A few days ago a few clients reported some phishing emails. Although we all get these quite regularly, this one surprised me as the email managed to get through both Trend Hosted email and also Messagelabs.
I regularly send phishing emails and similar to Messagelabs Support to be added to their database and I also quite regularly send virus files to Trend for addition into their signatures – if they havn’t been spotted by Trend’s AV software.
Let’s face it, 99% of these things are simple to spot, and generally, nowadays, rely on social engineering (or thick users) for their payloads to be activated.
I do think, however, that a swift turn around to acknowledge and block these sites and emails is important, as so many emails are sent out and it only takes one user within a company to potentially ruin everything for everybody.
This is the email:
It’s not very advanced, for sure! Still, I thought I’d have a look at it and see if it is actually dangerous – it did after all, get through a several layers of perimeter security before making it into the inboxes.
Initially, to my shame, I thought the website was simply a virus downloader, since the first thing is does is try and get you to download and install Rapport:
So, I downloaded the file and tested it with the excellent virustotal.com results came back negative, so it seemed like the download really was coming from trusteer.com… However I thought I best submit it to Trend, just to be sure – after all the less of this type of thing that lands in my customer in-boxes, the better life I will have.
I sent them this simple email:
This was downloaded by a client from here:
http://katzmusic.ch/fileadmin/data/alliance-leicester/Customer-login.html
(phishing email)I cannot believe it is NOT a virus
Attached was the zipped up exe file as per their virus submission procedures.
Whilst I waited for a reply, I thought that I would checkout the site in more detail:
This is the main page:
Entering random stuff (as is the way) let’s you through to the data collecting page:
This site is pretending to be Alliance & Leicester, it is asking for all the information required to use your debit cards.
Conveniently, after you enter your details, you are landed back at the real Alliance & Leicester website.
So, this is a blatent and obvious fraud site. Without a doubt this site is attempting to steal. Agreed ?
—–Original Message—–
From: Trend Micro EMEA Anti-Threats Support Team [mailto:trendlabs@av-emea.com]
Sent: 08 July 2011 15:01
To: z
Subject: Re: [EMEA_TL#2011070803000171] VirusDear z,
The latest tests indicate that this website contains no malicious software and
shows no signs of fraud.Please retain the subject heading of this email as it will serve as the incident
ID reference for this incident.Best Regards,
_______________________________________Al
Anti-Threats Support Engineer
TREND MICRO EMEA
“Securing Your Journey to the Cloud”
_______________________________________
Apparently not. I was a little aghast. I would usually expect a ‘thank you’, ‘confirmed’ blah blah ‘next signature’ blah blah etc… So I replied.
Are you serious ?
A site pretending to be a bank, asking for your debitcard details is showing “no signs of fraud” ?
Now, by now this site is obviously very well known. and blocked from access by Sonicwall, Google Chrome & Symantec to name but three. Oh, it’s also blocked by :
Imagine that, so at least if the links make it through their hosted email solution, the desktop AV will stop the users being daft! Yay! Victory!
Today I get another two emails from Trend:
This is an update.
We are currently investigating your matter.
We will update you within a separate email upon further development. This might consist of letting you know about the available deliverables that solve your concern or requesting further details for deeper investigation.
Thanks for your support.
Please retain the subject heading of this email as it will serve as the incident ID reference for this incident.
Best Regards,
And then later in the day:
Good day!
We have re analyze the site you provided:
The latest tests indicate that this site contains malicious software or could defraud visitors
Fraudulent sites that mimic legitimate sites to gather sensitive information, such as user names and passwords
It took over 3 days (and a some awful grammar), but thanks to the quick acting experts at Trend, we now surf in a safer web.
Not a great turnaround in my opinion.
Anybody have a preferred AV provider they want to pimp ?