One Click Away

One thing I see over and over again is the e-mail from a friend that obviously reveals that their e-mail address book has been compromised. Blast, after blast, after blast. The consequences of having viruses, malware, trojans, or worms on your computer really don’t register with most people. Botnets, ransomware, extortion – you name it. It’s all there. Your digital life is at someone else’s mercy.

While I was an undergraduate in the computer engineering department, we used an e-mail program called Pine. It is text only, used for actually sending text (e-mail). Its purpose was to display text and allow you to reply with text. Pretty simple, right? I have always appreciated this elegance, subconsciously ignoring its real power and value.

Fast forward to today. In many ways, people consume software like crows collect shiny things. We’re attracted to the latest bells, knobs, widgets, and features that a salesperson says we need. What has happened is that e-mail has turned from a messaging system for text into a platform so integrated with your computer that attacks and infestations are now trivial. People are happy to have these shiny things, and are willing to install incredibly complex and often weak security products to combat attacks via e-mail. Make no mistake, this industry has a lot of money involved, and it will *never* go away.

What I am about to say will, no doubt, be laughable to most: dumb your e-mail down, and use a text-only reader again – you will be better off in the end. The reason I say this is a recent e-mail I received. It was well crafted, appearing to be from a large social networking site, stating that my account had been locked due to a login from an odd computer (site redacted):

Date: Sat, 11 Feb 2017 08:20:00 -0500
From: [large socialmedia] no-reply@accounts.compromised.[large socialmedia].com
Subject: [large socialmedia] account compromised
Parts/Attachments:
   1 Shown     17 lines  Text (charset: ISO-8859-1)
   2          162 KB     {application/octet-stream}
   3 Shown      1 lines  Text
----------------------------------------

Dear [large socialmedia] user,

Your [large socialmedia] account was recently logged into from a computer,
mobile device or other location you've never used
before. For your protection, we've temporarily locked your account your
account until you can review this activity and make sure no one
is using your account without your permission.

Did you log into [large socialmedia] from a new device or an unsual location?

- If this was not you, please download attached file and follow the
instructions provided to help you control
your account information.


Thanks,
[large socialmedia] Security Team


    [ Part 2, {application/octet-stream}/UNKNOWN (Name: ]
    [ "COMPROMISED11022017.zip") 162 KB. ]
    [ Cannot display this part. Press "V" then "S" to save in a file. ]

    [ Part 3: "Attached Text" ]

Obviously this is an easy one, in that it misspells unusual as unsual. But do people pay attention? I didn’t initially. I had just been on the large social media company’s web site. Could this be real? Well, the simplest answer was to log back in, which I did. Guess what? It wasn’t locked.

Taking a look at the attachment’s bits using hexdump on Linux:

$ unzip COMPROMISED11022017.zip
$ hexdump -C COMPROMISED11022017.exe | less

I looked for the string “exe” and guess what pops up? Hand.exe. Doing a quick search of hand.exe yields this link:

http://www.threatexpert.com/files/hand.exe.html
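The same triage can be done without saving and unzipping by hand. The following is an added example, not code from the original post: it constructs a message shaped like the one quoted above (a text part plus a .zip in an application/octet-stream part), then walks the MIME parts the way Pine’s Parts/Attachments listing does and sniffs the zip’s members for executable magic bytes. The attachment payload is a dummy “MZ” header with the string “hand.exe” inside, not a real program, and the sender address is a placeholder; only the attachment file names come from the post.

```python
"""Triage a MIME message's attachments without opening them.

Added example (not from the original post). The message built here is
constructed to mirror the shape of the quoted phishing e-mail; the zip
member is a fake "MZ" stub, never a real executable.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes that identify common executable formats (PE/DOS and ELF).
EXECUTABLE_MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable"}
ZIP_MAGIC = b"PK\x03\x04"


def build_sample_message() -> bytes:
    """Construct a phishing-shaped message: plain-text lure plus a zip holding an 'exe'."""
    # Constructed payload: PE magic, padding, and the string seen in the post's hexdump.
    fake_exe = b"MZ" + b"\x00" * 62 + b"hand.exe\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("COMPROMISED11022017.exe", fake_exe)

    msg = EmailMessage()
    msg["From"] = "no-reply@accounts.compromised.example.invalid"  # placeholder sender
    msg["Subject"] = "[example] account compromised"
    msg.set_content("Dear user,\n\nplease download attached file and follow the instructions.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream",
                       filename="COMPROMISED11022017.zip")
    return msg.as_bytes()


def inspect_zip(data: bytes) -> list[dict]:
    """List zip members and sniff each member's first bytes for executable magic."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(4)  # read only the header, never the whole member
            kind = next((label for magic, label in EXECUTABLE_MAGIC.items()
                         if head.startswith(magic)), None)
            findings.append({"name": info.filename, "size": info.file_size, "executable": kind})
    return findings


def triage(raw: bytes) -> list[dict]:
    """Enumerate leaf MIME parts (numbered like Pine's listing) and flag executable content."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    part_no = 0
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers are not shown as parts
        part_no += 1
        payload = part.get_payload(decode=True) or b""
        entry = {"part": part_no, "type": part.get_content_type(),
                 "name": part.get_filename(), "size": len(payload), "members": []}
        if payload.startswith(ZIP_MAGIC):
            entry["members"] = inspect_zip(payload)
        # Suspicious if the part itself or any zip member carries executable magic.
        direct_exe = any(payload.startswith(m) for m in EXECUTABLE_MAGIC)
        nested_exe = any(m["executable"] for m in entry["members"])
        entry["suspicious"] = direct_exe or nested_exe
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in triage(build_sample_message()):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{entry['part']:>2} {entry['type']:<26} {entry['size']:>7} B  "
              f"{entry['name'] or ''}  {flag}")
        for m in entry["members"]:
            print(f"     -> {m['name']} ({m['size']} B): {m['executable'] or 'no executable magic'}")
```

Pine already shows the part list; what this adds is the look inside the zip that the post did with unzip and hexdump, performed on bytes in memory so nothing is ever written to disk or launched. Magic-byte sniffing catches a renamed executable that a file-extension check would miss.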

The obvious is true: another attack via e-mail. The protection from a text-based reader is that one cannot “click” on the attachment. It forces you to examine what you are doing, requiring extra steps. This is a small price, and one I am happy to pay. You should be too.
