Have you been targeted by Fraud emails?

Tags: :
Lately, we have seen an uptick of fraudulent emails. The fraudulent emails are only sent to one or two people in highly targeted attacks. First they locate the names of high level executives, Then "spoofed" message are sent allegedly from these executives to people empowered to disburse money  They hope the recipient will act quickly to please the executive and send money before realizing it is a spoofed message.

Many of the messages "pretend" to be internal, but that are really from external sources but use the display name of a senior executive, or that have ReplyTo to an outside domain.

For example, one attack could have this sender:

"Bill Gates" <bill.gates@micros0ft.com>

In most email systems, the display name is all you see, so a reply might miss the fact that the message is going outside the organization.

Have any of you been attacked like this? Or in other ways?

I would love to see some samples to see the variations on this attack. Post them below, or send to my email address frank_paolino@maysoft.com


Poodle + Domino SSL = Mail Problems

Tags: :
If  you use Domino today, you effectively cannot use SSL for email (SMTP) until the promised IBM fix is available. Here is why: The fix vendors applied that patched the POODLE vulnerability broke communications with Domino servers that use SSL. These patched servers will start a secure (SSL) SMTP session but will not fall back to plain text. This means messages queued up in mail.box for sending outbound, or mail queued up at the sender that will not be received by you.

The best non-technical explanation that I can give is that the STARTTLS command that the two SMTP servers use to negotiate a secure connections cannot agree on a protocol and the negotiation fails, so the message transfer fails.

Vendors like ProofPoint (pphosted.com) would not fall back to plain text no matter what my Domino settings were. And I tried 10 different combinations. Once a session started with SSL, Domino offers (before the promised fix) no acceptable fallback path, so the session ends without a successful mail transfer.

The only option that works before the IBM fix is released is to disable SSL for Inbound and Outbound messages.

In summary, messages transfers that start out as plain text will be transferred. Messages that start out as secure will not be transferred.

This is suboptimal (like having a leg cut off is suboptimal) but messages will flow.

Tip:  We like to use this service called http://www.kloth.net/services/dig.php to check MX records for problems with message transfer:

A picture named M2


IBM and Apple focus on the Enterprise

Tags: :
Apple is working with IBM to push into the enterprise space. Apple really has mainly focused on the consumer market, but products like IBM Traveler have made BYOD a reality.

Now, with IBM, Apple is going to focus on large enterprises.

Tim Cook gets a corporate partner with a great enterprise player to promote Apple as enterprise ready.

Ginny Rometti mentioned security, which is an overwhelming concern with BYOD. If Apple and IBM make new offerings that satisy IT departments, this should make Android very nervous, and of course make Blackberry start looking at its exit options.

All in all, a very interesting partnership.


CryptorBit Virus

Tags: :
There is a new and improved version of CryptoLocker. Version 1.0 made the makers of this ransomware a lot of money, and this version 2.0 is, I predict, just one of many new "feature enhanced" releases. Judging by the Bitcoin activity, there are a lot of "willing" victims out there paying to get their files back.  

BleepingComputer is doing a great job documenting this, so I will point you there for good advice and a possible free fix made by Nathan Scott called the DecrypterFixer that unscrambles the 512 byte headers of these files. If you like his work, or it saves your files, he has a PayPal link for donations. If he saved my bacon, $20 would be an amount I would "tip" him.


Required reminder: Backup your files, use a good anti-virus software, don't open attachments that contain exe files, or launch exe files from zip archives.


Time-lapse of Product Showcase Taken from my GoPro Camera

Tags: :
I wanted to have a little fun at #IBMConnect so I put a GoPro camera over our booth on the Product Showcase and snapped pictures of all of our visitors over 4 days.

The Product Showcase was certainly "energized", so I choose suitable music in the "William Tell Overture".


Refrigerators Now Send Spam as Well as Keeping it Cold

Tags: :  
Refrigerators now do more than keep spam, that tasty treat,  cold, they also send spam, the electronic email version.

That is the story of a compromised refrigerator that sends cold "spam" to unsuspecting users via it's internet connection.

Viruses makers will try to add anything to their botnets, and the latest attack on "refrigerators" does not surprise me at all. The target of this attack was a refrigerator model running a flavor of Linux that had not been hardened or protected against malware, and was allegedly sending out lots of spam.

A picture named M2

There was no proof from Proofpoint of the actual source refrigerator in the article, making some at Ars Technica question the veracity of the story. Either way it is only a question of time before these Internet connected devices start doing more than laundry. With ipv6, which has 3.4 x 1038 addresses (that is 3,400 trillion  trillion  trillion addresses), which means any item can have an ip address. If there are soon 10 billion people in the world, we could tag more than 100 trillion trillion items each with an ipv6 address, so these won't run out unless we want to start tagging stars in the sky.

Make no mistake about it: The virus makers are targeting any Target (pun intended) that they can, in an attempt to:
  • Steal money
  • Steal your identity
  • Steal your wallet (bitcoin users know this problem very well)
  • Steal your data (credit card numbers, for example)
  • Hold you for Ransom

If these don't work, they will infect your device and use it to send more spam or malware.

The moral of the story is that in an always-connected world every device is contantly being probed for weaknesses to find an entry point to launch an attack.


Increase in Virus Activity

Tags: :
The increase in recent Virus activity has been noticeable, and the sophisticated techniques the virus makers use to evade detection make the job of stopping them that much more challenging. Many times, a new message appears and I ask "Is this some new attempt to get me to infect my machine"? Many of my customers ask me the same question, so I put a live stream of recently caught viruses subjects and attachment names on our website. (Obviously, I did not put the viruses, just their names).  Clicking on the wordle that I created out of the names will bring you to a list of recent viruses blocked.

A picture named M2

Here is a sampling of the viruses recently caught by SpamSentinel Anti-Virus.


Virus Names translated from Chinese

Tags: :
I was interested in what the .XLS attachments were in the SpamSentinel quarantine, so I made a view, extracted the contents (minus the XLS extension) and let Google translate show my what these attachments REALLY say.  Like some spam subjects, many of these sound like zen inspired quotes. Here are a few of my favorites:

To manage or to leadership
Become Devil coach
Management does not manage tired

Here is the results of my search for virus attachment wisdom:


To read the list, you must go to my blogspot blog, The Chinese characters were causing problems with my blog template.


Notice to Appear in Court

Tags: :
Yes, the title of the blog appears scary and that is what the senders of the email want, to scare you into opening the message and reading the body, then launching the phony "notice".

Here is a sample of a phony notice that appears to come from JonesDay.

A picture named M2

Here are the Law firms that were spoofed in these virus outbreaks, and a sampling of the from addresses that were used. To be perfectly clear, these messages are spoofing the law firms, trying to get the recipient to open them, and have no relationship to the actual law firms. The virus senders rotate through a list of reputable law firms in the hope of getting past the virus filters and tempting their target into opening the message.

Spoofed Law firm name: Baker Botts
"Notice to Appear" <manager@bakerbotts.com>
"Notice to Appear" <appear_support.5@bakerbotts.com>
"Notice to Appear" <service.753@bakerbotts.com>
"Notice to Appear" <ticket469@bakerbotts.com>
"Notice to Appear" <no_reply@bakerbotts.com>
"Notice to Appear" <appear_support.7@bakerbotts.com>
"Notice to Appear" <information@bakerbotts.com>
"Notice to Appear" <appear_528@bakerbotts.com>
"Notice to Appear" <manager@bakerbotts.com>

Spoofed Law firm name:
Covington and Burling
"Court Notice WA" <support405@cov.com>
"Court Notice WA" <your_notice@cov.com>
"Court Notice WA" <notice_support.7@cov.com>
"Court Notice WA" <support382@cov.com>
"Court Notice WA" <aa.support369@cov.com>
"Court Notice WA" <information@cov.com>
"Court Notice WA" <service.734@cov.com>
"Court Notice WA" <information@cov.com>
"Court Notice WA" <manager@cov.com>
"Court Notice WA" <your_notice@cov.com>

Spoofed Law firm name:
Jones Day
"Notice to Appear" <ticket_support.7@jonesday.com>

"Notice to Appear" <personal.information@jonesday.com>
"Notice to Appear" <service.615@jonesday.com>
"Notice to Appear" <service.723@jonesday.com>
"Notice to Appear" <ticket_248@jonesday.com>
"Notice to Appear" <help420@jonesday.com>
"Notice to Appear" <ticket_service@jonesday.com>
"Notice to Appear" <your_ticket@jonesday.com>
"Notice to Appear" <service.301@jonesday.com>
"Notice to Appear" <ticket_609@jonesday.com>
"Notice to Appear" <ticket_support.2@jonesday.com>
"Notice to Appear" <ticket_support.2@jonesday.com>
"Notice to Appear" <support.8@jonesday.com>
"Notice to Appear" <ticket020@jonesday.com>
"Notice to Appear" <order.723@jonesday.com>
"Notice to Appear" <ticket_162@jonesday.com>

Spoofed Law firm name: Latham and Watkins
"Notice to Appear" <ticket_support.3@lw.com>

"Notice to Appear" <support838@lw.com>
"Notice to Appear" <service.252@lw.com>
"Notice to Appear" <ticket340@lw.com>
"Notice to Appear" <help432@lw.com>
"Notice to Appear" <ticket_support.4@lw.com>
"Notice to Appear" <ticket_support.7@lw.com>
"Notice to Appear" <service@lw.com>
"Notice to Appear" <service_ticket@lw.com>
"Notice to Appear" <support.5@lw.com>
"Notice to Appear" <service_ticket@lw.com>
"Notice to Appear" <information@lw.com>
"Notice to Appear" <no_reply@lw.com>
"Notice to Appear" <support.9@lw.com>
"Notice to Appear" <ticket_support.5@lw.com>

Spoofed Law firm name: McDermott Will & Emery
"Notice to Appear" <manager@mwe.com>

"Notice to Appear" <ticket_support.5@mwe.com>
"Notice to Appear" <ticket_service@mwe.com>
"Notice to Appear" <ticket_support.6@mwe.com>
"Notice to Appear" <support.6@mwe.com>
"Notice to Appear" <service@mwe.com>
"Notice to Appear" <support.2@mwe.com>
"Notice to Appear" <ticket_support.2@mwe.com>
"Notice to Appear" <support.6@mwe.com>

Spoofed Law firm name: Orrick
"Court Notice Orrick" <support.4@orrick.com>
"Court Notice Orrick" <your_notice@orrick.com>
"Court Notice Orrick" <service_notice@orrick.com>
"Court Notice Orrick" <service.959@orrick.com>
"Court Notice Orrick" <support.6@orrick.com>
"Court Notice Orrick" <support.7@orrick.com>
"Court Notice Orrick" <your_notice@orrick.com>
"Court Notice Orrick" <support.3@orrick.com>
"Court Notice Orrick" <support.3@orrick.com>
"Court Notice Orrick" <support.4@orrick.com>
"Court Notice Orrick" <notice_service@orrick.com>
"Court Notice Orrick" <order.510@orrick.com>
"Court Notice Orrick" <notice_support.5@orrick.com>
"Court Notice Orrick" <information@orrick.com>
"Court Notice Orrick" <notice706@orrick.com>
"Court Notice Orrick" <support.8@orrick.com>

Opening the messages. Don't try this at home (or the office)!

I took one message and loaded my Virus Testing Workstation, which is a virtual machine that I can infect then delete the machine.

A picture named M3

Here is one of the viruses that was caught as a ZIP file.

A picture named M4

Here is the attachment, which is disguised as a Word document, but is actually an executable file:

A picture named M5

As there was no response when I clicked the attachment, I clicked it again, so I infected the machine twice. Notice in the task manager, they use the file name to avoid suspicion and preventing some people from closing it.

A picture named M6

When I did close it, I got this error.

A picture named M7

I didn't try to dig into the mechanism of infection, or wait 24-48 hours and see what damage they did to my virtual machine, but that will be a subject for another post.

Download File


Blocking EXE attachments is working great!

Tags: :
We have advised customers of SpamSentinel for the last month to block EXE attachments, even (especially!) inside zip files.

I have been monitoring the results on one of our servers, and they are spectacular in catching new virus outbreaks before their "signatures" are recorded. These are "zero hour" zero hour viruses, fresh off the computers of the virus makers.

Here is a screenshot showing the recent patterns, piggybacking on popular email types, like airline ticket confirmations, order confirmations, purchase orders and private photos.

All of these zip files contain EXE files inside that want to infect your machine in your haste to open them.
Subject Dangerous Attachment
Re: Interested to purchase order details.zip
Re: Interested to purchase order details.zip
Private photo IMG6299082757-JPG.zip
Your order is ready US_Airways_E-Ticket_NO36049.zip
Fedex Team Track code 4734-02741-6535 Track_1764-78103-4529.zip
Ticket #7727  is ready AA_Airlines_E-Ticket_ID08655.zip
Your ticket AA_Airlines_E-Ticket_ID58270.zip
Ticket #8469  is ready AA_Airlines_E-Ticket_ID07194.zip
Order #3198 is processed AA_Airlines_E-Ticket_ID26928.zip
Your ticket AA_Airlines_E-Ticket_ID07268.zip
Your order #NR0106 is processed AA_Airlines_E-Ticket_ID81660.zip
Fedex Team Track code 3001-14706-5033 Track_1764-78103-4529.zip
Your order #3170 is processed AA_Airlines_E-Ticket_ID79506.zip
Thank you for your order AA_Airlines_E-Ticket_ID81254.zip
The order is ready AA_Airlines_E-Ticket_ID36241.zip
Your order # NR15-2662 has been completed US_Airways_E-Ticket_NO37925.zip
Seen this picture? IMG5810314307-JPG.zip
Kindly send us the Proforma Invoice Asap. Food items.pdf.zip
Order #NR7704 US_Airways_E-Ticket_NO26131.zip
Your order # NR15-5845 has been completed US_Airways_E-Ticket_NO08933.zip
Payment advice Payslip.zip
Our PO attached PO.zip
Enquiry REW233.zip
Fedex Team Track code 4740-07014-6833 Track_1764-78103-4529.zip
FedEx Shipment Department Track code 4436-58788-5840 Track_1764-78103-4529.zip
Thank you for your order US_Airways_E-Ticket_NO78203.zip
FedEx Shipment Department Track code 3107-43181-8785 Track_1764-78103-4529.zip
FedEx Express Track code 5624-34586-7353 Track_1764-78103-4529.zip
Download your ticket #1797 US_Airways_E-Ticket_NO36208.zip
FEDEX  EXPRESS SHIPMENTS Track code 1238-50488-7111 Track_1764-78103-4529.zip
Order #NR4312 is processed Ticket_Delta_AirLines_Print_doc_1657.zip
Download your ticket #NR9798 Ticket_Delta_AirLines_Print_doc_4026.zip
P.O. 634563 Order Order Sample 1-.zip
FedEx Shipment Department Track code 5041-68031-6666 Track_1764-78103-4529.zip


I have a view of all of these in my Quarantine.nsf. Many show "undisclosed-recipients" which means this was a BCC attack, as below:

A picture named M2

This one contained more than 9 recipients from different organizations:

A picture named M3

I opened a few of the messages (not the attachments!) and found typical patters.

This one is "not personalized" which is often a clue.

A picture named M4

This one is allegedly a FedEx Track Code, they even made up a fake number, but it is sent to 20 people. Did we all receive that same package?

A picture named M5

This one breaks all the rules:
1. No SendTo
2. Contains a Zip with an EXE inside
3. Not personalized
4. Signature incomplete.

A picture named M6

Take a look at this one. Can you now identify why this is a very suspicious email?

A picture named M7



View Frank Paolino's profile on LinkedIn


Frank Paolino