We've received another well-crafted e-mail attack here at PC World along the lines of the recent faked Better Business Bureau and IRS messages. This one came as a faked invoice from accounting@beckman.com at a supposed Beckman Instruments, Inc., with a Word .doc attachment named Proforma_Invoice.doc.

Only a few antivirus engines flag the attachment as dangerous, according to Virustotal.com.
Similar to previous attacks, this e-mail used the correct recipient name and business name within the subject (the BBB and IRS messages included it in the message body). Also, the message didn't have any of the spelling or grammatical mistakes that usually signal a phishing attack. An icon inside the document asks the reader to click it; doing so would likely attempt to download malware (we didn't try).
Another attack method analyzed by Joe Stewart at SecureWorks prompted victims to click an e-mail link to download BBB complaint documents. The resultant file name was one of the few good tip-offs that the message was an attack and not a real complaint: the file ends with ".doc.exe," a clear attempt to trick victims into running the malware program (real Word docs won't have the .exe extension).
According to Stewart's report, one variety of the still-underway BBB attack attempts to download malware that will infect Internet Explorer and steal all the 'interactive data' sent from IE to Web sites. That can include credit card numbers and site logins, even if they're sent over an SSL connection (the malware grabs the data before it's encrypted and sent).
So set your e-mail suspicion level up a few notches. If you receive an unexpected invoice, complaint, or anything else with an attachment or link, be extremely wary of opening the attachment or clicking the link.
To sound out a suspicious e-mail, you can check the supposed e-mail sender's domain. In the case of the faked invoice, our Editor-in-Chief Harry McCracken discovered that while Beckman.com is a valid site, it's not for Beckman Instruments, Inc.
If you do get pulled in far enough to download a file, keep an eye out for anything that ends with ".doc.exe," and don't open it.
But you're much better off not opening the Word .doc at all. If the attackers manage to combine this attack with a Word zero-day vulnerability (like one from February) that can launch an attack as soon as you open a file, this will all go from bad to much, much worse.
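The ".doc.exe" tip-off described above can also be checked automatically when triaging a suspicious message. The following is an added example, not part of the original article: the extension lists, function names, addresses and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Illustrative lists (assumptions, not exhaustive).
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
DECOY = {"doc", "pdf", "xls", "txt", "rtf", "jpg"}


def deceptive_name(filename):
    """True if the name ends in a document-style extension followed by an executable one."""
    # Windows ignores trailing dots and spaces, and attackers pad with spaces
    # to push the real extension out of view, so normalise both.
    parts = [p.strip() for p in filename.strip(" .").lower().split(".")]
    return len(parts) >= 3 and parts[-1] in EXECUTABLE and parts[-2] in DECOY


def flag_attachments(raw_message):
    """Return attachment filenames in a raw message (bytes) that look deceptive."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and deceptive_name(name):
            flagged.append(name)
    return flagged


def build_sample():
    """Constructed test message carrying one plain .doc and one .doc.exe attachment."""
    msg = EmailMessage()
    msg["From"] = "accounting@example.com"   # placeholder sender
    msg["To"] = "reader@example.org"         # placeholder recipient
    msg["Subject"] = "Invoice for Reader, Example Corp"
    msg.set_content("Please see the attached documents.")
    for name in ("Proforma_Invoice.doc", "complaint_sample.doc.exe"):
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_attachments(build_sample()))
```

A plain `Proforma_Invoice.doc` passes this check, which is the point of the paragraph above: the file name only catches the disguised-executable variant, not a malicious Word document.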
OK, don't flame me please, cause I'm only trying to show those who are interested that there are other alternatives to being a victim.
I downloaded some application that my computer has never seen before. I changed its name from "Sequential.app" to "Sequential.doc.app" and emailed it to myself. When it came in I clicked on it, and got a message box that says "'Sequential.doc.app' is an application. Are you sure you want to open the application 'Sequential.doc.app'?" And it gave me two choices, Cancel and Open. This is what happens when someone tries to fool you into opening an application in an email on a Mac using Apple Mail. OK, now flame away, but those who want to know now know.
I reported this to Symantec and analyzed the malware itself. Without getting into too much detail, it collects a lot of info about your PC including all browser cache, cookies and history and uploads the information (and maintains communication) over HTTP to a (compromised?) host in Florida (208.64.137.12) and another one in China (221.195.42.67). It puts itself into the RUN key in the registry to start automatically and puts the files Microsoft.exe and Microsoft.dll into the root of C:\.
Symantec did provide me with rapid release definitions before the end of the day to detect the malware and prevent its spread. If you subscribe to those types of quick fix updates from them you'll be protected by now.
Scott Wiegel