Malware Musings

I have just been reading ‘Facebook friend added a new photo of you? Beware spammed-out malware attack‘ by SophosLabs which involves an email being sent to victims suggesting that a friend has tagged them in a photo.

The fake emails have a zip (file archive) file attached containing malicious software which, if opened, can give attackers control of Windows computers. More details, including the email format, are available in the above mentioned article on SophosLabs’ Naked Security blog.

Of course, it always pays to be vigilant when receiving emails. The protocols used to send email over the Internet do not always need the email sender to authenticate (prove their identity) themselves. That means that it is possible for anyone to send an email to you, claiming to be from Facebook, Twitter, your bank, your friend (although this could be a case of malware running on your friend’s computer and using their mail application to send the email), or even Santa Claus. Basically, the email can claim to be from anyone.

If in doubt, delete it. It is safer to accidentally delete a legitimate email (if you can contact the sender), than it is to accidentally open a malicious one, on the basis that if the email was real and from whom it claimed to be from, the sender will more than likely have a copy in their ‘Sent’ folder and be able to resend it.

However, there are a few things that you can look out for that should raise your suspicion (with quotes/examples from spam emails which I have received. I knew I kept them for a reason):

• Spelling/Grammar (‘The label of your parcel is enclosed to the letter.’)
• Emails where the Subject: line or contents don’t sound like the supposed sender wrote them, that is, they are out of character. For instance an email starting with ‘Dear Friend’ when you’ve never heard or seen the supposed sender start an email with ‘Dear’, or refer to you as ‘Friend’. Also, a number of people tend to always end their emails the same way — with their signature block. Check the bottom of the email for the supposed senders signature block to see if it matches that of other emails from the same sender (assuming the sender is one whom you often receive emails from).
• Emails from people to whom you haven’t actually given your address (‘We received your details from an investment consultant through a leading business forum.’ for instance)
• Emails that don’t seem to know who you are (‘To: You <emailaddr>’, or that start ‘Dear Friend’, or my personal favourite ‘Dear Valued Customer’ — they value you so much yet they don’t bother to personalise the email with your name)
• Any email that sounds too good to be true (‘You have won GBP615,810.00  the Super Lotto email program’)
• Any email (or web site) that claims to need personal details (‘We need your help to complete this security update by re-updating your PayPal account information’ — even more so if you don’t actually have a PayPal account to update)
• Emails with an attachment, especially if you don’t know the sender. If you do know the supposed sender, check with them that they did actually send the attachment. It is possible for malicious software to send a copy of itself from your friends’ email addresses.
• More than likely anything that tries to convince you that it isn’t a scam or spam (‘NOTE: This is not a spam or virus message.’)
• Emails that just seem to contain nonsensical or out of context text (‘Who was going to look after the cow, about to be separated from us?Young Bute would be down again with plans. Who was going to take him over the house, explain things to him intelligibly?’ — based on those sentences I would suggest not the author of the email)
• Anything that tells you not to tell anyone (‘I will like you to keep away this message from any other person around you, because we have decided to conclude this issue with you alone’)
• Anything that seems overly friendly (‘Dear Friend, I got your contact during my search for a reliable,trust worthy and honest person to introduce this transfer project with.’)

Any email exhibiting any of those qualities should get you suspicious. If in doubt, it is always safer to check with the supposed sender by sending them a new email (don’t reply to theirs as the reply can often include any malicious content that the original email contained), or calling them on the phone, using social media, etc. to confirm that they did send you the email.