• another one phishing for a bite

    From August Abolins@2:221/360 to All on Tue Mar 31 22:02:01 2020
    Received another suspicious email with a "Resumé" attachment just now.

    No password version.

    I renamed the file:

    XXXXJohn Smith Resume.xls

    Sent it to VirusTotal. Only ONE engine of many detected this thing.


    TACHYON == Trojan/XF.Downloader.Gen


    I looked inside the file and noticed a few clues in the clear (but I obscured a few things here with #### so no one inadvertently clicks on a link):

    C:\XTHbSJX\hQPDpQm\yNuMyDc.dl

    http://march262020.####/files/bot.dll

    URLDownloadToFileA

    http://march262020.####/files/bot.dll

    rundll32.exe,DllRegisterServer

    http://march262020.####/files

    CreateDirectory

    ShellExecute

    /bot.dll

    Excel 4.0 Macros


    Very telling! Seems to me that the simplest infection mechanism can still find
    an unsuspecting victim.

    The domain reference above pointed to:

    Source: whois.apnic.net (APNIC serves the Asia Pacific region)
    IP Address: 170.106.11.8

    But it arrived via Germany:

    X-EN-OrigIP: 194.25.134.80 <== via RIPE
    Received: from fwd17.aul.t-online.de (fwd17.aul.t-online.de [172.20.27.64])
    Received: from t-online.de ([64.145.94.242]) by fwd17.t-online.de

    Sneaky buggers, eh?

    --- TB68.4.1/Win7
    * Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)
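Added example (editor's code, not from the post above): a Python triage script that does mechanically what the post did by eye. It pulls printable strings out of an attachment (ASCII runs and UTF-16LE runs, since Office files store many strings wide), checks for the OLE2 signature a legacy .xls carries, and flags the download-and-run indicators listed above: URLs, the Win32 download/execute API names, the rundll32 invocation and the "Excel 4.0 Macros" marker. URLs are defanged (hxxp scheme, bracketed dots) before they are reported so the output can be pasted into a message without becoming a live link. The byte blob is constructed here from the strings quoted in the post; it is not the real attachment, and the host's TLD (.club, given later in the thread) is taken on that basis. A string scan is a first look only; a real BIFF file needs a proper parser (oletools' olevba handles XLM macros) to recover the actual formulas.

```python
import re

# Constructed sample: the clear-text fragments quoted above, embedded in a byte blob
# that starts with the OLE2 compound-file signature a legacy .xls carries. It is not
# the real attachment; the host "march262020.club" is the one named in the thread.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_XLS = (
    OLE_MAGIC + b"\x00" * 24
    + b"C:\\XTHbSJX\\hQPDpQm\\yNuMyDc.dl\x00\x00"
    + b"http://march262020.club/files/bot.dll\x00"
    + b"URLDownloadToFileA\x00\x01\x02"
    + "rundll32.exe,DllRegisterServer".encode("utf-16-le") + b"\x00\x00"
    + b"CreateDirectory\x00ShellExecute\x00"
    + b"\xff\xfe" * 8
    + b"Excel 4.0 Macros\x00"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")          # like `strings`: 6+ printable bytes
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")    # UTF-16LE runs, common in Office files
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?")
# Download/execute primitives a downloader macro typically names in the clear.
SUSPICIOUS_APIS = ("URLDownloadToFileA", "ShellExecute", "CreateDirectory", "WinExec", "CreateProcess")


def printable_strings(data: bytes) -> list:
    """Narrow (ASCII) and wide (UTF-16LE) printable runs found anywhere in the blob."""
    narrow = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    wide = [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(data)]
    return narrow + wide


def defang(url: str) -> str:
    """hxxp scheme and bracketed host dots, so the indicator can be shared but not clicked."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def triage(data: bytes) -> dict:
    """Flag the indicators a download-and-run macro leaves in the clear."""
    strings = printable_strings(data)
    report = {
        "is_ole2": data.startswith(OLE_MAGIC),
        "urls": [defang(u) for s in strings for u in URL_RE.findall(s)],
        "apis": sorted({api for s in strings for api in SUSPICIOUS_APIS if api in s}),
        "rundll32": any("rundll32" in s.lower() for s in strings),
        "xlm": any("Excel 4.0 Macros" in s for s in strings),
        "paths": [s for s in strings if re.match(r"[A-Za-z]:\\", s)],
    }
    # A URL plus a download/execute primitive is the downloader pattern from the post.
    report["verdict"] = ("downloader-like"
                         if report["urls"] and (report["apis"] or report["rundll32"])
                         else "no clear-text indicators")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_XLS).items():
        print(f"{key:>9}: {value}")
```

Run it against a real file with `triage(open(path, "rb").read())`; an empty `urls` list does not mean the file is clean (obfuscated or password-protected samples hide the strings), only that nothing is visible in the clear.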
  • From mark lewis@1:3634/12 to August Abolins on Tue Mar 31 15:58:22 2020
    Re: another one phishing for a bite
    By: August Abolins to All on Tue Mar 31 2020 22:02:01


    (but I obscured a few things here with #### so no one inadvertently clicks
    on a link):

    just change http to hxxp or similar ;)


    )\/(ark
    --- SBBSecho 3.10-Linux
    * Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)
  • From August Abolins@2:221/1.58 to mark lewis on Tue Mar 31 16:59:00 2020
    Hello mark!

    ** 31.03.20 - 15:58, mark lewis wrote to August Abolins:

    (but I obscured a few things here with #### so no one inadvertently
    clicks on a link):

    just change http to hxxp or similar ;)


    Six or one half dozen of the other. :)

    I actually contemplated obfuscating the http:// part, but obviously I
    changed my mind.


    ../|ug

    --- OpenXP 5.0.43
    * Origin: /|ug's Point, Ont. CANADA (2:221/1.58)
  • From mark lewis@1:3634/12 to August Abolins on Tue Mar 31 18:30:55 2020
    Re: another one phishing for a bite
    By: August Abolins to mark lewis on Tue Mar 31 2020 16:59:00


    (but I obscured a few things here with #### so no one inadvertently
    clicks on a link):

    just change http to hxxp or similar ;)

    Six or one half dozen of the other. :)

    not really because now others of us cannot look up that information and set blocks or filters in our IDS/IPS ;)

    I actually contemplated obfuscating the http:// part, but obviously I changed my mind.

    i guess... we cannot see that from here ;) LOL


    )\/(ark
    --- SBBSecho 3.10-Linux
    * Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)
  • From August Abolins@2:221/1.58 to mark lewis on Tue Mar 31 20:33:00 2020
    Hello mark!

    ** 31.03.20 - 18:30, mark lewis wrote to August Abolins:

    (but I obscured a few things here with #### so no one inadvertently
    clicks on a link):

    just change http to hxxp or similar ;)

    Six or one half dozen of the other. :)

    not really because now others of us cannot look up that information and
    set blocks or filters in our IDS/IPS ;)

    Oh.. I see. Good point. But couldn't http://march262020.* work in a filter?

    But, FYI, replace "####" with "club". No point keeping it a secret if
    the goal is to help protect others.

    BTW, although it is far easier to just drop the phishing email/attachment with the delete key, we can parse the file, extract the clear-text and
    share the http:// strings found therein.

    Obviously, the macro in the original .xls file relied on Excel functions
    to run a macro to fetch a bot from a website and launch the payload.


    ../|ug

    --- OpenXP 5.0.43
    * Origin: /|ug's Point, Ont. CANADA (2:221/1.58)
  • From mark lewis@1:3634/12 to August Abolins on Wed Apr 1 09:36:19 2020
    Re: another one phishing for a bite
    By: August Abolins to mark lewis on Tue Mar 31 2020 20:33:00


    not really because now others of us cannot look up that
    information and set blocks or filters in our IDS/IPS ;)

    Oh.. I see. Good point. But couldn't http://march262020.* work in a
    filter?


    that depends on the language used... IDS/IPS do not use DOS style... neither does clamav, dspam, or similar content scanners...


    But, FYI, replace "####" with "club". No point keeping it a
    secret if the goal is to help protect others.


    thanks...


    BTW, although it is far easier to just drop the phishing
    email/attachment with the delete key, we can parse the file,
    extract the clear-text and share the http:// strings found
    therein.


    or our content scanner can detect the byte sequences and pass or fail the item...


    Obviously, the macro in the original .xls file relied on Excel
    functions to run a macro to fetch a bot from a website and launch
    the payload.


    yep... this is why the setting to allow macros and/or executing startup macros should be OFF these days...


    )\/(ark
    --- SBBSecho 3.10-Linux
    * Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)
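Added example (editor's code, not from either poster) for the glob-versus-filter point just made: the DOS-style `http://march262020.*` is a wildcard, while IDS signatures and content scanners take regular expressions (Snort/Suricata via the `pcre` keyword, SpamAssassin and ClamAV via their own regex-based rule formats), where `.` is itself a wildcard and `*` means "zero or more of the preceding". The block translates the glob with `fnmatch.translate`, shows what goes wrong if the same text is typed straight into a regex field, and then writes the rule a practitioner would actually deploy: one keyed on the domain, tolerant of hxxp defanging and subdomains, but not matching the string when it only appears in a path. The URL list is constructed for the example; the first two entries are the ones from the attachment.

```python
import fnmatch
import re

# Constructed URL list: the first two are the strings from the attachment discussed
# above, the rest are decoys invented for this example.
SAMPLE_URLS = [
    "http://march262020.club/files/bot.dll",
    "http://march262020.club/files",
    "hxxp://march262020[.]club/files/bot.dll",   # defanged copy pasted from a report
    "http://march262020xclub.example/",          # decoy: no literal dot after the label
    "http://cdn.march262020.club/x",             # decoy: same domain, subdomain in front
    "http://example.org/march262020.club",       # decoy: indicator only in the path
]

DOS_GLOB = "http://march262020.*"


def glob_to_regex(pattern: str):
    """DOS/shell wildcard -> the regular expression a scanner actually consumes.
    fnmatch escapes the literal dot and turns '*' into '.*'."""
    return re.compile(fnmatch.translate(pattern))


# The same text typed straight into a regex field: the dot is now a wildcard, not a literal.
NAIVE_RE = re.compile(r"http://march262020.*")

# A rule written for the domain rather than for one URL: any scheme (covers hxxp defanging),
# '.' or '[.]' separators, and the label anywhere in the host but not in the path.
DOMAIN_RE = re.compile(
    r"^[a-z]+://(?:[a-z0-9-]+(?:\.|\[\.\]))*march262020(?:\.|\[\.\])[a-z0-9-]+", re.I)


def matches(regex, urls: list) -> list:
    """URLs the pattern matches from the start, as a filter anchored on the URL would."""
    return [u for u in urls if regex.match(u)]


if __name__ == "__main__":
    for name, rx in (("glob", glob_to_regex(DOS_GLOB)), ("naive", NAIVE_RE), ("domain", DOMAIN_RE)):
        print(name, rx.pattern, matches(rx, SAMPLE_URLS), sep="\n  ")
```

The naive regex is the one that bites in practice: with the dot unescaped it also fires on `march262020xclub.example`, and the glob, for its part, misses both the defanged copy and the subdomain form.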
  • From August Abolins@2:221/360 to mark lewis on Wed Apr 1 19:24:19 2020
    On 01/04/2020 9:36 a.m., mark lewis : August Abolins wrote:

     AA>> Obviously, the macro in the original .xls file relied on Excel
     AA>> functions to run a macro to fetch a bot from a website and launch
     AA>> the payload.

    yep... this is why the setting to allow macros and/or executing startup macros should be OFF these days...

    OFF seems to be the default in Excel 2007:

    [+] Disable all macros except digitally signed macros
        This setting is the same as the Disable all macros with notification option, except that if the macro is digitally signed by a trusted publisher, the macro can run if you have already trusted the publisher. If you have not trusted the publisher, you are notified. That way, you can choose to enable those signed macros or trust the publisher. All unsigned macros are disabled without notification.

    I wonder what the setting is for newer editions of the Office progs. Maybe the ..bot kiddies are targeting a version that allows full functionality unless disabled. Sneaky buggers.

    --- TB68.4.1/Win7
    * Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)
  • From Daniel@1:340/7 to August Abolins on Tue Apr 7 00:03:10 2020
    Re: another one phishing for a bite
    By: August Abolins to All on Tue Mar 31 2020 10:02 pm

    Good job. I love doing that on the rare occasion I get an attachment. With .xls I like to save them as zip files, then extract the components and dig around. It's silly simple how some of these trojans work.

    We don't usually see them at work since I administer our content analysis system and it soaks everything up.
    Daniel Traechin
    --- SBBSecho 3.10-Win32
    * Origin: Digital Distortion: digdist.synchro.net (1:340/7)
  • From August Abolins@2:221/1.58 to Daniel on Tue Apr 7 20:14:00 2020
    Hello Daniel!

    ** 07.04.20 - 00:03, Daniel wrote to August Abolins:

    Good job. I love doing that on the rare occasion I get an attachment. with
    xls I like to save them as zip files, then extract the components and dig
    around. It's silly simple how some of these trojans work.

    I think the originators deserve a reciprocation of their own medicine.

    I have toyed with the idea of replying to the ones that request payment,
    and just send back a message that says, details of payment "are ENCLOSED
    in the attachment. Password is the same as you provided: 1234" ..and send back the file.

    Many of these emails are so stupid. I despise those things. There should
    be a way to block them right at the ISP/server side. I would rather not have them delivered to my mailbox in the first place. Why can't ISPs
    block certain IP addresses right on the spot?

    For example, I just received another blatantly stupid email:

    ====[begin]====

    National Publication & Community of Professionals


    Dear Valued Candidate,

    Congratulations! You have been nominated for a spot in the 2020
    Professional Who's Who publication. Starting the New Year with this level
    of recognition, branding, and respect will help improve and accelerate
    your career.

    Please click here to update your professional profile.

    <h##p://
    www.landchimney.icu/ngciwnnkm/sxbrsa299506ffche/DSEUPz2Pi5NzueG4_Al7eVyhpwSnBCBbwg5Ajju-YVw/IQ8F8MJNPbbBwAj8KFO4xAi1FSWVS5ATDaZwBDpKL-aLTdGHchtIyBOogxjmk_Z2bga5uenmVAmLSc5WCCMlK_CtaiD8hE4m48AGRM91zfMqWEToT2aR0JiVf9BTrc2c>

    Include all your credentials and accomplishments. We want
    to be sure we have the most accurate information for our publication team.

    ====[end]====

    Part of the message header is:

    Return-Path: <incidents@landchimney.icu>
    Delivery-date: Tue, 07 Apr 2020 11:18:35 -0400
    Received: from landchimney.icu ([93.177.102.132])
    X-EN-OrigIP: 93.177.102.132
    From: " Dorothy" <incidents@landchimney.icu>
    Date: Tue, 07 Apr 2020 10:14:22 -0500
    Subject: "Final steps" to your application approval!


    It would be ideal to simply filter 93.177.*.* to the bit-bucket and leave
    my own email program alone. I simply hate having to waste my own data
    quota to even deal with them.


    We don't usually see them at work since I administer our content analysis
    system and it soaks everything up.

    If I could automate a bit-bucket request to my ISP to "soak up"
    93.177.*.*, that would be something useful for our computers to do.


    ../|ug

    --- OpenXP 5.0.43
    * Origin: /|ug's Point, Ont. CANADA (2:221/1.58)
  • From Richard Menedetter@2:310/31 to August Abolins on Wed Apr 8 08:07:52 2020
    Hi August!

    07 Apr 2020 20:14, from August Abolins -> Daniel:

    I think the originators deserve a reciprocation of their own medicine.

    I have toyed with the idea of replying to the ones that request
    payment, and just send back a message that says, details of payment
    "are ENCLOSED in the attachment. Password is the same as you
    provided: 1234" ..and send back the file.

    And what should that do??
    THEY know what they are doing.
    THEY can deal with it nicely.

    This is much better, and funnier:
    https://www.youtube.com/watch?v=_QdPW8JrYzQ

    Many of these emails are so stupid. I despise those things. There
    should be a way to block them right at the ISP/server side. I would rather not have them delivered to my mailbox in the first place. Why can't ISPs block certain IP addresses right on the spot?

    On what basis should they do so??

    But there is a really easy and extremely effective way!
    Greylisting.

    It is extremely simple, and since I use it the spam mails disappeared.

    It simply refuses the first delivery of the mail.
    The RFC says you need to retry, but the spambots never do.
    In effect that gets rid of them.
    The price you pay is a slight delay for every mail that you receive from a new address.

    The other/additional method is to set up SpamAssassin.
    It scores the mail and if the score is too high it does not accept it.
    But it is much more complicated to set up and maintain.

    CU, Ricsi

    ... All I ask is a chance to prove that money can't make me happy.
    --- GoldED+/LNX
    * Origin: Don't cloud the issue with logic. (2:310/31)
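Added example (editor's code, not from the post above) of the greylisting mechanism just described: the first delivery attempt for a new (client, sender, recipient) triplet gets a 4xx temporary failure; a real MTA queues the message and retries after its retry interval, which is accepted, while a spambot that fires once and moves on never gets through. Two practical details are included that the short description leaves out: a retry that comes back too quickly is still deferred (some bots do retry, immediately), and the client is keyed on its /24 rather than the exact IP because large providers often retry from a neighbouring address. The traffic below is constructed; timings are in seconds and the reply strings are assumed.

```python
from dataclasses import dataclass, field

TEMPFAIL = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    """Greylisting keyed on the (client network, sender, recipient) triplet."""
    min_delay: int = 300                  # a retry sooner than this is still deferred
    max_age: int = 4 * 3600               # a first attempt never retried is forgotten after this
    whitelist_ttl: int = 36 * 24 * 3600   # a triplet that passed is accepted without delay
    key_on_net24: bool = True             # big senders retry from another IP in the same /24
    pending: dict = field(default_factory=dict)   # triplet -> time of first attempt
    passed: dict = field(default_factory=dict)    # triplet -> time of last accepted mail

    def _key(self, ip, sender, rcpt):
        net = ip.rsplit(".", 1)[0] if self.key_on_net24 else ip
        return (net, sender.lower(), rcpt.lower())

    def check(self, ip, sender, rcpt, now):
        key = self._key(ip, sender, rcpt)
        if key in self.passed and now - self.passed[key] < self.whitelist_ttl:
            self.passed[key] = now
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.max_age:
            self.pending[key] = now          # first sighting: defer and remember it
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL                  # retried, but too eagerly for a queued MTA
        del self.pending[key]
        self.passed[key] = now               # a patient retry is what a real MTA does
        return ACCEPT


def simulate(attempts, policy=None):
    """Feed (time, client_ip, sender, rcpt) attempts through one policy; return the replies."""
    policy = policy or Greylist()
    return [policy.check(ip, s, r, t) for t, ip, s, r in attempts]


# Constructed traffic. A real MTA queues the 4xx and retries after its retry interval;
# the spambot fires once and never comes back.
LEGIT_MTA = [
    (0,    "198.51.100.7", "alice@example.org", "august@example.net"),
    (60,   "198.51.100.7", "alice@example.org", "august@example.net"),   # too early
    (900,  "198.51.100.8", "alice@example.org", "august@example.net"),   # 15 min later, sibling IP
    (5000, "198.51.100.7", "alice@example.org", "august@example.net"),   # next mail: no delay
]
SPAMBOT = [
    (0, "203.0.113.9", "promo@spam.example", "august@example.net"),
]

if __name__ == "__main__":
    print("legit:", simulate(LEGIT_MTA))
    print("bot  :", simulate(SPAMBOT))
```

The price the post mentions is visible in the first two replies of the legitimate run: the sender's first message is delayed until its MTA retries. The spambot's single attempt is deferred and, since nothing retries, the mail simply never exists on the receiving side.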
  • From Daniel@1:340/7 to August Abolins on Thu Apr 9 01:12:40 2020
    Re: another one phishing for a bite
    By: August Abolins to Daniel on Tue Apr 07 2020 08:14 pm

    Many of these emails are so stupid. I despise those things. There should
    be a way to block them right at the ISP/server side. I would rather not have them delivered to my mailbox in the first place. Why can't ISPs
    block certain IP addresses right on the spot?

    I've spent quite a bit of my career in information security. Problem is, a lot of them use SMTP services that have been maliciously taken over and used to send phishing and spam campaigns. The community tends to blacklist them and work with the owners to clean their servers and lock them down.

    Many of these servers are used for legitimate business and can impact other people. So, a lot of ISPs don't block them for that reason.

    I host my own mail server, so I subscribe to black hole lists. They keep updated listings of malicious services and remove them when clean. If my server receives an email from it, I never get it.

    At my work, whenever I verify a spam campaign is hitting our employees, I send the email to our mail admins and they create filters.

    That way, the emails are caught by content and then blocked. Then, you're not blocking legitimate emails.

    Daniel Traechin
    --- SBBSecho 3.10-Win32
    * Origin: Digital Distortion: digdist.synchro.net (1:340/7)
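Added example (editor's code, not from the post above) of the black hole list lookup just described. A DNSBL is queried over DNS: the client's IPv4 octets are reversed and the list's zone appended, and a listing shows up as an A record in 127.0.0.0/8 (the exact value is a zone-defined reason code). The block builds the query name, interprets the answer, and produces the connection-stage SMTP reply. The resolver is injectable so the example runs offline against constructed stub data; the zone names, the reason code and the reply text are assumptions, and the stub includes a deliberately broken "wildcard" zone to show why only a 127/8 answer may count as a listing.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")   # DNSBLs answer inside this range when listed


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example only handles IPv4 (IPv6 zones use reversed nibbles)")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name: str):
    """Live A lookup. Replaced by a stub below so the example runs offline."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None   # NXDOMAIN: not listed


def check_dnsbl(ip: str, zones, resolver=resolve_a) -> dict:
    """{zone: answer} for every zone listing the IP; an empty dict means no zone does."""
    hits = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        # Only a 127/8 answer counts: a wildcard or hijacked zone returning some other
        # address must not block mail, and the specific value is a zone-defined reason code.
        if answer and ipaddress.ip_address(answer) in LISTED_RANGE:
            hits[zone] = answer
    return hits


def smtp_greeting(ip: str, zones, resolver=resolve_a) -> str:
    """What the connection-stage check replies to the connecting client."""
    hits = check_dnsbl(ip, zones, resolver)
    if hits:
        return "554 5.7.1 Service unavailable; client %s blocked using %s" % (ip, ", ".join(sorted(hits)))
    return "220 mx.example.net ESMTP"


# Constructed stub data: one zone lists 203.0.113.9 with reason code 127.0.0.2; another
# zone is a broken wildcard that answers with a public address for every name.
FAKE_ANSWERS = {
    "9.113.0.203.bl.example.test": "127.0.0.2",
}


def fake_resolver(name: str):
    if name.endswith(".wild.example.test"):
        return "198.18.0.1"
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    zones = ["bl.example.test", "wild.example.test"]
    for client in ("203.0.113.9", "198.51.100.7"):
        print(client, smtp_greeting(client, zones, fake_resolver))
```

Rejecting at connection time, as `smtp_greeting` does, is what makes the post's "I never get it" literal: the message is refused before any content is transferred, and the listed host gets a reply naming the zone so a cleaned-up operator can request delisting.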
  • From August Abolins@2:221/1.58 to Daniel on Thu Apr 9 09:20:00 2020
    Hello Daniel!

    ** 07.04.20 - 00:03, Daniel wrote to August Abolins:

    Good job. I love doing that on the rare occasion I get an attachment. with
    xls I like to save them as zip files, then extract the components and dig
    around. It's silly simple how some of these trojans work.

    I just received one that neither VirusTotal nor my local scanner detects any fault with.

    But the email is:

    Hey,
    I'm James Smith and I'm interested in a position at your company.
    I think I would be a wonderful to your company.
    I've added a copy of my resume.


    Thank you!

    --
    James Smith

    And the attached file is: James Smith Resume.xls (169kb)

    A binary look at it doesn't reveal any clues at all. The vast majority of the chars are totally non-ASCII.

    The salient parts of the header are:

    Received: from o3.2e.shared.sendgrid.net ([50.31.60.24])
    X-EN-OrigIP: 50.31.60.24
    Received: from t-online.de (unknown)
    From: "James Smith" <63@jdscentral.com>
    Subject: Job
    Message-ID: <4269CC6C.3461899@jdscentral.com>
    Date: Thu, 09 Apr 2020 11:15:42 +0000 (UTC)
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
    Thunderbird/38.0.0

    Meanwhile, I discovered https://www.joesandbox.com/ Looks impressive.
    Does anyone here use that?

    ../|ug

    --- OpenXP 5.0.43
    * Origin: /|ug's Point, Ont. CANADA (2:221/1.58)
  • From August Abolins@2:221/1.58 to Richard Menedetter on Thu Apr 9 10:31:00 2020
    Hello Richard!

    ** 08.04.20 - 08:07, Richard Menedetter wrote to August Abolins:

    I have toyed with the idea of replying to the ones that request
    payment, and just send back a message..

    And what should that do??

    Maybe start to annoy THEM?


    THEY know what they are doing.

    I imagine that they might just have a stupid "clerk" who just might be clueless enough to click.


    THEY can deal with it nicely.

    Yes.. most of this stuff is automated. Mass deliveries of these emails and then when activated by the payload, more automation takes over. I know.. it's just robot waiting for robot.


    This is much better, and funnier:
    https://www.youtube.com/watch?v=_QdPW8JrYzQ

    I remember seeing that several years ago. It was fun to see it again. Meanwhile another one of his that deals with "Unsubscribe". It's worth looking up if YT doesn't already queue it up in the side panel.

    Things like that do help to snuff out the fire of frustration that builds
    up in me.

    One thing for sure.. the spammers have succeeded in spawning a market to document these "adventures" by people who then capitalize on the rewards
    that YT provides. What's the pay-out from YT these days? $1000 per
    million hits. $100 per 100,000 hits?

    The one called "More adventures in replying to scam.." by the same fellow seems even funnier. It has a great finale!

    I can relate when he says that "part of me just wants to annoy THEM as
    much as they annoy US."

    This one by another fellow is pretty good too:


    "OK - Let's Tell The Scammer I Already Have The Money"

    https://www.youtube.com/watch?v=9eYdGGfObKk


    Many of these emails are so stupid. I despise those things. There
    should be a way to block them right at the ISP/server side. I would
    rather not have them delivered to my mailbox in the first place. Why
    can't ISPs block certain IP addresses right on the spot?

    On what basis should they do so??

    Invasion of privacy for one thing.

    How long would you tolerate someone knocking at your door to talk to you after you've told them to go away? And then they would just continue.

    How long would you tolerate someone pricking you with a pin at the back of your neck after you've told them to stop coming near you?

    Many other examples, but privacy is the salient point.


    But there is a really easy and extremely effective way!
    Greylisting.

    It simply refuses the first delivery of the mail...

    Very nice. Perhaps some isps already implement that without my knowing.
    But sadly, the odd spam still slips through?


    The other/additional method is to set up SpamAssassin.
    It scores the mail and if the score is too high it does not accept it.
    But it is much more complicated to set up and maintain.

    That one sounds very familiar. Good to know that there are solutions that ISPs can implement. But whatever is being done, is not good enough.


    ../|ug

    --- OpenXP 5.0.43
    * Origin: /|ug's Point, Ont. CANADA (2:221/1.58)
  • From Richard Menedetter@2:310/31 to August Abolins on Thu Apr 9 19:20:28 2020
    Hi August!

    09 Apr 2020 10:31, from August Abolins -> Richard Menedetter:

    I have toyed with the idea of replying to the ones that request
    payment, and just send back a message..
    And what should that do??
    Maybe start to annoy THEM?

    Nope :)

    This is much better, and funnier:
    https://www.youtube.com/watch?v=_QdPW8JrYzQ

    I remember seeing that several years ago. It was fun to see it again.

    This one has nothing to do with spam, but I think it is quite funny: https://www.youtube.com/watch?v=f5d8pVg3Qtg

    How long would you tolerate someone pricking you with a pin at the
    back of your neck after you've told them to stop coming near you?

    Just use greylisting and/or a Bayesian spam filter

    The other/additional method is to set up SpamAssassin.
    It scores the mail and if the score is too high it does not accept
    it. But it is much more complicated to set up and maintain.
    That one sounds very familiar. Good to know that there are solutions
    that ISPs can implement. But whatever is being done, is not good
    enough.

    Change your mail provider :)

    CU, Ricsi

    ... My Chili recipe is in violation of the nuclear proliferation treaty.
    --- GoldED+/LNX
    * Origin: If you can't make it work, make a statistic of it. (2:310/31)
  • From August Abolins@2:221/1.58 to Richard Menedetter on Thu Apr 9 16:21:00 2020
    Hello Richard!

    ** 09.04.20 - 19:20, Richard Menedetter wrote to August Abolins:

    This one has nothing to do with spam, but I think it is quite funny:
    https://www.youtube.com/watch?v=f5d8pVg3Qtg

    Getting "Video unavailable - The uploader has not made this video
    available in your country."


    ../|ug

    --- OpenXP 5.0.43
    * Origin: /|ug's Point, Ont. CANADA (2:221/1.58)
  • From August Abolins@2:221/1.58 to Richard Menedetter on Thu Apr 9 17:56:00 2020
    Hello Richard!

    ** 09.04.20 - 19:20, Richard Menedetter wrote to August Abolins:

    Maybe start to annoy THEM?

    Nope :)

    "Annoy" them back is truly the best approach. This guy is hilarious:

    "Telephone spam_scam problem_ Bring in the robots. _ Roger Anderson _ TEDxNaperville"

    https://www.youtube.com/watch?v=UXVJ4JQ3SUw

    Too funny!

    The phone service he mentions at the end sounds like fun to give a try.

    I had an uncle who tackled these things with humour and style. "Thank you
    for calling. I don't get out very much. Do you get out much? I'd love to tell you about my aunt in the old country..." ..and he would just keep talking or tell a story.

    I do something similar, but instead of talking, I just tell them I need to check the door.. or that I have a call coming in on the other line.. and I place the caller on hold. There are long periods when the phone is wonderfully free of telemarketers. But when they reoccur, a polite
    "Please hold" routine seems to start reducing them again.


    That one sounds very familiar. Good to know that there are solutions
    that ISPs can implement. But whatever is being done, is not good
    enough.

    Change your mail provider :)

    Most of them seem to get "caught" and moved to the Junk folder on the ISP webmail side. With basic pop/smtp I don't get bothered by the Junk folder contents. But when I occasionally require to use the webmail login,
    there is a great satisfaction to delete the Junk folder in bulk.


    ../|ug

    --- OpenXP 5.0.43
    * Origin: /|ug's Point, Ont. CANADA (2:221/1.58)
  • From mark lewis@1:3634/12 to August Abolins on Thu Apr 9 18:42:22 2020
    Re: another one phishing for a bite
    By: August Abolins to Richard Menedetter on Thu Apr 09 2020 16:21:00


    This one has nothing to do with spam, but I think it is quite funny:
    https://www.youtube.com/watch?v=f5d8pVg3Qtg

    Getting "Video unavailable - The uploader has not made this video available in your country."

    it is a vid from Conan, the night time TV talk show guy with red hair... it loads fine here... it should load fine for you up there in canada... at least, that's where you were the last i recall... i think... maybe...


    )\/(ark
    --- SBBSecho 3.10-Linux
    * Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)
  • From Richard Menedetter@2:310/31 to August Abolins on Fri Apr 10 06:19:28 2020
    Hi August!

    09 Apr 2020 16:21, from August Abolins -> Richard Menedetter:

    This one has nothing to do with spam, but I think it is quite
    funny:
    https://www.youtube.com/watch?v=f5d8pVg3Qtg
    Getting "Video unavailable - The uploader has not made this video available in your country."

    It is called "James Veitch Is A Terrible Roommate".
    Maybe you can find it somewhere.

    CU, Ricsi

    ... I took up exercising so that I could hear heavy breathing again.
    --- GoldED+/LNX
    * Origin: If plugging it in doesn't help, turn it on. (2:310/31)
  • From Daniel@1:340/7 to August Abolins on Fri Apr 10 00:53:41 2020
    Re: another one phishing for a bite
    By: August Abolins to Daniel on Thu Apr 09 2020 09:20 am

    I use nxtoolbox to have it pick apart the header. If the xls didn't have anything in it and if virustotal didn't detect anything, it's no guarantee it's clean either. The email address in the header is fake as hell.

    Daniel Traechin
    --- SBBSecho 3.10-Win32
    * Origin: Digital Distortion: digdist.synchro.net (1:340/7)
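Added example (editor's code, not from any of the posts) of picking apart a header the way the last two posts describe, using the headers quoted for the "James Smith Resume.xls" message. The Received: lines are walked nearest-hop first to recover which host actually handed the mail over and from which IP; the From domain is compared against that host; an inner hop that names a host with no address (the "t-online.de (unknown)" line) is called out as an unverifiable HELO; the provider's X-EN-OrigIP is cross-checked against the first Received IP; and a desktop-client User-Agent arriving via a bulk-sending service is flagged as inconsistent. The raw header block is constructed from the lines in the post, with the "by ..." clauses filled in by hand because the post did not include them; the list of bulk-sender names is an assumption for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw header block. The Received, X-EN-OrigIP, From, Subject, Message-ID,
# Date and User-Agent lines are the ones quoted in the thread; the "by ..." clauses
# are filled in by hand because the post did not include them.
RAW_HEADERS = """\
Received: from o3.2e.shared.sendgrid.net ([50.31.60.24])
\tby mx.example.net with ESMTP; Thu, 09 Apr 2020 11:15:50 +0000
X-EN-OrigIP: 50.31.60.24
Received: from t-online.de (unknown)
\tby o3.2e.shared.sendgrid.net; Thu, 09 Apr 2020 11:15:42 +0000
From: "James Smith" <63@jdscentral.com>
Subject: Job
Message-ID: <4269CC6C.3461899@jdscentral.com>
Date: Thu, 09 Apr 2020 11:15:42 +0000 (UTC)
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
\tThunderbird/38.0.0

"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"\s*from\s+(\S+)", re.I)
BULK_SENDERS = ("sendgrid", "mailgun", "amazonses", "mailchimp")   # assumed list for the example


def received_chain(msg) -> list:
    """(claimed host, connecting IP) per Received: header, nearest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        host = FROM_RE.match(value)
        ip = IPV4_RE.search(value)
        hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    return hops


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyse(raw: str) -> dict:
    msg = message_from_string(raw)
    hops = received_chain(msg)
    from_domain = domain_of(msg.get("From", ""))
    orig_ip = (msg.get("X-EN-OrigIP") or "").strip() or None
    near_host, near_ip = hops[0] if hops else (None, None)
    via_bulk = bool(near_host) and any(b in near_host.lower() for b in BULK_SENDERS)
    findings = []
    # The nearest hop is the only one we observed ourselves; everything inside it is claimed.
    if near_host and from_domain and not near_host.lower().endswith(from_domain):
        findings.append(f"From claims {from_domain} but the mail was handed to us by {near_host}")
    if via_bulk:
        findings.append("delivered through a bulk-sending service")
    if via_bulk and msg.get("User-Agent", "").startswith("Mozilla/5.0"):
        findings.append("desktop-client User-Agent does not fit a bulk-sending path")
    for host, ip in hops[1:]:
        if host and ip is None:
            findings.append(f"inner hop '{host}' carries no IP: a HELO name the relay could not verify")
    if orig_ip and near_ip and orig_ip != near_ip:
        findings.append(f"X-EN-OrigIP {orig_ip} disagrees with the nearest Received IP {near_ip}")
    return {"hops": hops, "from_domain": from_domain, "orig_ip": orig_ip, "findings": findings}


if __name__ == "__main__":
    for line in analyse(RAW_HEADERS)["findings"]:
        print("-", line)
```

None of these findings is a detection on its own (plenty of legitimate mail goes through SendGrid), but together they say what Daniel says more bluntly: the sender identity is not backed by anything in the delivery path, and that is the case regardless of what any scanner thinks of the attachment.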
  • From August Abolins@2:221/360 to mark lewis on Sat Apr 11 19:41:26 2020
    On 09/04/2020 6:42 p.m., mark lewis : August Abolins wrote:

    https://www.youtube.com/watch?v=f5d8pVg3Qtg

    Getting "Video unavailable - The uploader has not made this
    video available in your country."

    it is a vid from Conan, the night time TV talk show guy with red
    hair... it loads fine here... it should load fine for you up
    there in canada... at least, that's where you were the last i
    recall... i think... maybe...

    :)

    Physically in Canada (at this time), but hopping bitwise between Italy, Finland,
    and Australia too much? :( I can get confused.

    I've seen a few other JV's videos. I get the gist. Good for him to have monetized his adventures with YT.



    --
    Quoted with Reformator/Quoter. Info = https://tinyurl.com/sxnhuxc

    --- TB68.4.1/Win7
    * Origin: nntp://rbb.fidonet.fi - Lake Ylo - Finland (2:221/360.0)