Intruders Change Their Tactics

Last week’s column ended with a promise:

“Next week we can discuss further issues, such as what course of action to take if an intruder is a dialer. You sure don’t want expensive calls made to porn sites off your computer.”

I’m going to break that promise.

In the last two weeks I’ve received fewer intruders attempting to invade my computer through my email. For months I had been getting 10 to 15 messages a day like the following:

wizard_040204_001.jpg

This is an enticement to open the attachment. It presents itself as a text file but most likely it’s a malicious script that’ll harm your computer.

I wondered why the senders continued the onslaught month after month. Norton caught most of them. The mainstream media has been sounding the alarm so often that people have become reluctant to open attachments.

Then suddenly in the last two weeks the onslaught dried up. Now I receive one or so a day in my Outlook inbox.

I had also been receiving several emails a day by senders pretending to be Microsoft:

wizard_040204_002.jpg

I wondered why this onslaught continued month after month. Microsoft was actively pursuing the senders. Besides, Norton was deleting the vicious scripts and the public had to know that the message wasn’t from Microsoft.

Apparently the senders did give up. I haven’t received a Microsoft spoof in a week.

That doesn’t mean all is well. It just means the intruders are preparing new tactics. And indeed they have already begun. To my surprise, in the last week Norton has failed to intercept attachments I am almost certain are malicious scripts. I’m not about to open the attachments and see what they do.

Here’s an example:

wizard_040204_003.jpg

Everything about this email smells bad. The return address. The word ‘dear’ before the attachments. The introduction ‘Hi’. I have no knowledge of the address the so-called DAEMON couldn’t find. And so on.

I don’t know why Norton didn’t intercept these scripts. The creators of these vicious intruders apparently figured out Norton’s algorithm for deleting attachments and figured a way around it. In the last couple days there have been two more suspect attachments that have slipped by Norton.

Here’s my rule on opening attachments. If my cousin has emailed me several times about the coming birth of a grandchild, and then I get an email from him with a bunch of attachments he says are photos of the newborn, I’ll view them without opening them. If they’re really photos, then I’ll save them.

How to view an attachment without opening it up? With a product called QuickView Plus. Rather than tell you about it, visit its manufacturer at http://www.avantstar.com

The latest version costs $35.00. Probably less at a large store. Weigh that against catching a macro virus or some other malware that’ll make your computer unbootable.

If I receive an attachment from somebody I know, I’ll email or call the sender and ask if he or she sent it. In a few cases I’m more lenient than I should be. If I get an attachment from Jack Wheeler, I’ll save it to disk and view it with Quick View before verifying that he sent it.

If I receive an attachment from someone I don’t know personally, I’ll probably just delete the email. The companies I deal with, including Microsoft, don’t send unsolicited attachments.

Intruders are trying new tactics. I’ve gotten several emails like the following in the last week:

wizard_040204_004.jpg

Notice that Norton has deleted the attachment. The sender’s message should make you suspicious. “Authentication required”. Anything you really need to authenticate you would know is coming. For example, if you joined a new forum. The sender’s claim that no virus was found smells bad. There’s still a threat. The link. You’d be a fool to click it. Dollars to doughnuts that upon opening, the site would insert malicious cookies in your documents and settings folder. The site will make enticing claims, encouraging you to click further. With each click you run the risk of additional cookies, scripts, controls, or registry entries being placed on your computer.

Worse yet, what appears to be a web link may be a worm. If you click it you won’t be taken to a web site at all; you’ll unleash a short script that’ll harm your computer. I could tell you how to see whether it’s a script. But I won’t; it’s too risky if you’re not an experienced computer user. Whether the fragment is a link or a script, it’s dangerous.

New tactics include ‘spoofing’. Spoofing is when someone on the internet is pretending to be somebody else. As far as email is concerned, it’s quite easy to fake an email address. If it’s an address from which you regularly receive email, your guard may go down. I belong to a list that sends information on the Israeli-Arab conflict. It’s called Freemanlist.

A few days ago I received the following:

wizard_040204_005.jpg

When I received the email I was immediately suspicious. Freemanlist doesn’t normally send attachments. The cartoon would be in the body of the message. The message itself is short and lacks detail. Freemanlist emails are usually verbose.

I deleted the message.
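
The warning signs described in this column (a sender that may be forged, an attachment posing as a text file, a link that is not what it appears to be) can be checked without opening anything. The following is an added example, not part of the original column: a Python sketch run over a constructed message, in which the addresses, the file name and the `domain` and `triage` helpers are assumptions made for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message, not one of the emails shown in the column.
SAMPLE = """\
From: Newsletter <list@newsletter.example>
Return-Path: <bounce@mailer.invalid>
Subject: cartoon
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Hi, <a href="http://203.0.113.9/login">http://www.newsletter.example/cartoon</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="readme.txt.pif"

TVo=
--b1--
"""
RISKY_EXT = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js"}
# Simplified anchor matcher, adequate for triage of double-quoted href attributes.
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain(header_value):
    # Domain part of an address header, or "" when the header is absent.
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(raw):
    # Returns a list of warning strings; an empty list means nothing was flagged.
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    # A differing Return-Path is a hint, not proof: real lists often bounce elsewhere.
    if domain(msg["Return-Path"]) not in ("", domain(msg["From"])):
        flags.append("sender-mismatch")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        _, dot, ext = name.rpartition(".")
        if dot and ext in RISKY_EXT:  # the last extension decides what runs
            flags.append("executable-attachment:" + name)
        if part.get_content_type() == "text/html":
            for href, text in LINK.findall(part.get_content()):
                shown = urlparse(text.strip()).hostname
                if shown and shown != urlparse(href).hostname:
                    flags.append("link-mismatch:" + href)
    return flags
```

A message that raises no flags is not thereby safe; the checks only make the obvious disguises visible before anything is opened.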

In summary, the Internet is a dangerous place. One vicious intruder can ruin your whole day. Be very careful about attachments. Buy Quick View. Take the time to double-check with even trusted associates that an attachment is authentic.

Next week I hope to return to our step by step guide to safer computing.

Dennis Turner

Hold the press! Just after I sent this week’s column to Jack, I received a new email. Its subject was ‘Office XP’. When I selected it, a sentence appeared, “The message is loading.” I don’t have a screen shot for you because I immediately deleted the message. That’s not sufficient. I right-clicked the deleted items folder and selected ‘empty the deleted items folder’ to permanently remove the message from my computer. Then I immediately turned my computer off, rebooted, and started up Norton AntiVirus for a full system scan.

Who knows what was loading? Most likely a long vicious piece of code. Respectable organizations do not ‘load up’ a presentation without your permission. Furthermore, if they ask your permission, delete the email immediately. A responsible organization invites you to their web site on which you can watch a presentation.

This is the first time I’ve seen this tactic.

Fallujah Delenda Est.