September 10, 2008 10:17 PM PDT

Be skeptical or be a victim

by Michael Horowitz

On the Internet people lie to you all the time. Back in April, I wrote that the most important aspect of Defensive Computing may very well be skepticism.

For the second time in the last few days, I received a phony e-mail message purporting to be from the package delivery company UPS. A skeptical person would have deleted the message, and a good thing too, because odds are that anti-malware software on a Windows* computer would not have protected a trusting or inexperienced user who believed the scam.

The first thing to be skeptical of is the From address. Never trust the From address in an e-mail message; it is trivially forged, since the sender simply types whatever it wants there. What the sender cannot rewrite is the Received header that each mail server adds as the message passes through it. Digging into the e-mail headers showed that the message, shown below, actually came from a computer at IP address 121.139.93.144.

Civilians (people outside law enforcement) cannot reliably trace an IP address to a city, let alone to a street address. Tracing it to a country is, I believe, reliable: the message came from Korea.**


Subject: Problems with delivery

Unfortunately we were not able to deliver postal package you sent on September the 1st in time because the recipient's address is not correct. Please print out the invoice copy attached and collect the package at our office

Thank you for your attention!
Your United Postal Service
http://www.ups.com


The attached file, ups_invoice.zip contained a single file, ups_invoice.exe.
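The two checks described above, reading the Received headers to find where the message really came from rather than trusting From, and opening the attached zip to see what it carries, can be automated. The following is an added example, not the author's code: the raw message it parses is constructed to resemble the phony notice, the relay address 203.0.113.5 and the timestamps are made up, and the only real datum is the originating address 121.139.93.144 reported in the post.

```python
"""Triage of a suspicious e-mail: ignore the From header, walk the Received
headers back to the originating IP, and look inside a zip attachment for an
executable.  Example code added to this page, not the author's.  The message,
relay name/address and timestamps are constructed; 121.139.93.144 is the
originating address the post reports."""
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

ORIGIN_IP = "121.139.93.144"   # from the post
RELAY_IP = "203.0.113.5"       # constructed (documentation range)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def build_sample_message(member_name: str = "ups_invoice.exe") -> bytes:
    """Construct a raw message shaped like the phony UPS notice, carrying a
    zip whose single member is a fake Windows executable (PE files begin with
    the bytes 'MZ')."""
    msg = EmailMessage()
    msg["From"] = "United Postal Service <noreply@ups.com>"   # forged by sender
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Problems with delivery"
    msg.set_content("Please print out the invoice copy attached ...")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 62)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="ups_invoice.zip")
    # Each receiving server prepends its own Received header, so the newest
    # hop is on top.  The HELO name ("ups.com") is chosen by the sender; the
    # bracketed IP is what the receiving server actually saw.
    received = (
        f"Received: from mail.servage.net (mail.servage.net [{RELAY_IP}])\n"
        f"\tby mx.example.net with ESMTP; Wed, 10 Sep 2008 20:11:02 -0700\n"
        f"Received: from ups.com (unknown [{ORIGIN_IP}])\n"
        f"\tby mail.servage.net with SMTP; Wed, 10 Sep 2008 20:10:51 -0700\n"
    )
    return received.encode() + msg.as_bytes()


def received_chain(raw: bytes) -> list:
    """IPs recorded in the Received headers, ordered origin first.  Only the
    bracketed address written by the receiving server is used."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ips = []
    for header in msg.get_all("Received", []):
        match = IP_RE.search(str(header))
        if match:
            ips.append(match.group(1))
    return list(reversed(ips))


def from_domain(raw: bytes) -> str:
    """Domain the From header claims.  Cosmetic only; never trust it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg["From"].addresses[0].domain


def suspicious_attachments(raw: bytes) -> list:
    """(attachment name, reason) for executable attachments, including
    executables hidden inside a zip.  Only the first two bytes of each zip
    member are read, so a huge or maliciously compressed member is never
    fully expanded in memory."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
            findings.append((name, "executable attachment"))
        elif data[:2] == b"PK":                     # zip local-file signature
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member)[1].lower() in EXECUTABLE_EXTS:
                        findings.append((name, f"zip contains {member}"))
                        continue
                    with zf.open(member) as fh:
                        magic = fh.read(2)
                    if magic == b"MZ":              # PE file behind a harmless name
                        findings.append((name, f"zip member {member} has a PE header"))
    return findings


def triage(raw: bytes) -> dict:
    """Summarise what a skeptical reader would want to know about a message."""
    chain = received_chain(raw)
    return {
        "claimed_from_domain": from_domain(raw),
        "originating_ip": chain[0] if chain else None,
        "relays": chain[1:],
        "attachments": suspicious_attachments(raw),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_message()).items():
        print(f"{key}: {value}")
```

Two caveats belong with this. A sender can insert fake Received lines of its own before the message ever reaches a real server, so only the headers added by servers you trust are reliable, and the originating address is the one recorded by the first trusted hop. And an extension check is only one heuristic: the example also reads the first two bytes of each zip member, so a member renamed to something like invoice.pdf is still flagged by its MZ header.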

The interesting thing here is the constant struggle of anti-malware companies to keep up with the latest malicious software.

I sent the EXE file to VirusTotal and they had already seen it. Of the 36 anti-malware products they scanned it with, only 14 (39 percent) correctly flagged ups_invoice.exe as something to avoid. Among the free anti-malware programs, Avira's AntiVir correctly flagged it as bad, but Avast and AVG did not. McAfee missed it, as did NOD32, Panda, PC Tools, Sunbelt and Trend Micro.

Yes, this message was amateurish and a number of things give it away as phony. However, the next one may not be so obvious and anti-malware software will always be imperfect. Thus, skepticism may be your best defense.

Update September 12, 2008: Two more of these came today. Neither even bothered hiding the EXE file inside a zip file. I sent one of them to VirusTotal and, again, they had seen it before, this time about 20 hours prior to my uploading it. Initially, 17 out of 37 anti-malware products (46%) detected it as suspicious. When I requested VirusTotal to scan it again, 17 out of 36 products (47%) detected it as malicious. Beats me what happened to that missing anti-malware product.

*As is the norm, Mac and Linux users would have been protected as the malicious software was Windows based.
**The message initially passed through an e-mail server run by servage.net, which was probably innocent in all this.

See a summary of all my Defensive Computing postings.

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
by Michichael September 11, 2008 11:40 AM PDT
Common sense. Not so common.
by davidaharley September 12, 2008 3:40 AM PDT
You're misleading your readers by taking a VirusTotal result as a way of comparing vendor capability. VirusTotal uses commandline scanners, so products that use behaviour analysis of one sort or another on-access are disadvantaged. The guys at VT have tried to disassociate themselves from that misuse in the Hispasec blogs. You don't know if any of those products detect the malware when it actually tries to execute, which is when it matters most...
by tomstar3000 December 17, 2008 7:13 AM PST
I just got this email this morning. The funny thing is, I know that ups.com is United Parcel Service, yet they claimed to be the United States Postal Service. Their URL is usps.com. Funny... People still get suckered in, though.