In my last diary[1], I gave an example of anuncommon spam message. But attackers have always new ideas to deliver their malicious content to us. Here are two new examples. October being the Cyber Security Awareness month[2], more examples are always welcome.
The first one was delivered as an NDR message (Non-Delivery Receipt">
From: Bounced mail To: handlers@isc.sans.eduSubject: Mail System Error - Returned MailDate: Fri, 21 Oct 2016 22:08:23 +0530X-Priority: 3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000Message-Id: 20161021163820.8819C40060@isc.sans.orgX-Envelope-To: UNKNOWNX-Loop: handlermailYour message was not delivered due to the following reason(s):Your message could not be delivered because the destination server wasnot reachable within the allowed queue period. The amount of timea message is queued before it is returned depends on local configura-tion parameters.Most likely there is a network problem that prevented delivery, butit is also possible that the computer is turned off, or does nothave a mail system running right now.Your message was not delivered within 1 days:Server 32.80.249.78 is not responding.The following recipients could not receive this message:Please reply to postmaster@isc.sans.eduif you feel this message to be in error.
Attached to this mail, a malicious ZIP file with a .pif" />
The link points tohxxp://thekchencholing.org/.https/www/sharepoint.com/sites/shareddocument/SitePages/Home.aspx/index.php?wreply=YW5keS5nZXJhZXJ0c0BjZWdla2EuYmUN (the site has been cleaned up in the meantime). SharePoint is a common Microsoft tool used in big organizations and people could be lured by this kind of message.
Most spam campaigns are easy to detect but some messages, when properly redacted, may lure the victim easily. We are never far from an unfortunate click. Stay safe!
[1]https://isc.sans.edu/forums/diary/Spam+Delivered+via+ICS+Files/21611/
[2]https://www.dhs.gov/national-cyber-security-awareness-month
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.