Tuesday, 8 August 2017

An RBA Hoax Email: Somewhat childish

I received a confused email purporting to be from the Reserve Bank of Australia (RBA). It was a hoax, which I have since reported as a phishing attempt, but it was interesting to look at how it was structured and the clues it offers as to whom it may have come from.

Let's take a closer look.


It's from the RBA? No, it's about the RBA? What is this?

From the screen snippet above you can see what was waiting in my inbox. It appeared to be an email from 'Emma', with the subject being Reserve Bank of Australia. We can also see that it has an attachment. These things should start ringing some alarm bells: it has an attachment, it is about a financial institution that does not deal with private citizens' accounts, and it is from someone I do not know.


I'm confused. What is this about?

As we explore further, you'll see that this email in itself was also confused.

So, apart from the strange subject line, we can also see that the sender of the email is attempting to hide their identity. Whilst the name their email offers is 'Emma', one of the email addresses it is using is 'Liam@aapt.net.au', but it is being sent via another domain.

Whoever Emma/Liam is, they have not paid for quality data on which to launch their scam campaign. Clearly they do not have my name (yet), but they do have my email address. That is not anything to worry about, as that is not a secret. But it should clearly identify this as a scam: if this really was from the RBA or any other financial institution that would have a legitimate reason to send me an email, they would know my name.

Next we have some oddities in the grammar of the email content: doubled-up words like "history history", and odd phrases such as "breakdown of payment delays" and "lawsuit against you on the suit", which make no sense in the context they are presented.

Then there is the threat that the RBA will use their "law enforcement bodies". Given that the RBA has lawyers but has neither police nor other enforcement specialists, this really is out of context again.

This scam email sticks out particularly because, whilst the text is confused, contradictory and makes little sense, there are no spelling errors. Combined with the signature line, which uses the name of the RBA itself rather than a person's name, this tends to suggest that whoever compiled this is from an English speaking background, or at least had the preparation to use a spell-checker. However, they do not seem to be mature or worldly enough to understand what the RBA is, how it operates, or how grown-ups doing business really communicate.

A peek under the covers.

Going down into the raw data of the email (view original or view source) gives a few more clues.

The message ID does not match the supposed sender's email domain. Normally this would raise flags with the Google spam filters. I am not sure why it did not on this occasion.


The scammer has attempted to obfuscate the trail in a cheap way. The reply-to address and domain are different from the From address details. This would be a cheap way of initially obfuscating any follow-up. However, the fact that such a cheap option is being used suggests that the scammer(s) have limited resources. Perhaps they are just starting out. Perhaps their names are Liam and Olivia.

What is the payload?


We know that the download link was a big green arrow - an image. Looking through the HTML code behind the email, we find the image. It has a reference to an Internet URL. Clicking on the image would download a file called "instructions.zip". Zip files can hide malicious scripts if the target has very weak security scanners. Most reputable anti-malware scanners have the ability to interrogate the contents of zip files. This tactic is counting on one or more victims either having no protection, or having the option to scan zip files turned off to prevent a drain on resources.

If this is so amateur, why bother writing about it?

Yes, this scam is amateur. If my assertion that this is a small group of 'script-kiddies' is true, then this post may actually help them to do a better job next time. So why write it? As much as I have slammed the childish nature of this scam, it did not get picked up by the Gmail scanners. I did not find it in my Spam folder - it was in my Inbox folder. Sometimes the tools that we rely upon to protect us are so finely tuned to find high-grade professional scams that they will miss the juvenile scams.

Be alert. Use the best protection that you can reasonably afford to help you, but do not rely upon it entirely. Always ask questions for yourself. #ASKOUTLOUD

Thursday, 20 July 2017

YouCanHasJob!: A closer look at a job-offer-scam email

Today, something suspect slipped through the Gmail spam scanners, and made it into my Inbox. That is highly unusual. I decided to take a closer look to try and discover why. Along the way, I’ll point out the obvious clues to these fake job offers.

Why does someone want to offer you a job?

Not just someone, a complete stranger.
They do not want to pay you any money. That much is certain.
They are more interested in what they can get from you. These emails are generally phishing attacks, and what they are phishing for is whatever they can get from you:

  • Personal details – if you send them your resume they’ll generally gain a lot of useful information. This may lead to them having further communications with you and asking further questions, particularly if you have recently worked for an interesting employer.
  • Professional knowledge – assuming that you recently worked for an interesting corporate or government client, the scammers might start asking questions about your time there, in a hope that you might be clumsy enough to disclose information that may allow them to attempt attacks against that organisation.
  • Banking details – to start working they may ask you to make an initial payment for registration, or to pay for supplies, or they may ask for your bank details to be able to initiate payments. Never do this unless you have verified who they are, and that they are a legitimate employer.
  • Time – they may offer you a trial period, but likely they have no intention of offering you permanent work. They just want to make the most of your efforts during the trial period, then you’ll never hear from them again. They just wanted you as a temporary digital slave.
  • A combination and as much of all the above as they can possibly get.

You have mail!

Well, I have an odd email. It appears to be from someone named “Virginia Wolf”. Wasn’t she a famous author? Even if this was the author, there is no reason for her to be contacting me. The use of this name is to trick the unwary into thinking that possibly they may know the sender, and hence open the email.


The second oddity that sticks out is that the subject of the email is my name. I like my name. A serious employer who is genuinely interested in a professional arrangement with me would make sure that they get my name right, including appropriate capitalisation.

So What is this?

As I am using a web based email service to view my emails, I know that I can go a little further in investigating these emails. If I was reading this through Outlook on my desktop, or another desktop email client such as Thunderbird, where the email and any potentially nasty payload has downloaded to my computer already, I would simply delete the email at this point. Since I am viewing the email as it is opened on a server somewhere else in the world, I feel a bit more comfortable about reading further.



Immediately I see the email address of this supposed “Virginia Wolf”. ‘torresczrsandragz’ is the first part of the email address. Let's stop and think: what serious business person is going to have an email address like that? No one. It is too hard for people to remember, too difficult to tell them quickly. This may be a real email address, but it does not belong to anyone conducting a legitimate business, unless they are brain dead. Furthermore, the domain part of the email is “@outlook.com”. This tells me that they are not emailing me from a business email account. They are using a randomly created email account, or pretending to be using an Outlook webmail account.


Perhaps the first impressions were bad, but it can only get better, right? Wrong.

If you can do so safely, reading through the email a little can provide further clues.
The whole text is bogus, and poorly written. Let me pick some particularly good examples:

We are one of the top international distributors of the variety of goods
At no point is any identification of an organisation/employer made. If this was a legitimate offer, the employer would disclose their corporate identity, particularly if they were a big international company. There is also no definition in the email of a group, set or category of goods that this supposed employer markets – so “the variety of goods” is both a lie and bad grammar.

If you are sure enough to try and become a member of one of the most prospective enterprises in Australia,
If you are sure enough to what…? This sentence is very poorly worded. If they were a large international employer serious about doing business in Australia, they would pay one of their staff to get the wording correct, or at least pay for an outsourced resource to do a quality job.

Unfortunately, we are not able to invite the applicants outside Australia. Thus you have to be either a resident, or a legal permission to work for applying.
“we are not able to invite the applicants outside Australia” could mean a number of things. Might mean that there is not any international travel involved in the job. “Thus you have to be either a resident”, of Australia we assume. “or a legal permission to work for applying”, this makes zero sense in so many ways. How can a person also be a form of legal permission? And the sentence structure is defective at best.

Your tasks will involve:

- communicating with customers from the USA, Asian and European countries, assisting to build the trading process as smooth as possible for them;
again, very bad grammar
- processing the information, mostly related to the sales;
processing ‘the’ information… bad grammar
- assisting the sales office with different problems;
- and, last but not least, offering the articles.
offering articles?

We are ready to provide a monthly rate of 8000aud per month for a job on a permanent basis. If you prefer to be more flexible, you can choose the short hours type of a job, with the wage up to 4000aud per month. These figures do not involve various encouragements to be obtained for excellent results.
“type of a job” - bad grammar

You must pass a test period before being employed permanently. 
This line is the clincher. What it should tell you immediately is that at best you will work your butt off for the trial period, then you will not pass the test, and they will never pay you.


Your skills should include:



Our chief demand is good access to the Internet from your PC or laptop. 
Let's read that again: “our chief demand is good access to the Internet from your PC or laptop”. This is the single most truthful statement in this email. These scammers want to gain access to and control over my computer. What for? Don’t know. But the next sentence might tell us a bit about how they would do it.

You must have certain MS Excel skills as well as the software programs installed.  
This reads as: if you don’t have Microsoft Excel installed, do not apply. Most likely this email is the first stage of a campaign. In the second stage, once someone applies for the job, the scammers are almost guaranteed that the applicant has Microsoft Excel on their computer, and there is the chance that the scammers could send an Excel spreadsheet, possibly a timesheet, which happens to have embedded malware.



We are waiting for receiving your reply and we are eager to give your career a good start in a wonderful and creative team guided by a charismatic leader.
“waiting for receiving your reply” - bad grammar again.
Is this an invitation for a job or to become a member of a religious sect?



Not convinced it's a scam? Check the finer details

Still think a complete stranger from a mystery organisation, who has English writing and comprehension skills less than that of your average sixth-grader, is offering you full-time employment from the comforts of home for $96,000 a year? Perhaps you should look into the technical details of the email. Let’s explore the source of the message.



Now we are looking at the finer details. Let’s get some data about who this is coming from. Looking at the source data of the email, we can see that there is an IP address of the sender.



Let’s take that IP address (40.92.12.18) and see who owns it, using the IP Lookup tools at www.ip-address.org.



If we type in the IP address and search, it comes back with what looks to be the name of a legitimate email server in Microsoft’s Outlook.com infrastructure. However, this does not match the server/domain details given in the message ID of the email: BY2PR12MB0292.namprd12.prod.outlook.com.



So, let's look at this problem the other way and do a Reverse IP Lookup. Initially the full server name of "BY2PR12MB0292.namprd12.prod.outlook.com" does not resolve to an IP address. Piece by piece we strip it down - “namprd12.prod.outlook.com”, then “prod.outlook.com” - still no resolution to an IP address. Finally “outlook.com” resolves to Microsoft Azure in Des Moines, Iowa, with an IP address of 40.97.128.194. Given that Outlook.com is a well known webmail service provider, this is an expected result.

But this is odd. Our IP Lookup and our Reverse IP Lookup results give conflicting information. Whilst there is an outside chance that it is all legitimate, there is a greater chance that these scammers have managed to successfully spoof the IP address from the Microsoft infrastructure and apply it to their own server, or worse, they have hacked the Outlook.com servers. Suffice to say, these results do not give us a warm and fuzzy safe feeling.

If my assertions regarding the address spoofing are even close to being correct, this is likely why the Gmail spam scanners did not send this email straight to my spam folder.
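
The header checks walked through by hand in this post and in the RBA hoax post above can be scripted. This is an added example, not the blog's own code: it runs the same checks (Reply-To and Message-ID domains against the From domain, a recipient with no name, a display name on a differently named mailbox, an archive attachment, and the originating IP against the networks the From domain is expected to send from) over a constructed message. The relay hostnames, addresses, documentation-range IPs and the expected-network table are all assumptions, not values from either real email, and the table stands in for the IP lookup step done by hand in the post.

```python
import email
import email.utils
import ipaddress
import re
from email import policy

# Constructed sample with the signs from both posts; hostnames and IPs are documentation values.
RAW_MESSAGE = """\
Received: from relay.example.net (relay.example.net [203.0.113.7]) by mx.example.com
Message-ID: <20170808.1234@other-domain.example>
From: Emma <Liam@aapt.net.au>
Reply-To: Emma <emma@elsewhere.example>
To: victim@example.com
Subject: Reserve Bank of Australia
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="instructions.zip"
Content-Disposition: attachment; filename="instructions.zip"

(constructed placeholder, not a real archive)
--b1--
"""

# Hypothetical table of networks a From domain is expected to send from (stands in for the IP lookup).
EXPECTED_SENDER_NETS = {"aapt.net.au": [ipaddress.ip_network("198.51.100.0/24")]}
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain_of(addr):
    """Domain part of an address or Message-ID, lower-cased ('' if absent)."""
    return str(addr).rpartition("@")[2].strip("<> ").lower()

def originating_ip(msg):
    """IP in the bottom-most Received header, i.e. the hop closest to the sender."""
    for hop in reversed(msg.get_all("Received") or []):
        match = IP_IN_BRACKETS.search(str(hop))
        if match:
            return ipaddress.ip_address(match.group(1))
    return None

def analyse(raw):
    # Returns a list of finding codes; an empty list means nothing odd was seen.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-domain-mismatch")
    if domain_of(msg.get("Message-ID", "")) != from_domain:
        findings.append("message-id-domain-mismatch")
    if not email.utils.parseaddr(str(msg.get("To", "")))[0]:
        findings.append("recipient-name-unknown")  # they have the address, not the name
    if from_name and from_name.split()[0].lower() not in from_addr.lower():
        findings.append("display-name-vs-address")  # "Emma" on a Liam@ mailbox
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".zip", ".rar", ".7z")):
            findings.append("archive-attachment:" + name)
    ip = originating_ip(msg)
    nets = EXPECTED_SENDER_NETS.get(from_domain, [])
    if ip is not None and nets and not any(ip in net for net in nets):
        findings.append("unexpected-origin-ip:" + str(ip))
    return findings
```

Paste the raw source of a suspect message (Gmail's "Show original") into RAW_MESSAGE to run the same checks on it.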

What to do next?

The next thing to do is to report this scam. At a bare minimum, this should be reported to your ISP or webmail provider. This will enable your webmail/ISP provider to block such emails better in future. Gmail provides an easy way to do this.



I would, however, encourage you to go further and report such emails to your relevant national cyber crime authorities. In Australia that is ScamWatch.gov.au. If you have already fallen victim to such an email, gather what evidence you can and report it to ACORN.gov.au - the Australian Cyber-crime Online Reporting Network.

Sunday, 14 May 2017

Wanna Cry?: That’s not the best way to deal with a cyber attack.

Looking inside the recent worldwide ransomware attack.



In the last few days, the computing world experienced one of the largest cyber attacks seen. Reports to date indicate that the Wanna Cry ransomware has infected Windows 10 computers in more than 100 countries. It has successfully attacked computers in Britain’s National Health Service (NHS), causing a number of hospitals to delay surgeries and to put their emergency departments on bypass, as they could not access patient files.

Typically, many media outlets across the globe have grabbed at this story and have talked up this attack, providing unnecessary hype. Even media here in Australia is trying to frame this as a cyber attack on Britain’s hospitals, because it gets their articles exposure. But what is the real truth behind this?

What is this malware?

The name of this malware is, “Wanna Cry” (or “WannaCry”), also called “WannaCryptor” and “WannaDecryptor”. It is a form of ransomware. But it is different to many other ransomware attacks.

It has the same effect as other ransomware attacks – the desktop PC is infected, copies of the user’s data files are encrypted rendering them worthless to the owner without the decryption key. The perpetrators may unlock the files with their decryption key in exchange for a ransom payment, but there is no guarantee that they will play nice.

How this attack differs from other ransomware is in its method of delivery. Most ransomware to date has been delivered like a poisoned sweet – a link in an email or webpage, that when clicked downloads the malware to the user’s computer. Wanna Cry however uses its NSA heritage to advantage – it is essentially a weaponised form of ransomware, that seeks out vulnerable computers and chooses to attack them. Further to this, Wanna Cry also exhibits worm-like behaviour, using infected PCs to search for other vulnerable PCs on their network for more attacks to occur – essentially it is capable of pack hunting.

The ransomware payload is also quite advanced. It is reportedly capable of encrypting users' files that are on connected external hard-drives (including thumb drives), and on cloud storage such as Dropbox and OneDrive.


Was it a targeted attack?

Given that Windows computers in more than 100 countries around the globe have been infected within a short period of time, this suggests that the NHS was not specifically targeted. Malware researchers have been able to determine that the heart of Wanna Cry is an exploit developed by the NSA, which was leaked to the world by the hacker team, the Shadow Brokers. To put it simply, an exploit is a tool that is made specifically to break into computers that have a pre-existing vulnerability. All the computers that have been infected would have shared this vulnerability: they were Windows computers that did not have the most recent patches, and whose anti-malware applications did not detect and stop the Wanna Cry attack.

So what can we say for certain about the targets of this attack? Anyone with an un-patched Windows 10 system.

Can we rule out this being an attack against British hospitals? No, but it would appear to be a less likely scenario. Given how the attack was carried out, it would appear that the hackers who conducted the attack were prototyping what they could do, finding out who was vulnerable.

Has the attack stopped?

Yes, for now. A malware researcher investigating the behaviour of Wanna Cry noticed that the ransomware was reporting back to a number of servers, one of which was not part of a registered domain. To be able to track the spread of the ransomware better, he registered the domain name and set up his own server. Inadvertently, this stopped the ransomware. The ransomware had been configured not to successfully connect to a server at the unregistered domain, as if it were in a sand-boxed environment. Connection to this new server tricked the malware into thinking that it was no longer in the sand-box and shut it down.

This revelation could suggest that this attack was just a test. Perhaps it was perpetrated by a state-based actor (an intelligence agency for example) who wanted to see how good the tools that were liberated from the NSA were, but to still be able to kill off their test at some point. Perhaps the perpetrators were a criminal element who want to sell their new tools, giving a potential buyer a taste of what they can do. Perhaps it was a team of hackers who made some mistakes.

Either way, one thing is certain: now that the world has learned of Wanna Cry, and of the weakness in how it was used this time, you can bet that there will be future attempts to use Wanna Cry or a variation of it with the current weakness removed.

Can my anti-malware suite stop Wanna Cry?

Reports suggest that the most recent versions of Kaspersky Labs and BitDefender anti-malware suites are capable of stopping Wanna Cry if they have the latest malware definitions (regularly updated).

How do I protect myself from Wanna Cry?

The steps to protect you and your data from ransomware such as Wanna Cry are relatively simple, but have their costs, in terms of time and money. They are however far cheaper and will cost you less time than falling victim to such attacks.


  1. Install Windows security patches, and set up automatic downloading and installation of Windows patches.
  2. Back up your data on offline hard drives. The ransomware will encrypt files on any connected external drives such as a USB thumb drive, as well as any network or cloud file stores. So, connect your external drive or thumb drive, back up your files, then disconnect your drive. Repeat on a weekly basis - or monthly if you don't use your computer that much.
  3. Patch and update your software and make sure you have all Windows updates on your machine.
  4. Use a reputable security suite. To check for recommended products, or to see how effective your current anti-malware is, check out the Anti-Virus Comparative – Real World Protection Test results for March 2017, available at: https://www.av-comparatives.org/wp-content/uploads/2017/04/avc_factsheet2017_03.pdf
  5. If you still feel uncertain, or in the dark, talk with your local computer specialist.

Friday, 24 March 2017

Using a VPN makes more sense day by day.


With efforts by telcos to monetise what their customers do online and the average citizen's privacy under growing threat, using a VPN to anonymise and encrypt your activities is no longer paranoia - it's a necessity.

Sunday, 15 January 2017

Ransomware 'in good faith?' What the?

Scammers never do anything in good faith, unless it is to draw you in closer to do more damage.

Want to know more about Ransomware?

Sunday, 1 January 2017

Happy New Year - Interesting events on the horizon

Happy New Year to All.

2017 is looking to be a wonderful and busy year.  I'm looking forward to kicking things off on the 21 January with my new seminar series.  The first seminar is Online Scam Awareness, at the Mechanic's Institute Hall in Binalong.  Please check the details, and if interested, call Mike L on 0414 942 397 to reserve your seat.