Spammers know this and have been increasingly presenting malware as if it were a resume, hoping that the recipient will be so curious about a potential applicant that they open or run something that they shouldn’t.

The Barracuda Labs spam monitoring center has detected a recent increase in the amount of this fake resume spam from multiple sources.  While the messages are similar, the threats they carry are all different.  Here are three cautionary examples…

HTML attachment

One common feature of these fake resumes is that the spammer keeps the  message short and sweet, hoping you’ll open the attachment to see if this is that one resume they’ve been waiting for.

Of course in this case better grammar would help make the sale.   This particular message contains an HTML attachment, something our honeypots have seen a great deal of in the past week.    HTML attachments are less likely to be filtered by email scanning software that might otherwise reject binary attachments by default, and even end users who are conditioned not to open and run programs might look at a HTML file and think that it is harmless.

Except that this HTML is anything but harmless.

The attachment is 100% obfuscated malicious JavaScript.   Opening it in a browser (which is the default action when clicked) raises an alert

and sends you off to a bogus antivirus site.

Don’t open suspicious HTML attachments.   Email the sender and ask for the information in a different format, such as a Word document or text file.

RTF attachment

Since the Rich Text Format (RTF) is handled by Windows Wordpad and Microsoft Word, you wouldn’t necessarily be surprised to get an email with a resume in that format

However, it is possible to completely embed an executable program within an RTF document, and that’s what we have here.

When first opened the filename of this embedded object only partly displays.   Still, clicking on it does display a security warning that should make you think twice.   After all, a resume doesn’t normally need to be “Run”.

If you do click run, nothing seems to happen.   However, if you’re watching your internet traffic you’ll see the telltale signs of a Zeus Trojan infection.

A Zeus trojan will quietly examine your internet traffic looking for usernames and passwords, and then send them back to criminals who use them to take over online accounts.  Many cases of online banking fraud involve passwords stolen by this malware family.

ZIP attachment

The last example has the most convincing message text, and the file name of the attachment includes a persons name, making it look less threatening

But once you’ve opened the .zip attachment the alarm bells should be ringing.

A careful check of the properties of the file inside shows it is an executable, and clicking on it would run it.  As we said above, resumes do not normally need to be “Run”.   Doing so just installs a fake antimalware named SecurityTool onto your computer.

If you or your colleagues handle resumes be careful of unsolicited or unanticipated resume emails.  Examine any resume attachments carefully before opening them, and as we repeatedly stress, never press the “Run” button unless you are certain that is appropriate – it rarely is.

Barracuda Spam & Virus Firewall customers are protected from these attacks.

Dave Michmerhuizen – Barracuda Labs

Weddings are joyous affairs, happy occasions for celebration. When friends find a soulmate and announce their intentions to the world, it’s exciting. We’re thrilled for them and we want the details right away.

Well, not so fast.

Barracuda Labs spam honeypots have recently detected spammers sending multiple wedding-themed emails, hoping to catch people with their guards down.  The messages can be quite convincing, but there is no “happily ever after” in the malware that is attached to them.

Consider this wedding invitation:

"Wedding Invitation" email

If the attached “Wedding Card” is opened, it launches a fake antivirus – SecurityTool:

In addition to dropping SecurityTool on the system, the Wedding Card also downloads Trojan.Fitmu.A:

Download of password stealer

This program quietly runs in the background looking for usernames and passwords to steal.  In particular it steals FTP passwords, and stolen FTP passwords are the most common way that sites are hacked.

"Wedding Contract" email

Upon first glance and a quick scan, it could appear as your legitimate contract (of course, hopefully the users will notice if the venue is not one they have been reviewing!). If the attachment is opened, it does not appear to do anything at all.  Nothing displays.  However, more is going on behind the scenes.

The attachment is actually a Zeus Trojan, a password stealer that specializes in online banking passwords.  The traffic here shows the Trojan retrieving its configuration and checking in with its command and control server.

The bottom line? Stay alert, scrutinize emails carefully and spread the word to your friends and co-workers. Being aware of these spam attacks helps prevent their success.

Barracuda Spam & Virus Firewall, Barracuda Web Filter and Barracuda Web Filtering Service customers are protected from this attack.

Barracuda Labs spam monitoring systems have picked up a massive new spam campaign whose messages pretend to be output files from a popular Xerox office copier.

Hundreds of thousands of these messages are circulating around the globe, titled Scan from a Xerox WorkCentre Pro and containing a single .zip file attachment tagged with a random number that helps them avoid detection by anti-spam technology. In fact, Virus Total calculates detection rates at around 19.5% as referenced by certain TechHerald employees today.

The message format closely mimics the one used by a real Xerox WorkCentre Pro, except for one detail – Xerox scanners do not email their outputs using the .zip format. The WorkCentre Pro from Xerox typically scans documents to PDF, email or FTP accounts.

The message text claims that the attachment is a zipped .doc file, and the .zip file itself hides the true extension of the file contained within.  It is not until you go to open the file that you see its true nature.  It is an executable and it is not scanner output – it is a variant of Trojan Oficla.

Choosing  Run (which you should not do) seems to do nothing at all – the Trojan runs but does not display any decoy image.  Rather, it simply installs itself and gets to work in the background downloading other malware.

Samples executed at Barracuda Labs quickly start up a Spambot which sends out more copies of the same message.

As always, never trust unexpected emails, and in particular, never press the “Run” button unless you are 100% certain of what you are doing.  Word documents are “opened” and they are not “run” at any time. And, of course, always keep your security software updated on your system. If this message lands in your inbox, please delete and make sure to spread this message with your friends and colleagues.

Barracuda Spam & Virus Firewall customers are protected from this attack.

This week a new sort of spam started showing up in the Barracuda Labs Spam Honeypots – fake sender verification emails such as the one below:

Sender Verification emails ask users to verify that they sent a particular email to someone, usually by responding with another email, or as in this case, by clicking on an embedded link.

Under normal circumstances, these emails come from an email server that has been enhanced with  sender verification software as a spam-fighting measure.  While this software is not as common as it once was, these systems still are used by some businesses and ISPs.

However, the example above merely pretends to be one of these verification emails and is not from an email server at all.  Instead, it is cleverly constructed spam whose included link can take the recipient to suspicious Websites, or even offer up executable malware.

This spam appears plausible and easily can trick the unwary email user.

Close examination does reveal several tell-all signs that this email is suspicious. For starters, the name of the person supposedly emailed is missing.  Second, the domain that the email purports to come from is the same domain as that of the user, which makes no sense since the user should not need to verify himself to his own mail server.

Indeed,  one aspect of this campaign is that each spam is carefully tailored to  reference the email domain of the recipient, most likely because that domain is one the recipient knows and trusts.

The message is sent only in HTML format, and the link has varied over time. In some cases, it redirects to Canadian Pharmacy Viagra sites.  In others, the link presents the user with a Windows .EXE to run, which is a variant of the rapidly spreading TDSS rootkit.

While it is easy enough to hover over the link and see that it does not go back to the organization shown as having sent the email, many users will not question the name of the domain in the verification link.

Barracuda Spam & Virus Firewalls block these emails.  We suggest users take note and warn other email users of this new social engineering tactic.  These emails do not fight spam; they ARE spam.

Eminem still isn’t dead… at least not as of June 2010. Barracuda Labs honeypots have received thousands of copies of a new spam that is trying to take advantage of a venerable hoax that rap artist Eminem has died in a car crash, this time according to CBS news.

The entire poorly written story is contained in an image that links to a file, outlined in red above. The victims are led to believe they are clicking on a CBS story, but actually the file downloads EminemDead.exe. Running this file installs a backdoor on the victim’s computer which has very low detection rates – VirusTotal results.

This once again reiterates the importance of never running anything distributed in an email unless the source is known.

Barracuda Spam & Virus Firewalls intercept these emails, and Barracuda Web Filters block the payload.

In slasher movies, there’s often a scene where terrified teenagers try to trace the phone calls of a homicidal maniac only to discover that the phone calls are coming from inside the building.

A recent spam case that was referred to the Lab reminded us of one of those scenes and underscored the fact that everyone should be suspicious of unsolicited emails. This is especially true of unsolicited emails that ask you to run something on your computer, no matter WHO they come from at any time.

In this particular case, the spam emails were sent to users within a medium-sized professional firm. They were carefully crafted to appear to be an Adobe security update originally sent to the Assistant Director of Information Technology and then individually forwarded from her. (Names and domains in the message have been changed.)

The bulk of the message looks like a security update from Adobe regarding vulnerability CVE-2010-0193. The linked executable actually is a malicious file that installs a Trojan backdoor program. The linked .PDF also contains a clickable link to the Trojan. Adobe already has reported this spam campaign here:

http://blogs.adobe.com/psirt/2010/05/alert_adobe_security_update_em.html

What’s particularly interesting is just above the forwarded message. The information about the sender of the email – Jane Doe, Assistant Director of Information Technology, JaneDoe@phished.com – is ‘real’ data, most likely harvested from elsewhere on the Internet, and would appear to be normal to co-workers within her company. Her email address is used in the body of the forwarded message as well, making it appear that it really was sent directly to Jane and then she is forwarding it along. Except that she isn’t.

The ‘From’ field of the email has been spoofed (i.e., faked), something spammers easily can do. Instead, examination of the internal email headers reveals that the entire message was sent from a compromised computer in West Virginia.

It is common for spam to be sent with faked ‘From’ data; however, this case takes that even a step further. The ‘From’ name was chosen specifically in order to gain the trust of the users at phished.com who received the messages. This was a deliberate and targeted batch of spam, sometimes called “spear” phishing, which demonstrates just how clever the bad guys are and just how cautious we as users have to be.

Barracuda Spam Firewalls block these emails.

Below are various screenshots of the targeted attack in action.

The targeted email seemingly coming from inside the organization.

The spoofed "from" address, which appears to be correct.

The .PDF mentioned in the email message that contains a malicious link.

Malicious file in action: the presumed software license agreement.

Malicious file in action: setup wizard.

Malicious file in action: accepting terms of the license agreement.

Malicious file in action: ready to install.

Malicious file in action: prompt to reboot.

Malicious file in action: execution complete.

With the increased awareness and attention around incidents of identity theft, consumers are becoming more vigilant in how they provide personal information online. At the same time, businesses that require such information to complete a transaction also must evaluate how they collect that information online from consumers.

For example, a colleague recently forwarded the email below from Southwest requesting personal information to complete the Transportation Security Administration’s (TSA) Secure Flight verification. Because the email was sent after the flight reservation was booked, it was unclear to the recipient whether or not the email was legitimate. Upon examination, it is clear that this is a legitimate email from Southwest; however, it is one that could easily be forged by a spammer or hacker attempting to collect a user’s personal information.

As people are making final travel arrangements and gift purchases online in this last week leading up to the holidays, Barracuda Networks has compiled a number of tips to help consumers discern legitimate emails and Web sites from malicious attempts, as well as recommendations for businesses to better serve their consumers online.

Online consumer safety:

1. Real or fake? Do not click on links included in an email. Instead, type the address directly into your Internet browser.

2. Email security and anti-virus solutions up-and-running. Make sure you have a strong email security solution in place that can block spam and phishing emails as well as detect and block viruses and other malware (including malicious Web links) contained in the email. As an extra precaution, make sure your desktop anti-virus protection is up-to-date and running. This will keep any viruses/malware not sent over email from infecting your computer or adding you to a larger botnet.

3. Strong Web filtering. Having a strong Web filter in place will allow you to block access to potentially dangerous Web sites. Web filters can block downloads by file type and applications that access the Internet (i.e. IM, music services, etc.) that are often used by hackers as a means of transporting malware onto your computer.

4. When in doubt, check it out. If you receive an email from a business that you recently have done an online transaction with – retail, bank, airline, etc. – and are not sure of its authenticity, check it out. Call or email the business to verify that the request is legitimate. Also, you can go directly to that company’s Web site to look for warnings listed of recent Web scams that have targeted the business.

Helping businesses serve customers:
1. On-site, at-once. Request all necessary customer information at the time of purchase, while the consumer is on the Web site. In the case of the Southwest email, if the consumer had been directed to the “MySouthwest Account” to provide this information at the time of flight reservation and purchase, it would have expedited the process for the consumer and eliminated the need to send a follow up email that raised the suspicion of the recipient.

2. Avoid follow up email. Consumers are likely to be more suspicious of emails requesting that they log back into – or create – an account to provide personal information.

3. Provide clear instructions. If sending a follow up email to complete the transaction is unavoidable, provide a clear message to the consumer at the end of the initial online transaction – before they leave the Web site – so that they know to expect an email that will require additional information and what that required information will be.

4. Privacy Policy. Be sure to provide a privacy policy that’s easy to find and is clear on what the Web site will and won’t do with the information entered.

5. Protect customer information on your site. Businesses are responsible for ensuring that the customer information that it collects online is protected from those with malicious intent. Implementing a strong Web application firewall protects the business Web site from being hacked and customer information from being stolen.

The underlying goal here is to enure that businesses that legitimately require user information receive it in a timely and secure fashion. That will keep the bad guys out of consumer’s wallets and bank accounts, and from stealing their identities.

If you look at the email you will see that we have identified the hyperlinks take you to a legitimate Southwest domain. We know it is a legitimate Web site because the URL contains the Southwest domain.