Defensive Computing

November 8, 2008 3:40 PM PST

Beware emails linking to blogspot.com

by Michael Horowitz

I'm seeing a new pattern of malicious emails in my inbox. The body of the email message is nothing but a link to a blog at blogspot.com. The subject is a single word such as: Hey, Ave or Hallo.

One message linked to uyxmwrmxaxquiuxti.blogspot.com.

My browser stayed there for only a second before getting re-directed to xykribwams.com which claims to be My Canadian Pharmacy.

This is a great example of the value you can get from the Flagfox extension for Firefox (which I wrote about back in July). Flagfox shows that xykribwams.com is actually in Taiwan.

Another message linked to svhtuxcngrwg.blogspot.com. Blogger, however, caught this one as you can see below.

Should you run into a spam blog at Blogger, report it here.

A third message linked to rxqesyeagquzabjagdlokqafmnd.blogspot.com. Blogger also warned that this one was a possible violator of their terms of service.

Despite the warning from Blogger, I clicked through to see both of the last two sites. Each was redirected to the same place as the first one, xykribwams.com.

Abusing Google Docs

On a somewhat related note, another spam message employed another new (to me at least) tactic. The link in the email message went to

docs.google.com/View?docID=dw2rvb4_0d3cv77d6

Everybody likes Google Docs, so this page is unlikely to set off any alarms. Clicking on a link in the page takes the spam victim to the actual website pharmsdirectfull.com, which also claims to be a Canadian Pharmacy.

Flagfox shows that this site is in South Korea.

I purposely didn't mention the "From" address for any of these email messages because you should never consider it when judging a message. It's very easy to forge the From address.

See a summary of all my Defensive Computing postings.

October 30, 2008 10:35 AM PDT

Beware e-mail messages from UPS

by Michael Horowitz

I have a lot of e-mail addresses and thus attract my fair share of unwanted and malicious e-mail. The latest malware spreading e-mail to land in my in-boxes has purported to be from the package delivery company UPS. Thursday, I received two of these, but there have been other similar messages recently.

As you can see in the picture below, it came with an attached ZIP file.

A malicious email that was not from the UPS package delivery company

ZIP files are commonly used as a container to transmit malicious software. The number in the name of the ZIP file is probably there to evade detection by antivirus software; the numbers were different in the two messages received Thursday.

The ZIP file contained a single EXE called UPSInvoice_997612.exe. I uploaded the file to VirusTotal.com, where 4 of the 36 antivirus applications detected it as malicious.
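A way to look inside an attachment like this without ever running it, as an added example that is not part of the original post or of any product it mentions: the script builds a constructed sample ZIP in memory (one member with the name from the post, holding only the two-byte "MZ" magic and zero padding, so it is not a program), then lists every member, flags executable extensions, double extensions, encrypted members and the MZ header, and computes the SHA-256 that a service such as VirusTotal can be searched for. The extension list and the "quarantine" verdict logic are my own choices.

```python
import hashlib
import io
import os
import zipfile

# File types Windows will execute directly; any of these inside a mailed ZIP is a red flag.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}


def build_zip(members):
    """Build an in-memory ZIP from {filename: bytes}. Only used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def sample_ups_zip():
    # Constructed stand-in for the attachment described in the post: the member name is the
    # one from the post, the content is just an 'MZ' magic plus padding (a placeholder, not code).
    return build_zip({"UPSInvoice_997612.exe": b"MZ" + b"\0" * 62})


def triage_zip(data):
    """Describe the members of a ZIP attachment and decide whether to quarantine it.

    Nothing is extracted to disk or executed; the verdict comes from names and magic bytes.
    """
    members = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"verdict": "not-a-zip", "members": members}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            try:
                content = zf.read(info)
            except RuntimeError:  # password-protected member: cannot be inspected, which is itself a flag
                content = None
                reasons.append("encrypted member")
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if name.count(".") > 1:
                reasons.append("double extension")  # e.g. invoice.pdf.exe
            if content is not None and content[:2] == b"MZ":
                reasons.append("MZ header (Windows executable)")
            members.append({
                "name": name,
                "size": info.file_size,
                # Hash of the member, handy for looking the file up at a multi-engine scanner.
                "sha256": hashlib.sha256(content).hexdigest() if content is not None else None,
                "reasons": reasons,
            })
    verdict = "quarantine" if any(m["reasons"] for m in members) else "ok"
    return {"verdict": verdict, "members": members}


if __name__ == "__main__":
    report = triage_zip(sample_ups_zip())
    print(report["verdict"])
    for m in report["members"]:
        print(m["name"], m["size"], m["sha256"], "; ".join(m["reasons"]))
```

The verdict is deliberately conservative: a single executable member is enough to quarantine, because a legitimate invoice arrives as a document, not as a program, and the changing number in the file name (noted above) means a hash lookup alone will often come back empty.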

As I've noted before: never decide to trust an e-mail message based on the sender. It is very easy to forge the "From" address when sending e-mail.

And, hopefully by now it should go without saying, Windows users should never run an executable file sent by e-mail. Mac and Linux users (including the many new Netbook Linux users) can ignore this warning.


September 10, 2008 10:17 PM PDT

Be skeptical or be a victim

by Michael Horowitz

On the Internet people lie to you all the time. Back in April, I wrote that the most important aspect of Defensive Computing may very well be skepticism.

For the second time in the last few days, I received a phony e-mail message purporting to be from the package delivery company UPS. A skeptical person would have deleted the message, and good thing too, because odds are that anti-malware software on a Windows* computer would not have protected the trusting or inexperienced user that believed the scam.

The first thing to be skeptical of is the From address. Never trust the From address in an e-mail message; it is easily forged. Digging into the e-mail headers showed that the message, shown below, actually came from a computer at IP address 121.139.93.144.

Civilians (meaning someone not involved in law enforcement) cannot reliably trace an IP address to a city, let alone an exact address. However, tracing it to a country is, I believe, reliable: the message came from Korea.**


Subject: Problems with delivery

Unfortunately we were not able to deliver postal package you sent on September the 1st in time because the recipient's address is not correct. Please print out the invoice copy attached and collect the package at our office

Thank you for your attention!
Your United Postal Service
http://www.ups.com


The attached file, ups_invoice.zip contained a single file, ups_invoice.exe.

The interesting thing here is the constant struggle of anti-malware companies to keep up with the latest malicious software.

I sent the EXE file to Virus Total and they had already seen it. Of the 36 anti-malware products they scanned it with, only 14 (39 percent) correctly flagged ups_invoice.exe as something to avoid. Among the free anti-malware programs, Avira's AntiVir correctly flagged it as bad, but Avast and AVG did not. McAfee missed it, as did NOD32, Panda, PC Tools, Sunbelt and Trend Micro.

Yes, this message was amateurish and a number of things give it away as phony. However, the next one may not be so obvious and anti-malware software will always be imperfect. Thus, skepticism may be your best defense.

Update September 12, 2008: Two more of these came today. Neither even bothered hiding the EXE file inside a zip file. I sent one of them to VirusTotal and, again, they had seen it before, this time about 20 hours prior to my uploading it. Initially, 17 out of 37 anti-malware products (46%) detected it as suspicious. When I requested VirusTotal to scan it again, 17 out of 36 products (47%) detected it as malicious. Beats me what happened to that missing anti-malware product.

*As is the norm, Mac and Linux users would have been protected as the malicious software was Windows based.
**The message initially passed through an e-mail server run by servage.net, which was probably innocent in all this.
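The header digging described above, done in code as an added example (not part of the original post): each Received header records one hop, the top one is the last server before your inbox and the bottom one is where the message entered the mail system, so the external address in the bottom-most header is the best available clue to the real origin. The sample message is constructed; the originating address 121.139.93.144 and the servage.net relay are the ones the post describes, while the server names mx.example.net and mail1.servage.net, the message ids, the sender address and 203.0.113.10 (a documentation-range address) are placeholders.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample. Only the origin address and the servage.net relay come from the post.
SAMPLE_MESSAGE = """\
Received: from mail1.servage.net ([203.0.113.10])
        by mx.example.net with ESMTP id abc123
        for <victim@example.net>; Wed, 10 Sep 2008 17:02:11 -0700
Received: from [121.139.93.144] (helo=ups.com)
        by mail1.servage.net with smtp id xyz789;
        Wed, 10 Sep 2008 17:01:58 -0700
From: "United Postal Service" <invoice@ups.com>
To: victim@example.net
Subject: Problems with delivery

Unfortunately we were not able to deliver postal package you sent on September the 1st.
"""

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Addresses that identify a LAN hop or the local machine, never an Internet origin.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def first_external_ip(text):
    """First routable IPv4 address in a piece of header text, or None."""
    for candidate in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            return candidate
    return None


def parse_received(value):
    """Split one Received header into who claimed to connect, their address, and who accepted."""
    value = " ".join(value.split())                 # unfold the header onto one line
    from_part, _, rest = value.partition(" by ")
    claimed = re.match(r"from\s+(\S+)", from_part, re.IGNORECASE)
    relay = re.match(r"(\S+)", rest)
    return {
        "claimed_from": claimed.group(1) if claimed else None,   # HELO name: freely chosen by the sender
        "ip": first_external_ip(from_part),                       # recorded by the receiving server
        "relay": relay.group(1) if relay else None,
    }


def analyze(raw):
    """Walk the Received chain and compare it with the From address."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = [parse_received(str(h)) for h in msg.get_all("Received", [])]
    _, from_addr = parseaddr(str(msg["From"]))
    from_domain = from_addr.rpartition("@")[2].lower()
    # Headers are listed newest first, so the origin is the lowest hop that carries an address.
    origin = next((h["ip"] for h in reversed(hops) if h["ip"]), None)
    relays = [h["relay"].lower() for h in hops if h["relay"]]
    return {
        "from_address": from_addr,
        "from_domain": from_domain,
        "hops": hops,
        "origin_ip": origin,
        "relay_matches_from_domain": any(
            r == from_domain or r.endswith("." + from_domain) for r in relays),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_MESSAGE)
    print("From:", result["from_address"])
    print("Origin IP:", result["origin_ip"])
    print("Any relay in the From domain:", result["relay_matches_from_domain"])
```

Two caveats that the code reflects: the name after "from" (here the HELO value "ups.com") is supplied by the connecting machine and proves nothing, whereas the bracketed address is written by the server that accepted the connection; and only the headers added by your own provider are trustworthy, since anything below them could have been pre-fabricated by the sender.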


August 25, 2008 2:45 PM PDT

How to check if a computer is using OpenDNS

by Michael Horowitz

In response to the recent DNS problems on the Internet I had earlier suggested changing some network configuration parameters to use the free OpenDNS service.

As I did this myself for a number of machines that I maintain, the question arose of verifying the change. That is, how can someone, particularly a non-technical computer user, ensure that their computer is configured to use OpenDNS?

This is, it turns out, remarkably easy.

Go to www.opendns.com. At the top of the home page, just under the tabs, there will be a message whose content depends on whether the computer is using OpenDNS or not.

If the computer is not using OpenDNS, the message reads: "Start using the world's largest and fastest-growing DNS service. Make your network safer, faster, smarter and more reliable. It's free."


If the computer is using OpenDNS, the message reads: "You're using OpenDNS. Thanks! You are now navigating the Internet safer, faster, smarter and more reliably than ever before."


Update: According to the company, this should work for all operating systems.


August 16, 2008 9:30 PM PDT

Some companies you can trust, and some you can't

by Michael Horowitz

All companies have computer problems; how they deal with them separates the men from the boys.

Netflix

When I was away from home recently for an extended period of time, I tried to change the shipping address on my Netflix account. What should have been trivial became a problem because the Netflix web site made assumptions about the format of the address that didn't apply in my case. Every time I entered the address, their system reformatted it. I could not, for the life of me, figure out how to enter the correct address, so I contacted someone at Netflix for help. The person I spoke with sympathized and offered a way to fudge things to get the good data past their system filters. What I remember from the experience is the good customer service, not the problem.

Over the time I have been a Netflix customer, they repeatedly showed themselves interested in providing great customer service in other ways too. Thus, I trust they are telling me the whole story. Recently, I ordered their Roku box for watching movies over the Internet. I didn't care a lot about online movies and at $100 the price just about matched how much I cared. I could have taken it or left it. But, because I trusted the company wouldn't have any hidden gotchas, I ordered it.

Now, Netflix is all over the news for a massive system failure that affected all 55 of their distribution centers. Here too, what I'll remember is not the screw-up, but the way they handled it. After all, computer systems fail, it happens to everyone. Before I knew there was a problem, Netflix sent an email message apologizing. That makes an impression. And, now that the problem has been fixed, they are offering a 15% rebate on the monthly fee to affected customers. The take-away from this, at least for me, is that they dealt with the problem honestly and fairly.*

Amazon

Amazon.com offers a file storage service called S3 (Simple Storage Service). Not long ago it suffered an outage of a few hours. I don't use S3 so my interest was marginal, but I did run across the after-the-fact accounting of the problem from Amazon. It was fairly technical and explained the internal functioning of the system in a clear way and detailed what went wrong and how the problem was unanticipated. They explained how they fixed the immediate problem and the steps they would take to prevent a recurrence in the future.

I was impressed with how Amazon came clean; even Netflix is mum on the technical details of their problem. This inspires confidence, and if I ever need a web service that Amazon offers, I would not hesitate to use them.

Netflix and Amazon stand in stark contrast to the companies described a few days ago in the Wall Street Journal.

Credit Card Breaches

Recently the US government charged men in five countries with stealing credit cards from a number of retailers. The poster boy for this credit card and ID theft ring was TJX, the corporation behind the T.J.Maxx, Marshalls, HomeGoods and A.J. Wright retail chains. The breach of their computer systems has been extensively publicized; it was even featured on 60 Minutes. From what I've learned, their computer security was disgraceful. But, at least they came clean.

The crime ring in question hit other outfits besides TJX. In Some Stores Quiet Over Card Breach three Wall Street Journal reporters describe how other companies didn't tell their customers about the data theft.

Boston Market and Forever 21 "never told their customers because they never confirmed data were stolen from them".

Of course, it can be impossible to tell if data was copied. Certainly bad guys getting credit card numbers over a WiFi network wouldn't leave any trace, and neither would other types of breaches. According to the New York Times, BJ's Wholesale Club, the Sports Authority, OfficeMax, DSW and Barnes & Noble had their wireless networks breached.

The Journal reports that OfficeMax, Barnes and Noble and Sports Authority "wouldn't say whether they made consumer disclosures".

The best companies at disclosure were BJ's Wholesale Club, DSW and Dave and Buster's. Each disclosed the breach to their customers shortly after they became aware of it.

There is more detail in the article and it's definitely worth reading to form your own opinion on which companies you can trust and which you can't.

*Still, Netflix needs some better computer nerds. Speaking as a techie, a three day outage is inexcusable. No doubt, more than one thing went wrong to cause such an extended problem. Human error is likely on the list as is poor up-front planning.


July 30, 2008 8:16 AM PDT

What The New York Times left out, about the DNS flaw

by Michael Horowitz

The front page of the New York Times today had a story by John Markoff, With Security at Risk, a Push to Patch the Web, about the recent bug in DNS. Being a newspaper, the focus of the story was on news rather than practical advice. In contrast, this Defensive Computing blog focuses on practical advice.

For another introduction to the problem see What you need to know about the latest DNS flaw.

For an online test that tells you if your computer is vulnerable to the DNS flaw see The best test for vulnerability to the DNS flaw. The fact that there are online vulnerability tests wasn't even mentioned in the newspaper.

If your computer is vulnerable to the problem, see A cheatsheet for defending against the DNS flaw.

Markoff warned about the potential danger of the DNS flaw with:

"It could allow a criminal to redirect Web traffic secretly, so that a person typing a bank's actual Web address would be sent to an impostor site set up to steal the user's name and password. The user might have no clue about the misdirection... "

Firefox 3 users have a much better chance of being informed about misdirections resulting from the DNS flaw, if they are willing to tweak the browser a bit.

In Firefox 3 gotcha: No more yellow address bars, I wrote about how to restore the yellow address bar to indicate a secure web page. This was a feature in Firefox 2 that got dropped in version 3.

If you prefer to think of green as good and yellow as a warning, then you can read Make Firefox 3 use green for secure web pages where I explain how to change the secure page color in the address bar from yellow to green.

Even further information about secure web pages is available with another Firefox 3 configuration change. See Firefox 3: Expand the Site Identification button on HTTPS pages to learn how to enable a feature that displays the secure website name in a blue button right next to the address bar.

The end result is an address bar that looks like the one below for secure web pages. If this is how secure web pages display, it makes it much harder for the bad guys to fool you by mis-directing you to a scam copy of a website.

A secure web page displayed with Firefox 3

Below is the same web page displayed in Internet Explorer 7. Something such as the missing "S" in the protocol name, which flags a secure web page, can be easily missed.

A secure web page displayed with Internet Explorer 7

Update July 31: The above screen shot from Internet Explorer 7 is from an instance with the phishing filter turned off. When this filter is turned on, IE7 works much like the tweaked copy of Firefox 3, that is, the address bar turns green and there is an extra button on the right with additional information about the secure page.


July 5, 2008 2:23 PM PDT

Verifying legitimate bank websites

by Michael Horowitz

Recently I wrote about Flagfox, a simple Firefox extension that puts a flag in the corner of the browser window indicating the country where the website being viewed resides. Hovering the mouse over the flag displays the IP address (explanation below) of the website and clicking the flag brings up more details, including the city where the site is located.

This can be important because there are many ways to be tricked into thinking you are at, for example, a bank website, when you are really viewing a well-crafted, scam copy designed to steal personal information. Flagfox can go a long way toward verifying that you are really looking at the website you expect. Anyone doing financial transactions online would be well served to use it.

When banks explain why their websites are safe and secure, they focus on the SSL encryption used to transmit data over the Internet. That's only part of the puzzle however. We can encrypt data and send it to the bad guys too. That's where Flagfox can help.

The problem is verifying the physical location of legitimate websites.

For example, on my computer, Flagfox reports that the login page for Capital One credit cards is in McLean, Virginia. Is this the real site, or, has my computer been compromised such that I'm looking at a phony copy?

The only way to verify the location is to ask the bank. So that's what I've been doing.

On July 3rd, I contacted eight banks asking where their websites were physically located. In some cases I emailed, in other cases I filled in a form on their website. In each case I pointed to my previous blog posting and asked for a comment. The banks I contacted were: Citibank, Chase, Washington Mutual, Bank of America, Wells Fargo, Wachovia, HSBC and Capital One.

About IP Addresses

Flagfox determines the country based on the IP address of the website. Every computer on the Internet is reachable by a unique number called an IP address (a single IP address often front-ends multiple computers, but that's another topic).

It is impossible for the computer(s) running a website to hide their IP address. Just as the Flagfox extension displays it, so too can any Internet-aware software that cares to do so. And, just like you can learn the IP address of a website, the website also knows your IP address. To see this in action, go to ipchicken.com.

Thus, one way to detect scam websites would be for financial companies to publicize the IP address(es) of their website. Customers could put a yellow sticky on their monitor with the IP address and verify it with Flagfox before logging in to the website.

The Bank of America did just that. They wrote back that their website uses these three IP addresses:
  171.161.161.173
  171.159.193.173
  171.159.65.173

But, IP addresses are for computers not for people. Humans are better off dealing with countries, states and cities. Capital One credit card customers would, I'm sure, prefer to remember McLean, Virginia rather than the IP address 208.80.48.53.

It has been two days since I contacted the eight banks (yes, it's a holiday in the U.S., but bank websites don't do holidays). Three haven't responded at all. Four responded with canned messages that failed to address the topic. Only Bank of America seems to have read the question.

If I learn anything from these companies, I'll pass it on. If you do financial transactions online, try asking your financial institution. Can't hurt.

Update July 7, 2008: Attacking the registrar for a domain is one way to redirect people to phony websites. See this July 7th ComputerWorld article for a recent example: ICANN blames June site hijack on registrar


July 2, 2008 12:26 PM PDT

Fight Phishing with Flagfox for Firefox

by Michael Horowitz

A big part of phishing scams and identity theft is fooling people into thinking they are on one website when they are actually somewhere else. The technical tricks to accomplish this include lookalike and phony domain names, zapping the hosts file, tricks with URLs and assorted attacks on DNS servers. What's a normal person to do?
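Two of the tricks named above can be checked for on the machine itself. As an added example (not part of this post, the previous one about bank addresses, or Flagfox), the script below first reads a hosts file and reports any entry that points a name somewhere other than the local machine, which is what "zapping the hosts file" produces, and then compares the addresses a bank name resolved to with the addresses the bank published, using the three Bank of America addresses quoted in my July 5th posting. The sample hosts file is constructed, with 192.0.2.45 (a documentation-range address) standing in for a stranger's server; attaching those three addresses to the host name www.bankofamerica.com is my assumption, since the bank's reply quoted addresses but not a host name.

```python
import ipaddress
import socket

# Constructed sample hosts file. The last line is the kind of override the post warns about:
# every visit to the bank's name would go to 192.0.2.45 instead of the bank's real servers.
SAMPLE_HOSTS = """\
# loopback entries are normal
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.45      www.bankofamerica.com
"""

# Assumption: the three addresses the bank gave belong to the host name www.bankofamerica.com.
PUBLISHED_ADDRESSES = {
    "www.bankofamerica.com": {"171.161.161.173", "171.159.193.173", "171.159.65.173"},
}


def hosts_overrides(text):
    """Return (address, name) pairs that send a name to a machine other than this one."""
    overrides = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                        # malformed line; not a redirection
        if ip.is_loopback or ip.is_unspecified:
            continue                        # points at this machine or at nothing: blocks, does not redirect
        overrides.extend((addr, name.lower()) for name in names)
    return overrides


def check_addresses(host, observed, published=PUBLISHED_ADDRESSES):
    """Compare the addresses a name resolved to with the institution's published list.

    Returns (verdict, unexpected_addresses); verdict is 'ok', 'mismatch' or 'unknown'.
    """
    expected = published.get(host.lower())
    if expected is None:
        return "unknown", set()
    unexpected = set(observed) - expected
    return ("ok" if not unexpected else "mismatch"), unexpected


def resolve(host):
    """Live lookup through this machine's resolver (needs network; not used by the tests)."""
    return set(socket.gethostbyname_ex(host)[2])


def audit(host, hosts_text, observed):
    """Combine both checks into one report for a single host name."""
    findings = []
    for addr, name in hosts_overrides(hosts_text):
        if name == host.lower():
            findings.append(f"hosts file overrides {name} -> {addr}")
    verdict, unexpected = check_addresses(host, observed)
    if verdict == "mismatch":
        findings.append(f"{host} resolved to address(es) not on the published list: {sorted(unexpected)}")
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    report = audit("www.bankofamerica.com", SAMPLE_HOSTS, {"192.0.2.45"})
    print(report["verdict"])
    for f in report["findings"]:
        print(" -", f)
```

A mismatch is a prompt to verify, not proof of foul play: published address lists go stale, and large sites answer from more than one address. The check also shares Flagfox's limit, noted above: on a machine that has already been compromised, the resolver and the hosts file can both lie to it.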

Flagfox is an unobtrusive extension for the Firefox web browser that offers some assistance by placing a flag in the bottom right corner of the Firefox window. The flag (shown below) indicates the country where the website physically resides.


If you don't recognize the flag, hover the mouse over it and a yellow pop-up window (below) displays the IP address of the website and the country where it resides. If you normally deal with a bank, brokerage or credit union in, for example, the United States, and one day you notice the flag is from another country, you are not at the website you thought you were.


Of course this only goes so far. If a legitimate website is in New Jersey and a phony, phishing copy of it resides in New Mexico, the flag will still be American. Before doing anything sensitive, such as banking, click on the flag to open a new tab showing a map and more precise location information such as the city and state.


This is the physical location of the website, not of the organization or person represented by the website. Although in the case of CNET and CNET.com they are the same, this is not normally the case. The New York Times, for example, runs their website out of Colorado. The website of another New York City newspaper, the Daily News, is in Texas. Our third local newspaper, the New York Post, hosts their site in Massachusetts.

In all but two cases that I tried, Flagfox was able to pinpoint a location based on the IP address. However, it didn't know where CNN.com or TomsHardware.com were located.

The point is to be aware of where the important websites that you deal with are located. Customers of Citibank, for example, would be safer if they verified that the website was in New York City before signing in.

But where are the bank websites? Only the banks know for sure. For example, my computer showed Citibank.com as being in New York City, but if my machine was compromised, I could be looking at a scam site imitating Citibank while the real site is elsewhere.

For Flagfox to be most effective, banks, brokerages and credit unions would have to publicize the physical location of their websites. I'll contact a few and see what they say...

Update July 2, 2008: If Flagfox can't locate a website based on the IP address, there are other options. Two websites that I've used often for this are www.ip-adress.com/ipaddresstolocation and www.ip2location.com/demo.aspx.

For more on this same subject, see my next posting, Verifying legitimate bank websites.

I recently wrote about another Firefox tweak, Firefox 3: Expand the Site Identification button on HTTPS pages, which also helps with verifying the true identity of a website.


May 11, 2008 5:14 PM PDT

A word of warning about 'free' public Wi-Fi

by Michael Horowitz

I recently found myself in an airport terminal with a laptop and time to kill. Not knowing what the Wi-Fi options were, I let Windows XP search for available wireless networks. As you can see below, one of the networks was called "Free Public WiFi". If this happens to you, don't connect to a network like this.


The first two networks are each labeled "Unsecured wireless network". Fine. But the Free Public WiFi network is described by Windows as an "Unsecured computer-to-computer network". As the name implies, this network connects to a computer run by a total stranger somewhere nearby in the terminal.

Normally, wireless networks are created, run, and governed by a router. But, two Wi-Fi-enabled computers can talk directly to each other without the need for a router-based network. Another term for this type of network is "ad-hoc". Personally, I've never needed or used an ad-hoc computer-to-computer network.

How unusual are computer-to-computer networks? I live in Manhattan, surrounded by large apartment buildings. At home, my laptop picks up 28 wireless networks. Not one of them is a computer-to-computer network.

Why would someone set up a computer-to-computer network in an airport terminal? Most likely, it is good for them and bad for you. For one thing, the network name seems a bit too obvious. Who, in an airport terminal, doesn't want free public Wi-Fi? It's like asking a child if they want candy.

I always configure laptops to only connect to router-based networks and suggest you do so, too. Windows XP has a configuration option, shown below, that controls the type of networks it talks to.


You get to this window with: Control Panel -> Network Connections -> Wireless Networks tab -> Advanced button. Router based networks are referred to as "infrastructure" or "access point" networks.

Knowing that my laptop wouldn't connect to an ad-hoc network, I tried it anyway. The result is the warning shown below.


Unfortunately, lots of software competes to control the Wi-Fi connection on laptop computers. In the examples above, Windows XP was controlling the network. Your laptop may have software from the company that made the computer controlling the wireless network. Or, your Wi-Fi environment may be controlled by software from the company that made the Wi-Fi adapter hardware or by an outside party altogether. This other software may or may not have an option to avoid computer-to-computer networks. If it doesn't, hopefully it will at least identify the type of network it detects.

Update May 14, 2008: For an explanation of where some of these computer-to-computer networks come from see Free Public WiFi SSID. The important point here is that when you are looking through the list of available wireless networks, you be on the lookout for ad-hoc computer-to-computer networks as opposed to normal, router-based (infrastructure) networks. If the software you use to scan for available networks does not indicate the type of network, you may want to use different software. As more people become aware of this particular network name, a bad guy may simply use another enticing name.
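For readers whose scanning software does show the network type but buries it in text, here is an added example (not part of this post, and not Microsoft's code) that parses a scan listing and flags the ad-hoc entries regardless of their name, which addresses the last point above. The listing is a constructed sample in the layout of "netsh wlan show networks" on Windows Vista and later; the exact field names are an assumption and the parser keys on them loosely. The network names in the sample are made up except for "Free Public WiFi" from the post.

```python
import re

# Constructed sample scan listing (layout assumed; see lead-in).
SAMPLE_SCAN = """\
Interface name : Wireless Network Connection
There are 3 networks currently visible.

SSID 1 : Airport_Guest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None

SSID 2 : Free Public WiFi
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None

SSID 3 : CoffeeCorner
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
"""


def parse_scan(text):
    """Turn the listing into a list of dicts, one per SSID, keyed by lower-cased field name."""
    networks, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*SSID\s+\d+\s*:\s*(.*)$", line)
        if m:
            current = {"ssid": m.group(1).strip()}
            networks.append(current)
            continue
        if current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return networks


def assess(networks):
    """Mark each network: ad-hoc ones are to be avoided; open ones get a note."""
    report = []
    for n in networks:
        ntype = n.get("network type", "").lower()
        notes = []
        adhoc = ntype.startswith("ad")          # 'Adhoc', 'Ad-hoc', 'ad hoc'
        if adhoc:
            notes.append("computer-to-computer (ad-hoc) network: run by another laptop, not a router")
        if n.get("authentication", "").lower() == "open":
            notes.append("no authentication: anyone in range can read the traffic")
        report.append({"ssid": n["ssid"], "type": ntype or "unknown", "avoid": adhoc, "notes": notes})
    return report


def networks_to_avoid(text):
    """Names of the ad-hoc networks in a scan listing."""
    return [r["ssid"] for r in assess(parse_scan(text)) if r["avoid"]]


if __name__ == "__main__":
    for entry in assess(parse_scan(SAMPLE_SCAN)):
        flag = "AVOID " if entry["avoid"] else "      "
        print(f"{flag}{entry['ssid']:<20} {entry['type']:<15} {'; '.join(entry['notes'])}")
```

The name is deliberately ignored when deciding what to avoid; as the update says, the next enticing name will be different, but the network type is what actually matters.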


May 3, 2008 3:47 PM PDT

Can you trust the Wall Street Journal's domains?

by Michael Horowitz

Last week I wrote that skepticism may be the most important thing you bring with you when dealing with the Internet. A few days later in the Wall Street Journal, Walter Mossberg said basically the same thing - "...the most insidious Internet security problems today rely on human gullibility, not tricky software."

His article, How to Avoid Cons That Can Lead to Identity Theft, included this advice "Don't click on links to offers for free software or goods that you receive in an email, especially from a sender or company you've never heard of."

The problem with this advice is twofold. First, the From address of an email message is very easily forged. You may get a scam message that seems like it came from a company you know, but really didn't. Also, identifying a company you know has its own issues.

Suppose, for example, you got an email message about a really cheap price for a subscription to the Wall Street Journal. The phony From address could well be subscriptions@wsj.com. Suppose too, that the scam sent you to the www.wsj.biz web site.

Many people know that the online version of the Wall Street Journal is wsj.com. But, wsj.biz has nothing at all to do with the newspaper or with Dow Jones. It belongs to Marc Gaines and the web page that currently displays is a temporary one that GoDaddy provides for their customers. The point being, Mr. Gaines, can do whatever he likes with that website, including tricking people into thinking it offers cheap subscriptions to the newspaper. What better way to learn personal information such as name, address, phone number and credit card number? Perfect for identity theft.

Just because a famous company owns the .com domain, it implies nothing at all about other domains.

In the case of the Wall Street Journal, Dow Jones owns wsj.net and wsj.us. However, wsj.info belongs to Seth Wilkof who is looking to sell it. Wsj.org is also a scam-in-waiting. Today, it is a temporary default web page, but it belongs to someone named Natalia Skuridina.

Even someone who doesn't know that wsj.com is the Wall Street Journal, certainly knows the organization behind wallstreetjournal.com. That's easy. But what about wallstreetjournal.net? And wallstreetjournal.org? They both belong to Dow Jones, but, that's where the good news ends.

It is not clear who owns wallstreetjournal.info, but Dow Jones definitely does not own wallstreetjournal.us or wallstreetjournal.biz.

You can see who registered a domain by doing a WHOIS lookup at the website of any registrar. For example, at Network Solutions, go to networksolutions.com/whois and at Register.com go to register.com/whois.rcmx.
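The same lookup can be scripted, which makes it practical to compare the registrant of a famous .com against its look-alike siblings in one go. This is an added example, not from the post or from any registrar: a minimal WHOIS client in the style of RFC 3912 (connect to port 43, send the name, read until the server closes; whois.verisign-grs.com answers for .com and .net, other TLDs have their own servers, and whois.iana.org will point you at the right one), a parser for the "Key: value" lines such servers return, and a comparison of registrants across domains. The two WHOIS responses below are constructed samples; only the domain names and the fact that Dow Jones holds wsj.com come from the post, while the registrar, dates, name servers and the .biz registrant are placeholders.

```python
import socket

# Constructed sample responses; see lead-in for which values are placeholders.
SAMPLE_WSJ_COM = """\
   Domain Name: WSJ.COM
   Registrar: Example Registrar, Inc.
   Creation Date: 2000-01-01T00:00:00Z
   Registrant Organization: Dow Jones & Company
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
>>> Last update of WHOIS database: 2008-05-03T00:00:00Z <<<
"""

SAMPLE_WSJ_BIZ = """\
Domain Name: WSJ.BIZ
Registrar: Example Registrar, Inc.
Creation Date: 2000-01-01T00:00:00Z
Registrant Name: PLACEHOLDER-INDIVIDUAL
Name Server: NS1.EXAMPLE.ORG
"""


def whois_query(domain, server="whois.verisign-grs.com", timeout=10):
    """Raw WHOIS query: send the name, read until the server closes. Needs network access."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(f"{domain}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated keys (name servers, statuses) become lists."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue                        # comments, legal notices, blank lines
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:
            continue
        if key in fields:
            existing = fields[key]
            fields[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            fields[key] = value
    return fields


def registrant(fields):
    """The organisation if present, else the individual name, else None (privacy-proxied records)."""
    for key in ("Registrant Organization", "Registrant Name"):
        if fields.get(key):
            return fields[key]
    return None


def compare_registrants(records):
    """records: {domain: parsed fields}. The first domain is the reference; returns the
    others whose registrant differs from it, mapped to what their record says."""
    names = list(records)
    reference = registrant(records[names[0]])
    return {d: registrant(records[d]) for d in names[1:] if registrant(records[d]) != reference}


if __name__ == "__main__":
    records = {"wsj.com": parse_whois(SAMPLE_WSJ_COM), "wsj.biz": parse_whois(SAMPLE_WSJ_BIZ)}
    for domain, fields in records.items():
        print(domain, "->", registrant(fields))
    print("registrant differs:", compare_registrants(records))
```

When a registrant field holds a privacy service or is missing, the comparison flags the domain as different, which is the safe outcome: a domain whose owner cannot be confirmed deserves the same suspicion as one owned by a stranger.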

I focused on the Wall Street Journal, only because Walter Mossberg writes for the paper. The concept though, applies universally. I get bitten by it myself. Two websites that I visit are www.speakeasy.net and www.witopia.net. I don't, however, visit them often enough to train my fingers to type .net instead of .com. Neither company owns the .com version of their domain name.



About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
