Malware in mails

We are used to the typical malware delivered by mail. These messages usually play on basic human instincts such as lust or greed. How often are we offered pictures of nude celebrities? Incidentally, this could be an excellent way to decide who is currently believed to be the sexiest woman in the world: measure how often each name appears in malware mails, since the writers would normally only use the most attractive ones. Judging from my junk mail, Angelina Jolie has been leading these last weeks.

Often these mails are so rudimentary that even unaware people can spot them; poor spelling and weak grammar are a reliable signature. Nevertheless, I received an interesting one that was better crafted than usual, which is why I looked at it instead of deleting it immediately. It was titled "customs, please read". Here is the text:

Good day,

We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

Kind regards,
Frederick Shepard
Your Customs Service

Of course, the attached file contained a Trojan named BKDR_AGENT.SHH. This Trojan has been known for more than a year and is detected by antivirus products. Nevertheless, from the social engineering point of view, it was a nice piece of work:

  • It presents itself as coming from customs. Customs are official entities, and thus trusted in theory. People are always careful with customs.
  • The address and the fax number were supposedly in the attached declaration form. Thus you would have to open it, which triggers the malware.
  • The sender address was customs_service@bluejeanc.com.tr. It looks very official, and the "bluejean" domain leads one to believe it is a shopping site (it is not).

There is still one error. I am located in France, so why would a parcel sent from France need any customs clearance? The malware writers still have some work to do. But they are making progress.
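As an added example that is not part of the post, here are the social-engineering signals above turned into checks run over a constructed copy of the lure. The attachment name, the list of organisation words and the recipient's country are assumptions chosen for illustration.

```python
# Added example (not the blog's code): heuristic checks for the lure signals
# the post lists. The sample message is constructed from the post's text; the
# attachment name, the ORG_WORDS list and RISKY_EXT are assumptions.
import re
from email import message_from_string, policy

RISKY_EXT = (".exe", ".scr", ".pif", ".js", ".vbs", ".zip")
ORG_WORDS = ("customs", "bank", "tax", "post")
SAMPLE_RAW = """From: Your Customs Service <customs_service@bluejeanc.com.tr>
To: victim@example.org
Subject: customs, please read
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Good day,
We have received a parcel for you, sent from France on July 9. Please fill out
the customs declaration attached to this message and send it to us by fax.
Frederick Shepard, Your Customs Service
--b1
Content-Type: application/octet-stream; name="declaration_form.exe"
Content-Disposition: attachment; filename="declaration_form.exe"

(constructed placeholder, not a real executable)
--b1--
"""

def phishing_signals(raw, recipient_country="France"):
    """Return the lure signals found in a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    name, domain = sender.display_name.lower(), sender.domain.lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    signals = []
    # 1. Display name invokes an official body the sender domain does not belong to
    for word in ORG_WORDS:
        if word in name and word not in domain:
            signals.append(f"claims '{word}' but sent from {domain}")
    # 2. Text pushes the reader to open an attachment, and it looks executable
    if re.search(r"\battached\b", text, re.I) and any(n.endswith(RISKY_EXT) for n in names):
        signals.append("executable attachment the reader is told to open")
    # 3. A parcel 'sent from' the reader's own country needs no customs clearance
    m = re.search(r"sent from (\w+)", text, re.I)
    if m and m.group(1).lower() == recipient_country.lower():
        signals.append(f"parcel allegedly sent from {m.group(1)}, the reader's own country")
    return signals
```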
