{"id":232,"date":"2016-04-14T14:01:56","date_gmt":"2016-04-14T18:01:56","guid":{"rendered":"http:\/\/www.heliotropicsystems.com\/blog\/?p=232"},"modified":"2016-04-14T14:02:31","modified_gmt":"2016-04-14T18:02:31","slug":"this-is-not-an-april-fools-day-missive","status":"publish","type":"post","link":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/this-is-not-an-april-fools-day-missive\/","title":{"rendered":"This is not an April Fool\u2019s Day missive"},"content":{"rendered":"<p>There is a reason I send out regular security bulletins explicitly warning about malicious email activity and instructing you, my clients, to call me before you do anything that could have serious repercussions.\u00a0 That is because there is really bad stuff out there!<\/p>\n<p>I received a voice mail from a client saying she received an email from her accountant and it contained instructions for using Dropbox.\u00a0 (Dropbox is a file hosting service that offers cloud storage and file synchronization.)\u00a0 When I listened to the recording, I wasn\u2019t sure if she couldn&#8217;t follow the instructions or if she couldn&#8217;t get Dropbox to open.\u00a0 Needless to say, she sent the email to her son, and he couldn&#8217;t get it to work either.<\/p>\n<p>Then she called her accountant, who told her he didn&#8217;t send it, but that other clients also received the email.\u00a0 After all of that, she ended her message asking me if her computer was OK.<\/p>\n<p>Well, that was a tough question to answer.\u00a0 Just the same I was able to conduct some forensics into what occurred with this email \u2013 and it was most certainly malicious.<\/p>\n<p>Here is the text of the problematic email (unfortunately I couldn\u2019t capture the header information).<\/p>\n<p><a href=\"http:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-233\" alt=\"apr1\" 
src=\"http:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr1-300x83.jpg\" width=\"300\" height=\"83\" srcset=\"https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr1-300x83.jpg 300w, https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr1-150x41.jpg 150w, https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr1.jpg 624w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Now, I don\u2019t know how many times I have told you not to click on links from people you don\u2019t know, but that wasn\u2019t the case here. This sender (whose name has been erased) is known to the recipient. However, I strongly doubt that any business person she knows uses arbitrary capitalization like this. I also doubt a professional would ever send an invoice labeled as a \u201cdoc\u201d file with a \u201cjpg\u201d file type.<br \/>\n<!--more--><br \/>\nWhen you hover your mouse over the link, it shows http:\/\/ow.ly\/ZZdSz. This is a form of URL (web address) shortening provided by the social site, HootSuite.<\/p>\n<p>The resulting link resolves to the following page:<\/p>\n<p><a href=\"http:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr2.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-234\" alt=\"apr2\" src=\"http:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr2-300x197.jpg\" width=\"300\" height=\"197\" srcset=\"https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr2-300x197.jpg 300w, https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr2-150x98.jpg 150w, https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr2-1024x674.jpg 1024w, https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr2.jpg 1299w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>On the surface this looks like a sign-in page for Dropbox. 
However, if you look carefully in the address bar, you do not see the address for Dropbox. What you do see is a mile of gibberish, which alerted me to the fact that this web site was not legitimate. I also realize that the majority of people who use the Internet do not look in their browser\u2019s address bar. With that in mind, I plowed on.<\/p>\n<p>I looked at the source code for this particular web page. And while the resulting HTML code isn\u2019t anything I would expect you to understand, the most significant element is the repeated appearance of one Internet address that is used throughout. It is http:\/\/alllprotect.com, which is the source of this nonsense. Note that there are three \u201cl\u201ds in this name, which is not quite normal.<\/p>\n<p>I ran the utility \u201cwhois\u201d to find out information about this web site. The resulting page, from the web host GoDaddy, shows the following:<\/p>\n<p><a href=\"http:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr3.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-235\" alt=\"apr3\" src=\"http:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr3-233x300.jpg\" width=\"233\" height=\"300\" srcset=\"https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr3-233x300.jpg 233w, https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr3-116x150.jpg 116w, https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr3-797x1024.jpg 797w, https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr3.jpg 1020w\" sizes=\"auto, (max-width: 233px) 100vw, 233px\" \/><\/a><\/p>\n<p>There may, in fact, be a person named Dominick LaGatta living at 7207 Sandy Isle Lane in Spring, Texas. But the phone number is a Carlsbad, California exchange. Yes, I know, some people move and take their cell phones with them. But most don\u2019t use a Gmail address like this person did. 
After all, whirldcitizen@gmail.com strikes me as something a kid would do if he was trying to act \u201ccool.\u201d<\/p>\n<p>This is obviously a web site that was registered to perform malicious activity and to hide the actual owner of the site.<\/p>\n<p>Still, in the attempt to find out all I could, I logged on to the web page using the email address, fredflintstone@bedrock.com, with a password of \u201cBarney.\u201d That produced the following Symantec alert:<\/p>\n<p><a href=\"http:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr4.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-236\" alt=\"apr4\" src=\"http:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr4-300x177.jpg\" width=\"300\" height=\"177\" srcset=\"https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr4-300x177.jpg 300w, https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr4-150x88.jpg 150w, https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr4-1024x606.jpg 1024w, https:\/\/www.heliotropicsystems.com\/blog\/wp-content\/uploads\/apr4.jpg 1299w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>This alert says that the web site matches the signature of a known attack. This means that Symantec has already detected this site as having malicious intent.<\/p>\n<p>Now, if you didn\u2019t have Symantec protection (to simulate that I deliberately ignored the warning) the web site would have downloaded a Dropbox setup file. In my test case, Symantec quarantined it immediately, having recognized it as suspect. Again, if you didn\u2019t have Symantec protection, this file would have downloaded.<\/p>\n<p>There is no telling what this particular file could have done to your computer, your files, or your privacy if it was actually installed on your computer. 
As it stands, anyone who used their email address and regular password from any of the sites shown on the bogus web page now has a compromised email account. And that is why you must always be on the lookout for fake emails.<\/p>\n<p>While the only thing you can do \u2013 short of changing your email address \u2013 is to change your password, that may not be sufficient. The fact that someone responded to this web page means that particular email address is going to be a target for additional attempts to deliver more malicious payloads in the future.<\/p>\n<p>So I will repeat my warning: If you ever get any mail that you are unsure about, either delete it, or contact me so that I can review the contents and let you know if it is safe or garbage.<\/p>\n<p>Any questions?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There is a reason I send out regular security bulletins explicitly warning about malicious email activity and instructing you, my clients, to call me before you do anything that could have serious repercussions.\u00a0 That is because there is really bad stuff out there! 
I received a voice mail from a client saying she received an <span class=\"ellipsis\">&hellip;<\/span> <span class=\"more-link-wrap\"><a href=\"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/this-is-not-an-april-fools-day-missive\/\" class=\"more-link\"><span>Read More &rarr;<\/span><\/a><\/span><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[7,41,40],"tags":[],"class_list":["post-232","post","type-post","status-publish","format-standard","hentry","category-everyone","category-phishing","category-security"],"_links":{"self":[{"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=232"}],"version-history":[{"count":1,"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/232\/revisions"}],"predecessor-version":[{"id":237,"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/232\/revisions\/237"}],"wp:attachment":[{"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=232"},{"taxonomy":"post_tag","em
beddable":true,"href":"https:\/\/www.heliotropicsystems.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}