file, and please let Cathleen know if you have any questions about the contents of the report.
Kind regards
Alisa Harper
Managing Director
Notice that all of these emails begin with “Dear Info,” since the relevant address is “info@devnull.com.” This in itself should be a red flag.
Dear info:
Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am writing to confirm receipt of your order, and to inform you that the item you requested will be delivered by 25 June at the latest. If you require more information regarding this order, please do not hesitate to contact me.
Also, our records show that we have not yet received payment for the previous order of 11 June, so I would be grateful if you could send payment as soon as possible. Please find attached the corresponding invoice.
If there is anything else you require, our company would be pleased to help. Looking forward to hearing from you soon.
Yours sincerely
Benjamin Martin
Chief Executive Officer
Information. A report. An invoice with request for payment. A spreadsheet. All looking innocuous and legitimate.
Dear info,
The reference you requested is attached.
Let me know if you have any questions.
Best regards
Erma Frederick
CEO
No matter how official emails like this look, you should verify every detail before proceeding.
Dear info,
Our records show that we have not yet received payment for the previous order #A-393685
Could you please send payment as soon as possible?
Please find attached file for details.
Yours sincerely
Jami Garrett
Mexico Key Account Director
Don’t open those attachments! They are almost certainly JavaScript (.js) files tucked inside an archive; Windows hands a .js file to Windows Script Host the moment you double-click it, and the script then downloads ransomware (an “encryption virus”) or something equally vicious.
Be careful out there.
The Old Wolf has spoken.

Infect your computer from home!

From: <my email address>
To: <my email address>

Subject: Cooperarion with a large firm

Hello!

We are looking for employees working remotely.

My name is [Audra|Joni|Gus|Emily], I am the personnel manager of a large International company. (I got four of these in my mailbox today).
Most of the work you can do from home, that is, at a distance.
Salary is $2500-$5000.

If you are interested in this offer, please visit Our Site

Best regards!

If you’re careless enough to click that link (disabled above), what you’ll be taken to is this:

http://yaseminalkaya.xyz/wp-content/plugins/easy-tables-vc/xxxxxx/lib/jquery-handsontable/test/jasmine/spec/settings/

That address, buried inside a WordPress plugin directory on somebody else’s site, is the usual sign of a compromised website being used to host the payload, whereupon your computer will promptly be infected with ransomware or some other evil chicanery.

Do not respond to emails like this, and do not click embedded links!

The Old Wolf has spoken.

Not from Yahoo (scam)

[Image: yahoo]

“Your Mail version is outdated.” “Upgrade your account now.”

Never follow links like this that ask you to enter your email username and password. Would you hand your credit card to a criminal? Don’t give access to your Yahoo, Gmail, Hotmail, or other accounts to scammers.

If you have loved ones who are not especially tech-savvy, please protect them from this kind of jiggery-pokery.

Be safe out there.

The Old Wolf has spoken.

Malware Payloads

[Image: Chapa NO MALWARE]

I’ve noticed a lot of malicious emails coming through to one of my addresses lately – interestingly enough not at Gmail, which may filter these things out before they ever reach the Spam folder – but to one of my private email addresses. Here are two examples:

Dear info,

Many thanks for your card payment. Please find payment confirmation attached below. Should you have any queries, please do not hesitate to contact Credit Control Team.

Best regards

Dena Carpenter
Director Audit Services
Attachment: 851E2_info_43A8AE.rar
And this one:
Dear info,
Please check the bill in attachment.
In order to avoid fine you have to pay in 48 hours.
Best regards
Antonia Snider
Executive Director Sales Account Management Training Performance Support
Attachment: info_e-bill_669770.zip
Both of these emails came with compressed attachments, one a .zip file and one a .rar file. Inside each was a file with the extension “.js,” meaning it’s a JavaScript file: double-click it to see the “invoice” or “bill” and Windows passes it to Windows Script Host, which runs it with your user’s full privileges. Because Windows Explorer hides known extensions by default, a file named, say, invoice.pdf.js shows up simply as invoice.pdf.

DO NOT DO THIS.
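A small triage script, added here as an example and not code from the original post, shows how to check an email’s attachments without opening them, covering both the archived .js files described in this post and the ones in “A dozen Crypto attempts today.” It parses the raw message with Python’s standard email module, lists the contents of any .zip attachment in memory, and flags names that Windows would execute on double-click or that carry a decoy double extension. The message it runs on is constructed to resemble the “e-bill” lure above (the sender address and inner file name are made up); the extension lists are a starting point, not an exhaustive catalogue, and .rar archives are only flagged by name because reading them needs a third-party module.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows executes directly on double-click: Windows Script Host
# (.js/.jse/.vbs/.vbe/.wsf/.wsh), mshta (.hta), the shell (.exe/.scr/.com/.pif/
# .bat/.cmd) or a shortcut (.lnk). Starter list for this example; extend it.
SCRIPT_LIKE = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
               ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk"}
# Harmless-looking "document" extensions used as the inner half of a double
# extension (invoice.pdf.js), which Explorer displays as invoice.pdf by default.
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def suffixes(name):
    """All extensions of a file name, lower-cased: 'a.PDF.js' -> ['.pdf', '.js']."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def classify_name(name):
    """Reasons a file name is suspicious; an empty list means nothing stood out."""
    reasons = []
    sfx = suffixes(name)
    if sfx and sfx[-1] in SCRIPT_LIKE:
        reasons.append(f"executes on double-click: {sfx[-1]}")
        if len(sfx) >= 2 and sfx[-2] in DECOY:
            reasons.append("double extension; Explorer hides the last one by default")
    return reasons


def triage_message(raw):
    """Walk every attachment of a raw RFC 822 message and list .zip archives
    in memory (never extracted to disk). Returns (where, reason) findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        findings += [(fname, r) for r in classify_name(fname)]
        if fname.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        findings += [(f"{fname}!{member}", r) for r in classify_name(member)]
            except zipfile.BadZipFile:
                findings.append((fname, "claims to be a zip but does not parse"))
        elif fname.lower().endswith(".rar"):
            # RAR needs a third-party module (e.g. rarfile); only the name is checked here.
            findings.append((fname, "rar archive; list its contents before opening"))
    return findings


def build_sample():
    """Constructed sample modelled on the 'e-bill' lure above, not a captured
    message: a zip attachment holding a .js named to look like a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("info_e-bill_669770.pdf.js", "// placeholder text, not malware\n")
    msg = EmailMessage()
    msg["From"] = "Antonia Snider <sender@example.invalid>"   # assumed address
    msg["To"] = "info@devnull.com"
    msg["Subject"] = "bill"
    msg.set_content("Dear info,\nPlease check the bill in attachment.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="info_e-bill_669770.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for where, reason in triage_message(build_sample()):
        print(f"{where}: {reason}")
```

Run it on a saved .eml file by passing its bytes to triage_message; the point of opening the archive in memory is that nothing is ever written to disk where a double-click could reach it.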

From Microsoft’s Malware Protection Center:

Payload: Downloads malware or unwanted software

This threat can download other malware and unwanted software onto your PC. We have seen it download the following threats:

  • PWS:Win32/Fareit
  • Ransom:Win32/Crowti.A

Connects to a remote host

We have seen this threat connect to a remote host, including:
  • davis1.ru using port 80
Malware can connect to a remote host to do any of the following:

  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC
  • Validate a digital certificate

We have seen this threat access online content, including:

  • two.jpg
  • one.jpg

Another similar threat is O97M/Donoff, a downloader that hides as a macro inside Office documents. This Microsoft article shows many types of emails that are being sent out to try to get people to run this malware. One of my emails contained Win32/Penzievs, which is so new that Microsoft has no technical details on it yet.

Working at Carbonite™, we have seen many customers who have been infected by the Cryptolocker virus and similar encryption programs. Almost all of these vicious payloads come as email attachments that are opened by the unwary. While having good anti-virus protection and a cloud-based backup system that keeps multiple versions of your files is good insurance, the best procedure is never to open attachments from unknown sources, no matter how legitimate they look. Be especially wary of “.exe,” “.com,” “.scr,” “.js,” and “.vbs” files, and of “.zip” and “.rar” archives, which are merely containers: the danger is the file inside, and wrapping it in an archive is a common way of slipping it past filters that block bare executables.

Be careful out there. Protect yourself and your loved ones.

The Old Wolf has spoken.


Never “Verify Your Email.”

No email service will send you a message asking you to provide your address and password, or other financial data. They just won’t.

[Image: yahoo]

This email is bogus. Note the red circle next to the “click to validate” link – that’s a warning from WOT (Web of Trust) that indicates the website is not to be trusted.

If you’re foolish enough to click the link, which goes to http://bookinghh.myfreesitehost.com/smluptt/wadohjom.htm (NOT a Yahoo website), you’ll get this:

[Image: Yahoo2]

If you fill out this information, scammers now have access to your email account, and they will use it to steal information, to send out criminal spam, and, since password resets for most other services land in that mailbox, to take over those accounts as well.

Never do this. Be careful out there.

The Old Wolf has spoken.

Phishing: Watch those URLs

Today in my Yahoo! mail account:

[Image: Yahoo]

If you click that “Sign In” link, you get taken to

http://www.oficinadentalpr.com/includes/drpbx/db/obfuscated.php

which is apparently a dental office in Brazil. (I tried contacting them to let them know that their website had been compromised, but their contact page seems to be malfunctioning.)

Edit: As of today, the entire “Oficina Dental” account has been suspended. Either they got infected and their ISP suspended them on general principles, or the whole page was a sleazy front for this scam operation. We’ll never know.

At any rate, this is what you get:

[Image: Yahoo2]

Which leads you to the regular “Enter your critical personal information and credit card and bank data” page.

The ongoing lesson: Don’t click embedded links in emails. Just don’t.

The Old Wolf has spoken.

Why you *never* click embedded links in your email

[Image: Scam]

See that link to “Capital One” there in the body of the email? The words you see and the address the link actually points to are two separate things, and this one will take you to an entirely different website that just looks like it’s from Capital One. Hovering over a link (without clicking) shows its real destination in the status bar of your browser or mail client.

[Image: Scam2]

Congratulations, you’ve just handed the key to your bank account and your email account to thieves, probably in Eastern Europe or Africa.

One would think people would understand this by now, but there are a lot of folks who use computers who really don’t get below the level of Lolcats or Pinterest, and they need to be protected. Phishing scams are still rampant because phishing scams are still profitable. Far too many people are duped by websites like the one above, and happily hand over their information to criminals either online or via telephone.

[Image: 2012-02-24-ScamArtist]

If you are just learning about computers, this is Rule Number One about emails:

NEVER CLICK ON EMBEDDED LINKS IN AN EMAIL – ALWAYS TYPE THE WEB ADDRESS DIRECTLY INTO YOUR URL BAR.

I can’t emphasize that enough.
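The mismatch this post and the Yahoo posts above (“Not from Yahoo,” “Never ‘Verify Your Email’” and “Phishing: Watch those URLs”) all turn on is mechanical: the visible text of a link and its href are independent, so a machine can check them. The script below is an added example, not code from the original posts, that pulls every anchor out of an HTML email body and flags two things: link text that looks like a web address but points somewhere else, and any link whose destination is not on a domain the message claims to come from. The sample body is constructed for the example (the two URLs are the ones quoted in the posts, the anchor text around them is made up), and the “registrable domain” helper is a crude last-two-labels stand-in with no public suffix list, which is an assumption to replace before relying on it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a web address, e.g. "www.capitalone.com"
# or "https://mail.yahoo.com/login". Group 1 is the host part.
LOOKS_LIKE_URL = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#]\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so "Sign\n In" compares as "Sign In"
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host):
    """Crude 'last two labels' stand-in for the registrable domain (no public
    suffix list, so co.uk-style names come out wrong). Assumption for this example."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def audit_links(html, claimed_domains=()):
    """Return (href, text, reason) for each anchor whose real destination does
    not match what the reader is led to expect. claimed_domains are the domains
    the message purports to come from, e.g. ("yahoo.com",)."""
    parser = _LinkCollector()
    parser.feed(html)
    claimed = {registrable(d) for d in claimed_domains}
    flagged = []
    for href, text in parser.links:
        dest = registrable(urlsplit(href).hostname or "")
        m = LOOKS_LIKE_URL.match(text)
        if m and registrable(m.group(1)) != dest:
            flagged.append((href, text,
                            f"text shows {registrable(m.group(1))} but link goes to {dest or 'no host'}"))
        elif claimed and dest not in claimed:
            flagged.append((href, text,
                            f"destination {dest or 'no host'} is not {', '.join(sorted(claimed))}"))
    return flagged


# Constructed sample body, not the original email: the two URLs are the ones
# quoted in the posts above; the anchor text around them is made up.
SAMPLE_HTML = """
<p>Your Mail version is outdated. Upgrade your account now.</p>
<p><a href="http://www.oficinadentalpr.com/includes/drpbx/db/obfuscated.php">Sign In</a></p>
<p>Or visit <a href="http://bookinghh.myfreesitehost.com/smluptt/wadohjom.htm">https://mail.yahoo.com</a>
to validate.</p>
<p><a href="https://help.yahoo.com/">Help</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE_HTML, claimed_domains=("yahoo.com",)):
        print(f"[{text}] -> {href}\n    {reason}")
```

Feed it the HTML part of a saved message and the brand the message claims to be from; a “Sign In” link that lands on a dental office’s website, or visible text reading mail.yahoo.com that resolves to a free hosting site, is exactly what this catches.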

Not only are you at risk of losing your money or your identity, but you could seriously damage your computer files, for example, if you carelessly open an attachment which contains evil software like Cryptolocker.

If you are computer-savvy and have loved ones who are not, or who might be vulnerable to this sort of thing, please educate them and watch over them.

Be careful out there.

The Old Wolf has spoken.