...the more they remain the same. It's sometimes too easy to forget that it's not all about the technical analysis of malware. Often, it doesn't matter how startlingly sophisticated or innovative malware is: if the social engineering hits the spot, and technical defences fail, as all too often they do, that's enough. Depressingly, the engineering doesn't have to be great either: over the years, I've noticed (as have the bad guys) that the same ploys work over and over again.
Of course, I have a couple of recent examples in mind. There have been reports on many mailing lists this week about an email that purports to come from the Department of Justice. There are variations in the exact wording, but a typical one includes (beneath a DoJ banner) text like this:
Dear Mr. [Targeted individuals name] ,
A complaint has been filled against the company you are affiliated to ( [Company Name] ) in regards to the domain of business activity.
The complaint was filled by Mr. James Palmer on 25/02/2008 and has been forwarded to us and the IRS .
Complaint Case Number: #[case number] Date: [date]
A copy of the original complaint and the contact information of Mr. James Palmer has been attached to this e-mail.Please print and keep this copy for your personal records.
There's more to it, of course. And very similar messages have long been received, apparently from other official bodies. The attached "complaint document" is actually a zipped and packed executable that downloads and drops various objects onto your system that you really don't want. Spear phishing meets mass-mailer social engineering meets bang-up-to-date obfuscation. And, while the English isn't perfect, it's not the conspicuously "foreign" English we've become accustomed to seeing in low-grade phishing emails.
The English in this 419-style email is rather rougher, but I guess you don't necessarily expect literary polish from a hitman.
I am very sorry for you Xxxxxx, is a pity that this is how your life is going to end as soon as you don't comply. As you can see there is no need of introducing myself to you because I don't have any business with you, my duty as I am mailing you now is just to KILL you and I have to do it as I have already been paid for that.
[...]
Get back to me now if you are ready to pay some fees to spare your life, $10,000 is all you need to spend You will first of all pay $5,000 then I will send a tape to you which i recorded every discusion in made with the person who wanted you dead and as soon as you get the tape, you will pay the remaining $5,000. If you are not ready for my help, then I will carry on with my job straight-up
[...]
Nice. Of course some of the detail changes, such as the sum demanded. Incidentally, while I routinely anonymise this sort of thing when I use it for blogs and alerts, I didn't change the recipient's name in this one. Either a lot of people are called Xxxxxx, or the extortionist on this occasion couldn't be bothered to replace a placeholder. Nonetheless, a lot of people have been disturbed by this one, which has been seen from time to time for some years now. And that, I suppose, is the point. The world is full of people, some of them highly educated, who don't raise their implausibility shields when they put on their cyberspace suits.
David Harley
Research Author