Any human with an email address likely has gotten thousands of spam messages that look like delivery notifications, invoices, or other alleged communications from shipping companies such as UPS or DHL. They typically contain malicious attachments with exploits for a browser or plug-in vulnerability, but a researcher at the University of Cambridge has run across a novel twist on this kind of spam that turns out to be a completely different kind of attack.
The email that Richard Clayton of the university’s computer lab security group analyzed is a pretty convincing forgery of a DHL email. It has the correct branded logo on top and, unlike most messages of this kind, doesn’t feature broken English or dozens of grammatical errors. It informs the recipient that his package has been delivered to the local post office and he needs to download and open an attachment.
While many emails like this contain a PDF or Word document with an exploit for a known–or in rare cases, zero day–vulnerability, this one is different. When opened, the PDF comes up as a blurred screen with a message telling the user that the document is “secured” and he must visit a special link in order to see the complete file.
“Once again, anyone expecting malware related activity at this point will be disappointed: the click then took you to a run-of-the-mill DHL impersonating website where the victim would have entered their credentials… in practice, these sites often collect email addresses and email passwords, so they’re often more of an attack on mail providers rather than DHL,” Clayton said in a blog post explaining the attack.
That is a long way to go in order to execute a simple phishing attack. But, as users and email security systems have become more adept at spotting phishing emails, the criminals have had to adjust their tactics. Now, much of the effort goes into just getting the email past filtering systems and into the user’s hands, where it can do some damage.
“At present, the most that an email handling company will do with this email is to check that the PDF is well-formed and doesn’t contain known-malicious constructs (and the least is that it will be ignored altogether and passed through). So the presence of the URL will not be detected and the email will be delivered,” Clayton said.
“Of course blacklisting the phishing site might cause the browser (or a toolbar) to throw up a warning to the user — but at a pretty late stage in the process when many will have pretty much made up their mind to view the “secure document” no matter what (recall my recent post about the high percentage of people who clicked through a Microsoft warning).”
The fake DHL message also includes a line at the bottom encouraging the recipient to move the message to his inbox if it happens to end up in a spam folder. Many legitimate emails from sites and mailing lists contain a similar line, but this isn’t simply another feint. Instead, it’s a way for the attacker to trick the email filtering system into trusting the sender. If the user moves the message from a junk folder into his inbox, it will alert the filtering system that it made a mistake in quarantining the email.