Very creative spam/virus email

Almost got me this time with this one. I’ve been getting a little spam on my computer at work. Somehow they’re getting through the City’s defenses. The email domain at work is hub-city.net. I got an email this morning from register@hub-city.net with the following subject line:

DETECTED Online User Violation

and the body of the text

“Please read the attached document and follow it’s instructions.”

The email also contained an attachment hybul.zip. I’m always very careful with my computer use so this one surprised me at first. I sent the email on intact to our I.S. guys and they’re going to look into its source if they can. In the meantime, I thought I’d bring it to the attention of my compadres here on the forums. I thought this one was a bit more creative than the usual no-brainer spam email that I get.

Bruce

Re: Very creative spam/virus email

Thanks for the handy warning! To that I will add some of the usual cautionary things to remember. The main one is, never open attachments unless you absolutely know what to expect. Never from a stranger, and just because it claims to be from a familiar address, if you weren’t expecting anything from that person, don’t open it until you ask them. Return addresses are easy to spoof.

I get about a hundred spams a day, each, on my home and work email accounts. Currently I am very happy with both of my anti-spam products, which I’ll describe below.

Even this devious message seems to follow the unwritten rule of spammers, which is to include at least one typo or grammatical error (it’s). Usually they’re more obvious…

My current anti-spam solutions:

Work: Red Condor. This product is only available for corporate use, but is the best spam product I’ve heard of. An average of about one spam a day gets through, but there are absolutely no false positives! That’s because their filtering software doesn’t “guess.” It only removes known junk, based on ongoing work their staffers do to identify the current junk that’s out there. Awesome.

Home: OnlyMyEmail.com. For I think $3 a month (cheap for what it does!), it works similarly to Red Condor, though I’ve noticed three or four false positives in the month or so since I’ve started with the service. Your mail passes through their server, where the junk is stopped and only what they think is legit gets through. The nice thing with this (and Red Condor) is your email software never has to deal with all the junk. Instead, both services send a daily email (which you can adjust through preferences) that reports on the junk that’s been received. I read through the lists every day, and as mentioned above, have only found a few strays in the OnlyMyEmail report. Clicking on them re-sends them to me.

My email address is MINE! I’m not giving it up. Death to the spammers! They won’t go away, but hopefully the software will continue to improve, making them less and less relevant.

Re: Re: Very creative spam/virus email

Good catch, John. I hadn’t noticed that. I’m usually better than that but this one escaped.

Bruce

Re: Very creative spam/virus email

The ZIP file was likely encrypted so that it requires a password to open. Encrypted ZIP files generally can’t be opened by email scanning programs and virus scanning programs so they are more likely to get through. If it was a regular ZIP file it can easily be opened by a virus scanning program and identified for what it is.

The instructions in the attached document would give you the password and instructions on how to open the ZIP file with the password. Then it would give instructions on how to launch the payload.

That’s just one of the tricks that some of the trojans or email worms use to try to get by the virus scanners and other email scanners.

Re: Very creative spam/virus email

Wow, that virus does look a little more convincing than others… getting a little closer to AI, I guess. I just got the following:

The big question is why didn’t clamAV see it as a virus. Maybe JC is correct on this, time to experiment.

Like John Foss mentioned, if you didn’t expect it, then don’t open it, even if it appears to be from someone you know. It’s best to contact the person to confirm that the email is for real before opening any attachments that are executables (which can come in a wide variety of file types).

Re: Re: Very creative spam/virus email

Running freshclam to get the latest virus database and then running clamav resulted in a successful finding of a virus.

[gilby@moab viruses]$ clamscan account-info.zip
account-info.zip: Worm.Mytob.CT FOUND

----------- SCAN SUMMARY -----------
Known viruses: 35499
Engine version: 0.85.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.05 MB
Time: 0.548 sec (0 m 0 s)

I feel like I’m fairly observant and intelligent about most things. But I hear about scams perpetrated against the growing older and elderly all the time and it makes me wonder sometimes what new creative scam will get by me and when.

This is not a scam, but I once read about a son who finally took over his elderly mother’s finances and found that she was being charged a $10 a month rental fee on her phone bill over the last many decades for a rotary-dial phone that she had once legitimately ordered but never canceled.

So two questions.

  1. How do we continue to maintain awareness as scammers become more intelligent and we either pay less attention or are unable to pay attention?
  2. What kinds of things am I missing right now that could use some awareness and examination?

I’ve heard of that happening too in my extended family. I forget if it was at my parents’ cabin (which used to be owned by my grandparents and was then given to the kids) or one of my grandparents, but the rotary phone was a rental. Probably similar to a cable modem today though. I think comcast charges $3/month to rent a cable modem.

I’ve also heard from my grandmother that she got a call from a company saying that the husband ordered something, but forgot to give the credit card info. Pretty scary on the real potential for scamming the elderly.

A little over a year ago, my parents had to deal with identity theft. My mom got a call from a furniture store telling her that the furniture that she purchased was ready for pickup… but she never ordered any furniture. Turned out that someone with a similar description to her was writing checks in her name on her checking account at many places. Mostly furniture and electronics stores, and they tried to get most to be picked up when they were there. They had a fake driver’s license and fake checks. Pretty scary. In fact every time you write a check to someone, you are giving away your bank account number. Checks are not safe, IMO. The bank did cover it all, but it was a huge hassle to recover from it (as if they didn’t have enough to deal with at the time with the house fire).

Both are pretty difficult questions. I think it mostly comes down to pushing versus pulling. :slight_smile: Tech terms.

Basically, pushing is bad. Pushing is where someone asks you for information. You can’t be sure if it is authentic. Pulling is where you give the information to a known source. You’ve validated the contact info with your documentation from when you created an account. They don’t call you, but you call them.

If someone calls you on the phone asking for any kind of personal info, never give it to them. A simple reply to telemarketers is that you never buy anything over the phone.

  • Know what you’re paying for. Read the bills. Read your credit card and services bills. Understand them. The more you trust, the more likely that things will slip by you.

  • Read bills, invoices, service contracts.

  • Don’t give out information. If someone is asking you for credit card, SSI or other information, ask yourself (not them) why they need it.

  • If you’ve been using the same phone company since the days of rented rotary phones, switch! Otherwise have a look at your phone bill. I’m sure it was there all those years…

I just switched long distance services again. We don’t make a lot of long distance calls and instead use our cell phones during the free nights and weekends time. So I searched the Internet years ago and ended up with Zone LD.

We had a thread about companies that pack on the fees once upon a time. Zone just initiated a $3.00 monthly fee last February for something, I don’t remember what. So I researched and switched again. Now I’m with Total Call International.

Here’s one way. I wonder for a moment if an offer is legit, then I get lots more of the same spam/scam, only different variations:

from: TargetDealz@mx1827.tt03.com

Sams Club / Costco GiftCard OfferConfirmation #3658-VBEC5735
To: Member #4031 Email: (again, my email address)@yahoo.com

We have been trying to reach you in order to deliver your free Sams Club / Costco Gift Card.

from: TargetDealz@v7.emastr.com

Home Depot GiftCard OrderConfirmation #3658-VBEC5735
To: Member #4031 Email: (my email address)@yahoo.com

We have been trying to reach you in order to deliver your free Home Depot Gift Card.

More free Home Depot cards from:
TargetDealz@mx20139.tt03.com
freegiftsdirectupdates@freegiftworld-updates.com
TargetDealz@mx1944.tt02.com (also offered free Costco card)
giftcard@tathree.net
IncentivePromotions@sunnynydls.com

…it goes on, and on, and on, and on…

I was going to quote “BEN WAS HERE!!!” and then comment on how appropriate a comment that was in a thread about identity theft (and such). But that text wasn’t available for quoting. Somehow the software must have recognised it as non-genuine yoopers-speak and marked it as non-quotable, since I obviously cannot quote yoopers on something he didn’t say in the first place.

Klaas Bil

:slight_smile:

Re: Re: Re: Very creative spam/virus email

and additionally… just be aware the config of clamav has an option enabled that prevents files larger than a certain size from being scanned. It’s to keep the system’s load from getting too high. By default it’s pretty low, and by default it’s enabled. Virus makers do know this, so they could fill the zip with junk just to get over this default limit. In that case it will reach the end-user (who should always have a virus scanner themselves, and never trust anything).
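The two evasions described in this thread, the password-protected ZIP from the earlier reply and the archive padded past the scanner's size limit from this post, can both be spotted from ZIP metadata alone, without extracting anything. The script below is an added example for this thread, not code from any poster or from ClamAV; the SCANNER_MAX_BYTES gateway limit and the in-memory sample archives are constructed assumptions.

```python
"""Triage a ZIP attachment that a mail gateway could not fully scan.

Two evasions from the thread are visible in ZIP metadata alone:
  * members flagged as encrypted (password-protected), which a scanner
    cannot inspect;
  * members padded past the scanner's maximum-file-size limit, so the
    scanner skips them.
"""
import io
import struct
import zipfile

# Assumed gateway policy: the scanner skips anything over this many bytes.
SCANNER_MAX_BYTES = 1 * 1024 * 1024
ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 in the ZIP format


def triage_zip(data: bytes, max_scan_bytes: int = SCANNER_MAX_BYTES) -> list:
    """Return reasons to quarantine the archive (empty list means it passes)."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                reasons.append(f"{info.filename}: encrypted, scanner cannot inspect")
            if info.file_size > max_scan_bytes:
                reasons.append(f"{info.filename}: {info.file_size} bytes exceeds scan limit")
    return reasons


def build_sample(name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Constructed test archive. The stdlib cannot write encrypted ZIPs, so the
    encryption bit is patched into the central directory entry by hand; the
    data itself stays in the clear, which is all the triage check needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        cd = data.index(b"PK\x01\x02")  # central directory file header
        flags = struct.unpack_from("<H", data, cd + 8)[0]
        struct.pack_into("<H", data, cd + 8, flags | ENCRYPTED_FLAG)
    return bytes(data)


if __name__ == "__main__":
    print(triage_zip(build_sample("readme.txt", b"hello", False)))
    print(triage_zip(build_sample("locked.bin", b"x" * 64, True)))
    print(triage_zip(build_sample("padded.bin", b"\0" * (2 * 1024 * 1024), False)))
```

A gateway policy that quarantines anything the scanner could not inspect closes both gaps, regardless of whether the signature database is current.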

I’ve been getting the same type of SPAM (the original one Yoopers posted about) on my unicyclist e-mail lately, about 2-3 a day. The senders’ addresses all end in @unicyclist.com with usernames like:

support
admin
administrator
info
mail
register
service
webmaster

…though none of these are on the list of unicyclist.com members. The various subject titles are:

  • Important Notification
  • DETECTED Online User Violation
  • WARNING Your Email Account Will Be Closed
  • Your Account is Suspended For Security Reasons
  • Account Alert
  • …and a few with just random characters

Anyone else experiencing this?

I’m getting quite a bit of that on my Yahoo accounts, especially from “Paypal”, but it’s to be expected there as I use the email address for online registrations and such.

What’s interesting is that I continue to get responses to my vehicle for sale as listed on Yahoo Autos. No legit responses, instead all say, “I’m buying this for a client and we’ll pay you via cashier’s check.” I tell them cash only and personal visit to sign the title.

I also called my bank to see if there was a way to tell if a cashier’s check was legitimate or not. She instructed me to call the originating lending organization to see if they have the carbon copy there and that all accounts are accounted for. Of course that’s all before I let the vehicle drive away.

Good advice!