June 16, 2017

Mail that Should NOT Be Opened

Not All E-Mail Should Be Opened

Avoid Malware by Avoiding Malicious E-Mail




The longer you have had an e-mail address, the more spam you will receive. If you read any of our series on The Privacy Implications of Internet Quizzes, you know that there are many unscrupulous folks out there, eager to harvest your information. Facebook "like" scams, phony giveaways, and the like are all set up with the express purpose of harvesting your e-mail address. Once harvested, those addresses are often sold. The result is spam.

Strictly defined, spam is unsolicited commercial e-mail, usually sent to a large number of recipients. The word has come to connote scams and shams in general. In the US it is regulated rather than banned outright: the CAN-SPAM Act of 2003 requires commercial e-mail to carry accurate header information, identify itself as an advertisement, and include a working opt-out, and mail that violates those rules is illegal. But the Bad Guys are not known for following the law. Legitimate companies include opt-out information in order to comply with it. Spammers use that habit to their advantage, often including links that look like legitimate opt-out links but that only lead to malicious content. Additionally, unsubscribing from a spam e-mail only confirms to the bad guy that the address is read by a live person, making it even more valuable.


Much spam is merely a nuisance. By that I mean it is only trying to sell you something, and that something is probably counterfeit, if it even exists. The rest is designed to do harm to you or your equipment. It may plant malware on your computer. It may try to steal your credentials, so the crooks can steal your money and/or pose as you and ruin your reputation.

Today's post is going to focus on e-mail you should not open. ALL of this mail landed in my inbox within the last week. Some of these were correctly filtered by my spam filter; others landed in my inbox, and I had to manually mark them as junk. All e-mails have been converted to screenshots, due to their malicious content.


Mousing Activates Malware

I had a very legitimate-looking e-mail land in my box. Not unusual. What WAS unusual is that it had malware set to trigger when I merely moused over the link. Now a Safe Surfer ALWAYS mouses over before clicking, to see where the link actually goes. I teach folks to do this. This scammer used Safe Surfing to his advantage.

Thankfully, my anti-virus did its job and quarantined the executable. However, the fake log-in page still loaded in my browser. A more naive individual may have actually logged in, as the scammers had cloned the Apple log-in page VERY well.  I am not naive. As a precaution, I closed everything, disconnected from the Internet, and did a FULL anti-virus scan, followed by 2 anti-malware scans.


This very legitimate-looking Apple e-mail (pictured above) is the one I'm talking about. The date was right for a monthly, recurring payment rejection. If I actually used iTunes or had an iPhone, I might actually have been fooled, especially if this spam had come in on my mobile device. However, a close look at the "from" address should raise a flag. (And the fact I don't currently use ANY Apple services raised the biggest flag for me.)

Google Docs Spam

Google Docs spam has been in the news lately as a delivery route for ransomware and credential theft. The spammers either send a link to a LEGITIMATE shared document that carries a malicious payload, OR they route you through a phony Google log-in screen to steal your Google credentials.



Although I have blocked out the e-mail address in both sample screenshots, in one case the e-mail indicated I had shared a Google Doc with myself. I haven't. My Google Docs accounts are all associated with Gmail addresses, rather than with a domain name. In BOTH cases, the supposed sharer was a domain I owned, but had NOT associated with a Google Docs account. Big flag.



The fact that the Google logo came through broken in the second example was another major clue. AND the fact that it just said a domain shared a link with me. Again, I own that domain, and the spam came into an e-mail address associated with that domain. I knew I hadn't shared anything recently. But just imagine if that domain was "coke.com." A LOT better chance of a click-through. And just think of all they get if they get my Google log-in: mail, wallet, video library, blogs, photos... more than enough to open several credit cards in my name and social-engineer their way into most any account I have.

The moral of the story is to NOT open any unexpected document without checking with the sender. BEFORE clicking through, whip off a quick e-mail to the supposed sharer saying "Did you share a Google Doc with me?"  This is why you also want to include a note, and probably also a warning in a separate e-mail, when you share something with someone via e-mail.  

Billing Scams


Empty e-mails with nothing but an attachment called "bill.pdf," phony "Your bill is attached" e-mails, and other billing shams are also popular. I get hundreds of these in a week. With few exceptions, the scammers are using filename tricks to get you to open a "harmless" PDF: a double extension such as "bill.pdf.exe" (Windows Explorer hides known extensions by default, so it displays as "bill.pdf"), or a right-to-left override character that makes the name render with a different extension than it really has. Despite what we've been told, the extension in an attachment's name says nothing about what the file actually is; only its contents do. Genuine document files can carry malicious content too: PDFs can embed JavaScript and auto-run actions, Word and Excel files can carry macros, and even JPEG and GIF files have been used to exploit bugs in the programs that display them. Many malicious attachments rely on exactly these scripting features built into the document formats and the programs that open them. If you're not expecting payroll, don't click on the "payroll.pdf" attachment out of curiosity. Most of these attachments deliver ransomware or malware of some sort.
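The filename tricks and content checks described above can be automated before anyone double-clicks. The following Python script is an added example and is not code from the original post: it flags bidi-override and double-extension names, compares the claimed extension with the file's magic bytes, and looks inside PDFs and Office documents for active content. All the attachments it examines are constructed byte strings built in the script, not real samples.

```python
"""Attachment triage for the "bill.pdf" lure: filename tricks, and a check
that the bytes actually are what the extension claims.

Added example, not code from the original post. SAMPLES below are
constructed byte strings, not real attachments.
"""
import io
import zipfile

RLO, LRO = "\u202e", "\u202d"   # Unicode bidi overrides; make 'gpj.scr' render as 'rcs.jpg'
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "wsf", "hta", "lnk", "jar", "ps1"}
# Magic bytes -> real type. docx/xlsx/jar are zip containers; legacy doc/xls are OLE.
MAGIC = [(b"%PDF", "pdf"), (b"MZ", "exe"), (b"PK\x03\x04", "zip"),
         (b"\xd0\xcf\x11\xe0", "ole"), (b"\xff\xd8\xff", "jpg"), (b"GIF8", "gif")]
# Which sniffed types a claimed extension may legitimately have.
COMPATIBLE = {"pdf": {"pdf"}, "doc": {"ole"}, "xls": {"ole"}, "docx": {"zip"},
              "xlsx": {"zip"}, "zip": {"zip"}, "jpg": {"jpg"}, "jpeg": {"jpg"}, "gif": {"gif"}}
# PDF dictionary keys that mean "do something when opened", not just "display text".
PDF_ACTIVE = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile")


def filename_tricks(filename: str) -> list:
    """Tricks that live in the name alone: bidi override, double extension."""
    findings = []
    if RLO in filename or LRO in filename:
        findings.append("bidi override in filename: displayed name differs from real name")
    parts = filename.replace(RLO, "").replace(LRO, "").lower().split(".")
    if len(parts) > 2 and parts[-1] in EXECUTABLE_EXTS:
        findings.append(f"double extension: real extension is .{parts[-1]}, shown as .{parts[-2].strip()}")
    return findings


def sniff(data: bytes) -> str:
    """Identify the content by its leading bytes, ignoring the name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def content_checks(filename: str, data: bytes) -> list:
    """Compare the claimed extension with the bytes, then look inside."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if ext in COMPATIBLE and kind not in COMPATIBLE[ext]:
        findings.append(f"claims .{ext} but content is {kind}")
    if kind == "exe":
        findings.append("Windows executable (MZ header)")
    if kind == "pdf":
        for marker in PDF_ACTIVE:
            if marker in data:
                findings.append(f"PDF has active content: {marker.decode()}")
    if kind == "zip":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            names = []
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("Office document carries a VBA macro project")
    return findings


def triage_attachment(filename: str, data: bytes) -> list:
    """All red flags for one attachment; an empty list means nothing tripped."""
    return filename_tricks(filename) + content_checks(filename, data)


def build_macro_docx() -> bytes:
    """Constructed stand-in for a macro-enabled document renamed to .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples, one per trick.
SAMPLES = {
    "bill.pdf": b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n",
    "payroll.pdf": b"MZ\x90\x00" + b"\x00" * 60,        # PE file renamed to .pdf
    "invoice.docx": build_macro_docx(),
    "statement.pdf.exe": b"MZ\x90\x00",
    "photo" + RLO + "gpj.scr": b"MZ\x90\x00",           # displays as 'photorcs.jpg'
    "receipt.pdf": b"%PDF-1.4\n%%EOF\n",                # plain PDF, should come back clean
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(repr(name), "->", triage_attachment(name, data) or ["no red flags"])
```

The magic-byte table and the PDF marker list are deliberately small; a production gateway would use a full file-type library and parse the PDF object tree rather than substring-search it. The point the script makes is the one the paragraph makes: the name is attacker-controlled, the bytes are not.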



I think my favorite phisher is the one who writes in Chinese, and links to a payment form.  Yeah, like THAT is legit! 

This one, from the Post Office, hits all of the bases. It has a malicious link, AND it warns you it wants to infect your Office too.  I LOVE how "creative" these scammers got with their domain name too. Replace the "s" with a "z"...how original!

Can I Steal Your Log-In? Your Personal Info?

PayPal, Ebay, Amazon, Google, Facebook...the list of valuable log-ins goes on.  I almost NEVER click through an e-mail to log into anything anymore. Instead, I go directly to ebay, Chase, Amazon, etc., and I log in there. Then I go to "My Account" and check for messages or activity.  


This lazy spammer didn't even bother inserting the logo, OR personalizing the "to" address. And the fact I don't use amazon.co.uk is another clue.


This one, from a generic "Help Desk," wants me to just give them ALL of my information, despite the fact they never really tell me who they are.  Which account?  Let me just give you everything, just in case. And yes, I would be interested in buying that bridge too...

The Apple and Google Docs e-mails are also examples of this type of spam.  In fact, a lot of spam crosses categories.

Fake Sales, Points, Rewards, and Memberships

A final category involves mail pretending to "reward" you with something. Often, they pretend to be affiliated with your favorite drug store, grocery, or big box store, a retailer in whose loyalty program you DO participate.  Many of these are petty scams, rather than malware planters. They might want to sell you something that may or may not ever come. 



It may be "affiliate marketing" spam, an e-mail full of affiliate links that will earn the spammer a few pennies per click-through. If they send out 50,000 and can get 100 people to click, they've made an easy $20. But many times, this type of spam falls into one of the other categories as well. You give them your loyalty info so you can get those free 50,000 reward points, and instead, when you go to redeem the $10 worth you've been saving, it's been wiped out.



I still say one of the BEST ways to tell if something is spam is to scroll down to the bottom. If the contact information differs AT ALL from the purported sender's, it's spam. If it looks A LOT like the purported sender's but has a typo or is off by a letter or two, it's malicious spam. And if your webmail program hides the TRUE sender's address, like the AOL screenshot above, either hover over the name or click "show details" to see the actual address.
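The manual checks this post keeps coming back to (mouse over the link before you click, compare the contact details with the purported sender, reveal the TRUE From address, watch for a domain that is off by a letter) can be run against a raw message. The Python script below is an added example and is not code from the original post. The two messages it parses are constructed for the demo; the brand list is a stand-in for whatever brands matter to you, and the domains amaz0n-billing.com and mail-relay.example are made up.

```python
"""Triage a raw e-mail for the tells described in the post: sender headers that
disagree with each other, a From domain that merely resembles a brand, and link
text that points somewhere other than it claims.
Added example, not code from the original post. SAMPLE and CLEAN are constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Stand-in allow-list (brands the post mentions) mapped to a brand label.
BRAND_DOMAINS = {"amazon.co.uk": "amazon", "amazon.com": "amazon", "paypal.com": "paypal",
                 "apple.com": "apple", "google.com": "google", "usps.com": "usps"}
BRAND_LABELS = set(BRAND_DOMAINS.values())
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}  # tiny stand-in for the public suffix list
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def registrable_domain(host: str) -> str:
    """'www.amazon.co.uk' -> 'amazon.co.uk'; 'login.evil.com' -> 'evil.com'."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def domain_of(header_value) -> str:
    """Registrable domain of the address in a From/Reply-To/Return-Path header."""
    _, addr = parseaddr(str(header_value or ""))
    return registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for domains that are 'off by a letter or two'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Brand label a domain imitates ('uspz.com' -> 'usps'), or None when it is a
    genuine brand domain or unrelated. Digit-for-letter swaps are folded and every
    label but the TLD is checked, so 'amaz0n-billing.com' is caught as well."""
    if not domain or domain in BRAND_DOMAINS:
        return None
    for label in domain.translate(HOMOGLYPHS).replace("-", ".").split(".")[:-1]:
        for brand in BRAND_LABELS:
            if label == brand or (len(label) >= 4 and edit_distance(label, brand) <= 1):
                return brand
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: what the mouse-over would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw: bytes) -> list:
    """Return human-readable red flags; an empty list means nothing tripped."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    for hdr in ("Reply-To", "Return-Path"):  # sender headers that disagree with each other
        dom = domain_of(msg.get(hdr, ""))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    if lookalike_of(from_dom):
        findings.append(f"From domain {from_dom} imitates {lookalike_of(from_dom)}")
    for brand in BRAND_LABELS:  # "Amazon" in the display name, but not in the address
        if brand in name.lower() and BRAND_DOMAINS.get(from_dom) != brand:
            findings.append(f"Display name mentions {brand} but From domain is {from_dom}")
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:  # the mouse-over-before-you-click check
        extractor = LinkExtractor()
        extractor.feed(html_part.get_content())
        for href, text in extractor.links:
            host = registrable_domain(urlparse(href).hostname or "")
            shown = DOMAIN_RE.search(text.lower())
            if shown and registrable_domain(shown.group(0)) != host:
                findings.append(f"Link text says {shown.group(0)} but points at {host}")
            if lookalike_of(host):
                findings.append(f"Link host {host} imitates {lookalike_of(host)}")
    return findings


SAMPLE = b"""From: "Amazon.co.uk" <account-update@amaz0n-billing.com>
Reply-To: verify@mail-relay.example
Return-Path: <bounce@mail-relay.example>
To: user@example.org
Subject: Your account has been locked
Content-Type: text/html; charset=utf-8

<html><body><p>Dear User,</p><p>Visit
<a href="http://login.amaz0n-billing.com/verify">https://www.amazon.co.uk/login</a>
to restore access.</p></body></html>
"""

CLEAN = b"""From: "Example Shop" <news@example.org>
To: user@example.org
Subject: Monthly newsletter
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Jane Doe,</p><p>See <a href="https://www.example.org/news">example.org</a>.</p></body></html>
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print("FLAG:", flag)
    print("clean message:", triage(CLEAN) or "no red flags")
```

None of these heuristics is proof on its own: a legitimate mailing service often sets Return-Path to its own domain, and a brand name in a display name is common in newsletters. What they do is surface the same mismatches a careful reader would spot by hand, so that "the address is off by a letter" is caught every time rather than only when someone happens to scroll down.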

ALWAYS check for personalization. In the CVS example, a REAL CVS e-mail would be addressed to me by FULL NAME, as shown on my CVS Card, not by e-mail address.  And I actually have my CVS info stored in RoboForm, and my last 4 digits are NOT 3124.    Most e-mails that start with "Dear User" are malicious in nature. And if your first name and last name are in the e-mail, it just means they were able to harvest that too. Personalization gives the appearance of legitimacy, and is often used in this way.

If it says "Dear User," it's most likely a sham. But just because it says "Dear Jane Doe" does NOT mean it is legitimate. Even mail personalized correctly bears scrutiny.

Just Junk It

Spam happens. In 2017, the only thing you can do to minimize spam is to protect your e-mail address.  Remember, connecting with Facebook does share your e-mail address with the site or app. Take those silly quizzes your friends like to share? Expect a ton of spam in return, and a lot of it malicious.

I still prefer using a separate e-mail client for the added layer of protection against spam. It is difficult to tell what is attached in a webmail program. Often, you must download it to even tell what it is. And many virus scanners will require you to manually scan that download before you open it. (In a separate client, by contrast, your virus scanner scans BEFORE download, which can make a HUGE difference.) "Displaying images" in a webmail client MAY be enough to trigger malware. It is important to run BOTH anti-virus and anti-malware programs on your system, and to be extra careful when viewing e-mails. I do NOT recommend using a "preview" pane in a webmail program, and if you'll notice, most webmail clients disable the preview screen in the junk mail folder. Again, "previewing" or "displaying images" in a malicious e-mail may be enough to trigger the contained malware.

When in doubt, do not click or open. If the e-mail says it's your ISP and they're going to close your account, log into your account on their website to check for issues, or pick up the phone and call.  Train your junk filters by marking spam that lands in your inbox as junk. And do NOT trust your mail program to filter all the spam. In the screenshots above, how many had [SPAM] in the subject line, indicating my spam filter had marked them appropriately?  

Yes, you can forward the shams to abuse@ebay.com or spoof@amazon.com if it makes you feel better, but it will do nothing to reduce your volume of spam. In most cases, you should just delete the e-mail and move on.  If you mess up and click through, follow the advice in our Anatomy of an Amazon Phishing Scam article.

Comments?

Do you get a lot of spam? Do you have difficulties telling scams from legitimate e-mail? Do you have any egregious examples to share? Any stories of phishing attempts? Questions? Let us know in the comments.
