Is it Spam?

Is it spam? DHL package delivery phishing

[Image: the DHL phishing email]

Package deliveries to both businesses and homes are common events in this age of online commerce. Services like UPS, DHL and FedEx deliver thousands of packages daily. To compete, these services use email to provide customers with package tracking and problem resolution. That correspondence is low-hanging fruit for phishers: the recipient expects it, wants it, and acts on it quickly.

Today's example is a recent attack impersonating DHL that was crafted well enough to initially evade both desktop and gateway antispam measures.

The subject line, "About your package with DHL", is intended to raise curiosity.

The sender address contains the string dhllogistics. Phishers know that users often read only what they expect or want to see, and they exploit familiar brands accordingly. Here the phisher pairs that string with an onmicrosoft domain (onmicrosoft.com is the default tenant domain Microsoft assigns to every Microsoft 365 customer) so the address looks like a legitimate business mailbox. Note that an address like this is not spoofed in the technical sense: the mail really is sent from that tenant, so SPF and DKIM checks on the tenant's own domain can pass. What is false is the implied connection to DHL.

The message draws victims in by claiming that an attempt to deliver a package failed. This is the lure: the composition mimics typical correspondence from delivery services, and you want the package, so you oblige "DHL" by opening the attachment.

The phisher further attempts to make the message credible by including a confidentiality notice: why, the reader reasons, would such boilerplate be present if the mail weren't legitimate?
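The sender check described above can be automated. The following is an added example, not code from the original post: it parses a From: header, flags a courier brand name that appears in the display name, mailbox or domain when the message is not actually sent from that brand's domain, and separately flags a shared onmicrosoft.com tenant domain. The sample header is constructed in the shape the post describes (the real address is not reproduced on the page), and the brand-to-domain table is an illustrative assumption rather than an authoritative list.

```python
import re
from email.utils import parseaddr

# Brands that delivery-notification phish commonly impersonate, mapped to the
# domains those companies actually mail from. ASSUMPTION: this table is
# illustrative only; a production list would be maintained from each brand's
# published sender domains.
BRAND_DOMAINS = {
    "dhl": ("dhl.com", "dhl.de"),
    "ups": ("ups.com",),
    "fedex": ("fedex.com",),
}

# Constructed sample header in the shape described in the post; the message's
# real sender address is not reproduced on the page.
SAMPLE_FROM = '"DHL Logistics" <notify@dhllogistics.onmicrosoft.com>'


def _domain_matches(domain, allowed):
    """True if domain is one of the brand's domains or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def _mentions(brand, text):
    """Brand name present and not merely the tail of another word
    (so 'groups' does not trigger 'ups', while 'dhllogistics' does trigger 'dhl')."""
    return re.search(r"(?<![a-z])" + re.escape(brand), text) is not None


def triage_sender(from_header):
    """Return a list of (tag, detail) findings for a From: header.

    An empty list means no brand-impersonation or shared-tenant indicator
    was seen. Tags: 'brand_mismatch', 'shared_tenant_domain'.
    """
    display, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    display, local, domain = display.lower(), local.lower(), domain.lower()
    findings = []

    for brand, allowed in BRAND_DOMAINS.items():
        # Look for the brand everywhere the reader's eye lands: display name,
        # mailbox name, and domain.
        where = [label for label, text in (("display", display),
                                           ("local", local),
                                           ("domain", domain))
                 if _mentions(brand, text)]
        if where and not _domain_matches(domain, allowed):
            findings.append(("brand_mismatch",
                             f"'{brand}' in {','.join(where)} but sent from {domain}"))

    # onmicrosoft.com is the default tenant domain every Microsoft 365 customer
    # receives; established businesses rarely send customer mail from it.
    if domain == "onmicrosoft.com" or domain.endswith(".onmicrosoft.com"):
        findings.append(("shared_tenant_domain", domain))

    return findings


if __name__ == "__main__":
    for tag, detail in triage_sender(SAMPLE_FROM):
        print(f"{tag}: {detail}")
```

A finding here is a reason to look harder, not a verdict: a legitimate vendor can mail on a courier's behalf, and a brand-new business can still be on its onmicrosoft.com domain. The point is that the eye-catching string and the authentication results answer different questions, and only the first one is under the phisher's control.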

A trojan PDF

The hook to this phish is the attachment, DHL.pdf, which the recipient opens by clicking "Here".

In my phishing awareness training, I encourage our users to

  • Be suspicious of any attachment
  • Contact IT to report the suspicious email
  • Upload the attachment to a service like VirusTotal to see whether the file has already been analyzed (if the file might contain sensitive content, search by its hash first, since uploaded files are shared with VirusTotal's antivirus partners)

In this case, the file had indeed been analyzed and reported as a phish. You can copy-paste the image hyperlink below to read the full report.

[Image: VirusTotal report for DHL.pdf]

To learn how a phish of this kind works, I often submit one of VirusTotal's detection names to a search engine (here, PDF_MALPHISH.BYX), or I visit the antivirus vendor's threat encyclopedia. In this case, Trend Micro's entry describes the attachment as a trojan: when the victim opens it, he is directed to a fake Adobe site and asked to enter login credentials to "unlock" the secure PDF. Again, you can copy-paste the image hyperlink below to read the full report.

[Image: Trend Micro threat encyclopedia entry for PDF_MALPHISH.BYX]
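The triage steps above (hash the attachment, look it up rather than upload it, and find out what the PDF actually does) can be done in a few lines before anything is opened. The following is an added example and not code from the original post or from VirusTotal or Trend Micro: it hashes a file, builds the VirusTotal report URL and a v3 API hash-lookup request (built but not sent, so it runs offline), and scans the PDF for the name objects that carry actions, scripts, embedded files or external links. The PDF bytes are constructed to mimic the behaviour the write-up describes (a link action to an external "unlock" page); they are not the real DHL.pdf, and the URL in them is a placeholder.

```python
import hashlib
import re
import urllib.request

# Constructed minimal PDF in the shape the Trend Micro write-up describes: an
# action that sends the reader to an external "unlock" page. It is NOT the real
# DHL.pdf and the target URL is a placeholder.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /S /URI /URI (http://adobe-secure.example/unlock) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A 4 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# PDF name objects worth a second look in a mail attachment. /URI and /Launch
# take the reader somewhere else; /OpenAction and /AA fire without a click;
# /JS and /JavaScript carry script; /EmbeddedFile hides another file.
SUSPICIOUS_NAMES = (b"/OpenAction", b"/AA", b"/JS", b"/JavaScript",
                    b"/Launch", b"/URI", b"/EmbeddedFile")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def virustotal_report_url(data):
    """Public VirusTotal report page for a file, looked up by hash, not upload."""
    return "https://www.virustotal.com/gui/file/" + sha256_hex(data)


def virustotal_api_request(data, api_key):
    """Build (but do not send) a VirusTotal API v3 hash-lookup request.

    Send it with urllib.request.urlopen(req) once you have an API key.
    """
    req = urllib.request.Request(
        "https://www.virustotal.com/api/v3/files/" + sha256_hex(data))
    req.add_header("x-apikey", api_key)
    return req


def pdf_indicators(data):
    """Count suspicious name objects and extract any /URI targets."""
    # Name objects may be written with #xx hex escapes (e.g. /#55RI for /URI);
    # undo them first so plain string matching is not trivially evaded.
    plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                   lambda m: bytes([int(m.group(1), 16)]), data)
    names = {n.decode(): plain.count(n) for n in SUSPICIOUS_NAMES if n in plain}
    urls = [u.decode(errors="replace")
            for u in re.findall(rb"/URI\s*\(([^)]*)\)", plain)]
    return {"sha256": sha256_hex(data), "names": names, "urls": urls}


if __name__ == "__main__":
    report = pdf_indicators(SAMPLE_PDF)
    print("sha256:", report["sha256"])
    print("lookup:", virustotal_report_url(SAMPLE_PDF))
    print("names :", report["names"])
    print("urls  :", report["urls"])
```

This is a first pass, not a verdict. A PDF that stores its objects inside FlateDecode-compressed object streams will hide these names from a byte scan, so inflate the streams (zlib) or use a purpose-built tool such as pdfid or peepdf before concluding a file is clean. An /OpenAction pointing at a /URI, as in the sample, is exactly the "open it and you land on a fake Adobe login page" behaviour the vendor write-up describes.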

Takeaways

Be suspicious. Don't click on embedded links or open attachments if you have the least suspicion about a message. Report suspicious email to your IT staff or to the Anti-Phishing Working Group's reporting page.

Lastly, use the opportunity that your suspicion creates to conduct a simple investigation of the kind illustrated here. Spam and phishing constantly evolve to make users react without thinking or investigating. A few minutes invested each time will make you informed, aware, and more resilient to phishing and spam.

Is it Spam? A 419 Scam Moves to Skype

I recently received a Skype contact invitation from a "Benjamin Debrah" that looked like a 419 scam, also known as advance-fee fraud. I hadn't seen scams on Skype until now, so I decided to probe a bit.

[Image: the Skype contact request]

[Image: Google image search results for the profile photo]

I grabbed the image of the alleged Barclays employee in Ghana and used Google image search to find a match for the kindly looking elderly gentleman. Unsurprisingly, I turned up email scam alerts at scamwarners.com and romancescam.com, several likely bogus LinkedIn profiles in Ghana and the UK, and the likely real name of the innocent person whose photo the fraudster is using (Robert Ritch).

The scam message, though somewhat stylized or personalized, in every variant laments the passing of a relative in "a deadly earthquake that occurred on May 12, 2008 in Sicilian province of China" (I kid you not; the fraudster means Sichuan), or in Japan in March 2011. In all cases the fraudster is trying to elicit a response. If you do respond, he will discuss arrangements for transferring the funds, but will ask for a fee in advance to complete them. If you send that fee, perhaps by money wire, you will in all likelihood never hear from him again: the advance fee is what the fraudster hopes to earn through his efforts.

What should you do if you receive scam or fraud contacts or requests in Skype?

  1. Do not accept the contact or engage in a chat or call with anyone you suspect may be attempting to scam you.
  2. Block the contact.
  3. Report the contact to Skype. According to Skype's abuse-reporting page, "The Skype Name of the blocked person is stored by us once they are reported for abuse, but the content, such as IM messages or the contact request itself, is not."
  4. In the US, you can report the contact to the FBI (its Internet Crime Complaint Center, ic3.gov). You can of course also join grassroots efforts and contact any of the scam-reporting sites like those I mentioned earlier.