[Physstaff] FW: Observations on current trends in spam

Timothy Briggs timothy.briggs at strath.ac.uk
Wed May 4 16:33:37 BST 2016


Hello,

Some comments from the University's network manager about current Spam...

" General advice:

Treat any message purporting to relate to some financial transaction with 
deep suspicion (if it looks plausible, confirm it by other means such as 
telephone, if it looks implausible or unknown, it's probably not genuine); 
don't open unexpected documents; don't allow macros to run in untrusted 
documents; ensure anti-virus is up to date and active."

Thanks,

Timothy

-----Original Message-----
From: compstaff-bounces at lists.strath.ac.uk [mailto:compstaff-bounces at lists.strath.ac.uk] On Behalf Of Jethro R Binks
Sent: 29 April 2016 13:48
To: Helpdesk (Curran); Helpdesk (Professional Services); compstaff at lists.strath.ac.uk
Subject: [compstaff] Observations on current trends in spam

Thought I'd alert you to some of the current trends in spam that we're seeing lately.  Unfortunately it doesn't all get blocked, as you know ...

I'm sure many of you will have experienced the end user who complains about "how much spam" they receive.  Bear in mind that the end user only sees what they get: they have no idea about the massive amounts of spam sent to them that they don't get, so their perspective is skewed.

As is usual these days, most of this originates either from compromised home computers often using varying sender addresses, or from compromised email accounts at ISPs and email providers.  The latter are often added to a block list that our mail servers consult when trying to determine whether to accept or not.  The former are much more difficult to take preventative measures against since it is effectively an infinite set.

Also, spammers have become adept at tweaking their content so it doesn't trigger enough rules to be marked as spam if it doesn't get rejected on technical criteria.  The shorter the message, the less there is to work with.  While we could spend time trying to adjust the rulesets, what actually generally happens unless you are very very careful is that we increase the likelihood that some legitimate mail will also get marked as spam, creating a different set of complaints.  It's always a trade-off, nothing is absolute, and changes can have unforeseen consequences, so I generally take the attitude of keeping the status quo.

And, as I always say, no anti-spam system is 100% perfect; it will always miss some, and it will always incorrectly block others.  To people receiving spam, I just say, delete and forget it.

Generally, there are two separate objectives behind the sending of these messages.  The first is to deliver a payload to a computer user who will execute it, causing something bad to happen to their system: likely install some malware (maybe a keylogger or botnet client, ransomware (encrypt the system and demand payment to decrypt.  We've also had several cases of personal H: drives being encrypted)).  The second is to cause some financial transaction to be initiated presumably to the benefit of the sender and not to the receiver.


Currently I am aware of:

1. Court summons spam

Subjects like: You have been commanded to appear before Judge on 29/04/16 ef. R04001

Usually with a Word attachment, presumably with a nasty payload.  Run of these in recent weeks.

Some of the messages appear to address the recipient directly, or the attachment is named after the recipient.  I suspect this is completely algorithmic, for example one message to my address jethro.binks at strath.ac.uk starts:

"Hello Jethro Binks,"

but if it was sent to an alternative address j.r.binks at strath.ac.uk then it might start:

"Hello J R Binks".

I've seen cases where a "Mr" has been added; that might either be a lucky guess or based on some interpretation of the given name.  Or, of course, the spammers may well be using a database leeched from some website compromise.  There are enough of those going around.  Who is to know?  But the net effect of these simple tricks is to make the message look slightly more personable and genuine.

Suggested action: delete and ignore.  If the attachment has been opened, consider the system compromised and rebuild.


2. Invoice/payments

eg:

"This is just a friendly note that University of Strathclyde's account 
with us (001022) is listed as unpaid. Our records indicate that you have a 
total obligation of £1742.00. We would appreciate it if you could clear 
this payment today, please find instructions enclosed.

Thank you – we really appreciate your business! Please send payment within 
3 days of receiving this invoice."

These ones come with a (sometimes corrupted) attached Word document 
typically with some unpleasant payload.  Sometimes contains strings like: 
"While we wait for your payment, we'll need to temporarily suspend your 
company's account. Granted this is frustrating, but we'll do all we can to 
clear things up quickly.", which doesn't sound rational to me in 
legitimate business dealings but certainly heightens the tension.

For one I looked at, the quoted phone number was that of some unrelated 
wholesaler and the quoted VAT code did not verify.

http://www.telegraph.co.uk/finance/personalfinance/bank-accounts/11528119/Beware-invoice-email-scam-to-steal-bank-details.html

https://myonlinesecurity.co.uk/invoice-january-alastair-baird-abairdjtcp-co-uk-damaged-or-broken-office-doc-or-xls-attachment/

Suggested action: delete and ignore.  If the attachment has been opened, 
consider the system compromised and rebuild.


3. Other financial transaction

There have been more specifically targeted attacks: forged emails in the 
name of one party in the University directly targeted at another party 
fraudulently asking them to initiate a financial transaction, where both 
parties might legitimately work with finances.  These are pretty 
nefarious, but I'd hope the parties involved would exercise good practice 
and check up on the validity of any financial transfers rather than acting 
entirely based on an unsolicited email communication.  These have been 
targeted at senior people within the University.

Suggested action: report to Helpdesk


4. Extortion

Not seen any reports about that here, but messages to the effect that some 
form of DDoS attack will be launched if some number of bitcoin are not 
paid as ransom.  Some of these appear to be forgeries in the name of 
known 'hacking collectives', but who are not actually responsible for 
the threats.

https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/

Suggested action: probably fraudulent in most cases, but maybe report to 
Helpdesk so we become aware if we get targeted.



5. Sexual invitation

Suggested action: delete and ignore.


General advice:

Treat any message purporting to relate to some financial transaction with 
deep suspicion (if it looks plausible, confirm it by other means such as 
telephone, if it looks implausible or unknown, it's probably not genuine); 
don't open unexpected documents; don't allow macros to run in untrusted 
documents; ensure anti-virus is up to date and active.

J.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
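The "algorithmic personalisation" described in item 1 (the greeting is just the recipient's address local part reformatted) can be turned into a cheap triage signal. The following is an added example, not code from the University's mail systems or from the message above; it assumes the salutation is the first non-blank line of the body and uses constructed sample messages.

```python
import re

# Titles a spammer might prepend to the derived name, as the message notes ("Mr").
TITLES = r"(?:(?:mr|mrs|ms|dr)\.?\s+)?"
SALUTATION = re.compile(
    r'^\s*"?(?:hello|hi|dear)\s+' + TITLES + r'(.+?)[,"\s]*$', re.IGNORECASE
)


def greeting_from_local_part(address):
    """Derive the name a naive mailer would build from an address:
    'jethro.binks@...' -> 'Jethro Binks', 'j.r.binks@...' -> 'J R Binks'."""
    local = address.split("@", 1)[0]
    parts = re.split(r"[._\-]+", local)
    return " ".join(p.capitalize() for p in parts if p)


def salutation_matches_address(body, recipient):
    """True when the opening salutation is nothing more than the recipient's
    own address local part reformatted (optionally with a title in front).
    A real correspondent usually knows the preferred form of the name."""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if not lines:
        return False
    m = SALUTATION.match(lines[0])
    if not m:
        return False
    derived = greeting_from_local_part(recipient).lower()
    return m.group(1).strip().lower() == derived


# Constructed sample messages (not real spam captured at the University).
SAMPLES = [
    ("jethro.binks@strath.ac.uk", "Hello Jethro Binks,\nYou have been commanded to appear..."),
    ("j.r.binks@strath.ac.uk", '"Hello Mr J R Binks",\nPlease find the summons attached.'),
    ("jethro.binks@strath.ac.uk", "Hi Jethro,\nAre you free for a chat about the grant?"),
]


def flag_samples(samples=SAMPLES):
    """Return the list of (recipient, flagged) results for triage review."""
    return [(addr, salutation_matches_address(body, addr)) for addr, body in samples]


if __name__ == "__main__":
    for addr, flagged in flag_samples():
        print(f"{addr}: {'address-derived greeting' if flagged else 'ok'}")
```

A hit is only one weak indicator to weigh alongside the attachment type and the technical checks the message describes, not a verdict on its own.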

