Thursday, September 25, 2014

Clever Phish

I received this email yesterday (links altered for safety).

From: info@gruppobertoli.it
Thanks for shopping with us today! Your purchase will be processed shortly.
BILLING DETAILS
Purchase Number: SGF578308436
Order Date: 7.46 Thu, Sep 18, 2014
Customer Email: charles@example.com
Outright Purchase: 4687 USD
Get details
Please click the link provided at the top to get more info about this issue.

Of course, I checked the domain and I'd never heard of it. But nothing came up immediately when searching "gruppo bertoli spam". I was pretty sure it was a phishing email, but it was possible someone stole my identity. Unlikely, though, given the weirdness of the email.

Next, I hovered over the link to see its source. It's a DropBox location. I opened IE in InPrivate Browsing mode for some added safety. Then I copied the link and pasted it into the address bar. (I've obfuscated the link so it doesn't work anymore.)

https://www.dropbox.com/s/XXXXXzddrc2a4k/Order_AA9883.zip?dl=1

I removed the file part of the path, just to see if the DropBox folder would open. Nope. So, I can see they want me to download a zip file. I'm OK with that, because I won't open it yet.

I downloaded the zip file, then opened it—but didn't extract it!—using 7-zip. Huh. At first glance it's a PDF—with a funny extension. Also, the packed size is the same as the file size. But this might be true for a PDF since they're binary files, and besides, most people won't open it in 7-zip; they'll use Windows Explorer.

[image: the zip file's contents as listed in 7-zip]

OK. I extracted the file but, of course, didn’t double click it to open.

Now, I looked at the file in Windows Explorer and it really does look like a PDF. 

[image: the extracted file as shown in Windows Explorer]

Why? Because the clever bastards have added a bunch of spaces to hide the real extension. Here's the real file name.

"PAYMENT DETAILS.PDF                                                                                _27102.scr"

Windows (and Mac) don't show file extensions by default anyway, so many people will be fooled by a file that advertises itself as a PDF. What's worse, most people don't view their file listings in Details view, so they wouldn't see the Type column, which is the giveaway.

What is it really? It's a screen saver, which on Windows is just an ordinary executable with a .scr extension. If I'd launched it...well, who knows? A screen saver can install trojans. Hopefully my Windows Defender would have kicked in, but there's no guarantee.
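The padded-filename trick described above is easy to flag before anyone double-clicks: check archive member names for an executable final extension, a document-looking extension buried earlier in the name, and long runs of spaces. The following is an added example for this post, not the author's code; the sample archive it scans is constructed to mimic the one described here, not the real attachment.

```python
import io
import re
import zipfile

# Extensions Windows runs directly; a .scr screen saver is an ordinary executable
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a recipient expects on an invoice or receipt attachment
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}

def deceptive_name_reasons(name):
    """Return the reasons a filename looks like an extension-spoofing trick.

    An empty list means the name passed every check here.
    """
    reasons = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    real_ext = ("." + ext).lower() if dot else ""
    if real_ext in EXECUTABLE_EXTS:
        reasons.append("real extension is executable: " + real_ext)
        # A document-looking extension buried before the real one,
        # e.g. "PAYMENT DETAILS.PDF        _27102.scr"
        inner = re.findall(r"\.([A-Za-z0-9]{2,5})(?=[\s_]|$)", stem)
        fakes = sorted({"." + e.lower() for e in inner} & DOCUMENT_EXTS)
        if fakes:
            reasons.append("document extension hidden in name: " + ", ".join(fakes))
    # Long runs of spaces push the real extension out of Explorer's Name column
    run = max((len(r) for r in re.findall(r"\s+", base)), default=0)
    if run >= 8:
        reasons.append("%d consecutive spaces pad the name" % run)
    return reasons

def scan_zip_names(zip_bytes):
    """Map each member name in a zip archive to its list of warnings."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: deceptive_name_reasons(i.filename) for i in zf.infolist()}

def build_sample_zip():
    """Constructed archive modelled on the one in the post (not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PAYMENT DETAILS.PDF" + " " * 80 + "_27102.scr", b"MZ placeholder")
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reasons in scan_zip_names(build_sample_zip()).items():
        print(repr(name), "->", reasons or "looks ordinary")
```

The same check works on attachment names pulled from a mail gateway log, since it only inspects the name, never the file contents.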

This was a good reminder for me. These jerks used the psychology of stage magic: misdirection and plausibility. It looks real, until it's not.
