by Barracuda Labs
In slasher movies, there’s often a scene where terrified teenagers try to trace the phone calls of a homicidal maniac only to discover that the phone calls are coming from inside the building.
A recent spam case that was referred to the Lab reminded us of one of those scenes and underscored the fact that everyone should be suspicious of unsolicited emails. This is especially true of unsolicited emails that ask you to run something on your computer, no matter WHO they come from at any time.
In this particular case, the spam emails were sent to users within a medium-sized professional firm. They were carefully crafted to appear to be an Adobe security update originally sent to the Assistant Director of Information Technology and then individually forwarded from her. (Names and domains in the message have been changed.)
The bulk of the message looks like a security update from Adobe regarding vulnerability CVE-2010-0193. The linked executable actually is a malicious file that installs a Trojan backdoor program. The linked .PDF also contains a clickable link to the Trojan. Adobe already has reported this spam campaign here:
http://blogs.adobe.com/psirt/2010/05/alert_adobe_security_update_em.html
What’s particularly interesting is just above the forwarded message. The information about the sender of the email – Jane Doe, Assistant Director of Information Technology, JaneDoe@phished.com – is ‘real’ data, most likely harvested from elsewhere on the Internet, and would appear to be normal to co-workers within her company. Her email address is used in the body of the forwarded message as well, making it appear that it really was sent directly to Jane and then she is forwarding it along. Except that she isn’t.
The ‘From’ field of the email has been spoofed (i.e., faked), something spammers easily can do. Instead, examination of the internal email headers reveals that the entire message was sent from a compromised computer in West Virginia.
It is common for spam to be sent with faked ‘From’ data; however, this case takes that even a step further. The ‘From’ name was chosen specifically in order to gain the trust of the users at phished.com who received the messages. This was a deliberate and targeted batch of spam, sometimes called “spear” phishing, which demonstrates just how clever the bad guys are and just how cautious we as users have to be.
Barracuda Spam Firewalls block these emails.
Below are various screenshots of the targeted attack in action.
The targeted email seemingly coming from inside the organization.
The spoofed "from" address, which appears to be correct.
The .PDF mentioned in the email message that contains a malicious link.
Malicious file in action: the presumed software license agreement.
Malicious file in action: setup wizard.
Malicious file in action: accepting terms of the license agreement.
Malicious file in action: ready to install.
Malicious file in action: prompt to reboot.
Malicious file in action: execution complete.
