The Sharks Are Circling

We are under attack.
There is an increasing volume of spam, mostly aimed at business e-mail addresses, carrying a malicious payload via an attached file.  The attachment contains some executable element (usually a macro that runs when the file is opened).  The worst of the malicious payloads are ransomware – hijacking the computer and locking the user out pending payment of a ransom.

We have four lines of defence.  The first is e-mail filtering.  It isn’t very good.
I just completed my tax return on Her Majesty’s Revenue and Customs web site.  At the end of the process, HMRC sent me a confirmation e-mail, essentially just giving me a reference number, with a link to the HMRC web site.  That confirmation e-mail was filtered out as junk, whereas the filtering was perfectly happy to let through an e-mail with this header:

[Spam example 1]

Or a similar one, in which HMRC appear to have contracted their services overseas:

[Spam example 2]

Automated filtering suffers from both false positives and false negatives. The second line of filtering is the user, who has to cope with messages like:

[Spam example 3]

That e-mail address is more plausible than the HMRC spoofs but bears no relation to the person’s name or the supposed company.  It is part of the bombardment of quasi-business e-mails, most of which have attachments disguised as financial instruments – invoices, statements of account and the like.  The following is a better example; it spoofs a sender e-mail address consistently and the body of the e-mail takes the Ian Fleming approach, disguising the big lie in plausible levels of detail.  (In this case, its biggest failing was that it was sent to a non-existent address and was therefore swept into our junk mail dungeon.)

[Spam example 4]

In theory, there are two levels of security beyond the inbox that might still save us from the worst of the scams, but I never want to put those to the test – and there is something simple that business people can do to defeat the scammers.
The assumption made by the scammers is that the e-mail is coming into a busy financial office.  The e-mail doesn’t contain enough information for the transaction to be recognisable and therefore the recipient will open the attachment to find out what it’s about.  The e-mail is written as though there is a prior history, but that history is never specified.
All that is needed to defeat this – to prove that a business e-mail is genuine – is to have some common verifiable evidence of history in the body of the e-mail so that the provenance can be checked without opening the attachment.

So, if you send out e-mails with, for example, remittance advice notes attached, then make sure your subject line or e-mail body contains a verifiable reference to a purchase order or invoice number.
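A triage check that applies the advice above, added here as an example and not the author’s code: it holds an inbound message carrying a macro-capable attachment unless the subject or body cites a purchase order or invoice number that the recipient’s own ledger already knows. The ledger contents, reference format, attachment suffixes and the two sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed ledger of references the finance office actually issued or
# received; in practice this would be looked up in the accounting system.
KNOWN_REFERENCES = {"PO-2016-0418", "INV-77310"}
# Attachment types that commonly carry a macro or other executable element.
RISKY_SUFFIXES = (".doc", ".docm", ".xls", ".xlsm", ".zip", ".js")
# Reference formats this hypothetical business uses, e.g. PO-2016-0418.
REF_PATTERN = re.compile(r"\b(?:PO|INV)-\d{4,}(?:-\d+)?\b", re.IGNORECASE)


def triage(raw: bytes) -> dict:
    """Hold a risky attachment unless subject/body cite a verifiable reference."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky = [n for n in names if n.lower().endswith(RISKY_SUFFIXES)]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    found = {m.upper() for m in REF_PATTERN.findall(text)}
    verified = found & KNOWN_REFERENCES
    if not risky:
        verdict = "no-risky-attachment"  # nothing executable to worry about
    elif verified:
        verdict = "deliver"              # provenance checkable without opening it
    else:
        verdict = "hold"                 # the lure pattern: attachment, no history
    return {"risky": risky, "found": sorted(found),
            "verified": sorted(verified), "verdict": verdict}


def build_message(subject: str, body: str, filename: str) -> bytes:
    """Construct a one-attachment sample message (test input only)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder bytes, not a real document",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed samples: a lure with no recognisable history, and a genuine
# remittance advice citing an invoice and purchase order the ledger knows.
LURE = build_message("Statement of account",
                     "Please see the attached statement as discussed.", "statement.xlsm")
GENUINE = build_message("Remittance advice for INV-77310",
                        "Payment against PO-2016-0418 is attached.", "remittance.docm")
```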
