Almost daily we see new schemes launched by online criminals to defraud you of your money, your identity, or both. Many of the scams have been carefully shrouded within encoded unsolicited email (aka spam), hidden in spyware, zombies or viruses, and now even in perfectly innocent-looking email masquerading as legitimate mail. For all intents and purposes, these threats do not affect Mac users beyond the nuisance they cause in the mailbox. But be vigilant. With Apple's new popularity growth from both the iPod phenomenon and frequent appearances on TV and in movies, the UNIX underpinnings of OS X (its Achilles' heel) will likely become a target for evil-doers at some point.
Probably one of the best ways to stay informed is a subscription to the InfoManager. In that column we try to release the latest information about viruses, worms, and new online frauds as they appear. You can read MUG InfoManager online, or subscribe to the plain ASCII text newsletter sent each and every Monday morning.
Of note for Mac users is the "Safe Net" department of the Association of Apple Computer Users (AACUG).
As previously noted, Mac users have little to fear from viruses and worms for the time being. However, they are very vulnerable to the fallout from viruses and worms. In reality, many of the techniques now employed by online criminals will be more damaging than a virus or a worm.
In January of 2003 we reported on an emerging technique nicknamed phishing. Phishing attacks rely on spoofed messages that are made to appear to come from retailers, banks and other legitimate businesses in an effort to get recipients to divulge their credit card data and other personal information. It's probably one of the most important types of spam to be aware of. Here's how it works:
The spammer has cleverly forged all the email headers to look as if the email came from Amazon, PayPal, eBay or others. It's written like a legitimate email, but the "secure link" it offers doesn't go to the address displayed in the email; it goes instead to a third-party CGI script or JavaScript that has been encoded in the HTML mail. These scripts execute and take you to a web page that looks exactly like the spoofed company's site, where you key in your ID and password. Bam -- they now have access to your account, your credit card information, ID and password.
At that point, they enter your account and begin setting up bogus auctions, sales, purchases or what have you. From that account they move on to infecting other accounts. Your account is now doomed.
Last February, the Anti-Phishing group reported that unique spoofed or "phishing" attacks increased 52% in January, and that of the millions of phishing emails sent, some 5% of the recipients actually responded or followed the instructions. (Reference)
Most recently, two viruses have been noted as carriers of third-party or indirect phishing. Here's how it works:
The virus infects a Windows machine. It reads the owner's email address book and begins propagating itself by sending email to those addresses with the virus embedded. The email is cleverly written as a 'mail merge' using the recipient's domain or ISP as the sender, and it encourages you to click on either the link to the ISP or the link to the "password"-protected patch for the virus. When the recipient clicks the patch link, the machine executes the virus. When the recipient clicks the ISP link (encoded in the HTML), it reports the live email address, the user's address and the user's ISP/domain to another, third party. We have been unable to track these third parties because by the time we chase them down, they're gone. These criminals obviously rely on the first wave of responses, then quickly delete the account and move on.
Example: I get hundreds of these each week. The email is addressed to my legitimate email address, but the forged headers say it was sent by "Manager" at my domain. It's so cleverly written that it is even signed "Support at user-groups.net" and signed by the webmaster@user-groups.net. Of course I know better because there are no manager or webmaster addresses at user-groups.net. So the perpetrator is "fishing" for a lead. If I click to reply, and follow their instructions, they got me.
The worst spin-off of this technique is resulting in hundreds of "bounces" where the virus is attempting to send the very same mail to other addresses in the infected PeeCee's address book. So hundreds of email addresses are getting mail from manager @ user-groups.net which bounce back to me. The real killer is -- those bounces also carry the virus. I've had calls from all around the world asking if I sent the email. One upset gentleman called from Chile accusing me of crashing their whole system. Of course the virus didn't come from me, but rather someone on Windows who just happened to have my email address in their address book. It's sick, it's evil, there's absolutely nothing I can do about it and it shows no signs of slowing down.
First: If you don't have an eBay, PayPal or other account mentioned in the email, then simply ignore it and delete it. If you are particularly civic-minded, then report it to the appropriate authority at the spoofed domain. (Most people just don't want to be bothered; their heads are in the sand. That's why anti-spam programs are profiteering.)
Understand HTML Mail - If you use Eudora or another reliable email program, simply turn off HTML viewing. You'll see these evil emails naked, where they can't shroud their links.
Look in the header of the email and you'll find several characteristic elements: the "Return-Path:" and "Received: from" lines. There may be several "Received: from" entries. The first one should agree with the "Return-Path:", the "Sender:" and the domain cited in the email. If it does not, then it's a forgery.
Look in the body of the email and see if there's a link listed. Look for "a href=", and following it will be a domain. If the address after the "http://" is not the domain of the company the email claims to be from (i.e. paypal.com, ebay.com, etc.), then it's likely a forgery.
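As an added example (not part of the original article), the script below applies the header and link checks just described to a constructed sample message. The sample, its domain names and the helper names are all made up for illustration; it compares the earliest "Received:" hop (the bottom-most line, which is the one added first), the Return-Path, Sender and From addresses, and every "a href=" target against the domain the mail claims to come from.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): a forged "PayPal" mail whose Return-Path
# and originating hop sit on another domain and whose link goes to a third party.
FORGED = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.net (mx.example.net [192.0.2.10]) by mail.user-groups.net
Received: from host12.example.net (host12.example.net [192.0.2.11]) by mx.example.net
From: "PayPal Security" <service@paypal.com>
To: editor@user-groups.net
Subject: Please confirm your PayPal account
Content-Type: text/html; charset="us-ascii"

<html><body>Click <a href="http://secure-login.example.net/cgi-bin/pp.cgi">here</a>
to verify your PayPal account.</body></html>
"""

def base_domain(host):
    """mx.example.net -> example.net (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def addr_domain(header_value):
    """Base domain of the first address in a header value, or '' if there is none."""
    addr = parseaddr(header_value or "")[1]
    return base_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""

def check_message(raw, claimed_domain):
    """Return 'check: detail' findings for a single-part mail; [] means no mismatch."""
    msg = email.message_from_string(raw)
    claimed, findings = base_domain(claimed_domain), []
    for name in ("Return-Path", "Sender", "From"):
        dom = addr_domain(msg.get(name))
        if dom and dom != claimed:
            findings.append(f"{name.lower()}: {dom} is not {claimed}")
    # Received headers are prepended hop by hop, so the last one listed is the
    # server that first accepted the message; it should sit in the sender's domain.
    received = msg.get_all("Received") or []
    hop = re.match(r"from\s+([\w.-]+)", received[-1].strip()) if received else None
    if hop and base_domain(hop.group(1)) != claimed:
        findings.append(f"received: originating hop {hop.group(1)} is not {claimed}")
    body = msg.get_payload(decode=True).decode("ascii", "replace")
    for href in re.findall(r"""href\s*=\s*["']([^"']+)""", body, re.I):
        if base_domain(urlparse(href).hostname or "") != claimed:
            findings.append(f"link: {href} points outside {claimed}")
    return findings
```

Running `check_message(FORGED, "paypal.com")` reports the Return-Path, the originating hop and the link, which is exactly the three-way disagreement the checks above are looking for.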
If all of this seems too much to deal with, then simply:
As I mentioned before, one of your best resources will be the InfoManager, because we report on events and developments as they break. Unfortunately, there have been several hundred articles on the subject since January and it's all but impossible to keep up with them all.
See: InfoManager
Elsa Travisano*, Listmom for the AUGD discussion list, sent out a plea last week for information pertaining to the new generation of viruses and worms.
Elsa said:
"... several members have voiced their concern and alarm about the latest email viruses and spoofs. Especially disturbing to many was the recent wave of virus-containing emails that appear to have been sent from the member's account. Have you found any good Mac-specific links on the web that cover these issues in easily understandable terms? Or perhaps your group has an article or column on your group's website or in your newsletter on the subject."
While none of the latest viruses and spoofs cited are actually new, other listees responded with some valuable input:
M. Schoenfeld wrote:
"Patrick Douglas Crispin* has a good PowerPoint presentation entitled "Viruses, Cookies, and Spam ... Oh, My! How to Protect Your Computer from the Internet Nasties and How to Fix What's Bugging You on Your PC or Mac" (1.66 MB PowerPoint)"
Schoenfeld notes that Crispin's presentation is free provided you do not make any money from it and you give credit to netsquirrel.com.
Schoenfeld also cites two more good references: MacDevCenter's Security Primer for Mac OS X by François Joseph de Kermadec, and MacZealots' three-part tutorial on "Complete Mac Security". Schoenfeld is from the MacsWest MUG.
Paul Richards, another MUG frequenter of the list, followed with some information on PayPal and eBay spoofs. You'll remember that InfoManager reported both of these and many others last year.
Paul says:
My best advice to anyone is:
For eBay you can go to their Security Center using the link at the bottom of their home page, or go straight to their "spot the spoofs" tutorial and reporting page. The tutorial is pretty good. You can also FORWARD the suspect eBay e-mail to spoof@ebay.com and wait for a response before you take any action. If it is a spoof, you will get a reply telling you so. If it is legitimate, they will tell you that too.
PayPal has somewhat similar resources at the Security Center link from their home page. They also have an eCommerce Safety Guide PDF there that's pretty good.
Richards also cites related resources that are "pretty good":
* Elsa Travisano is President of MUG ONE, the Macintosh User Group of Oneonta, NY
* Patrick Douglas Crispin is one of the editors of the ever-popular internet newsletter called the Internet Tour Bus at TOURBUS.com