The IRS did not send you this.

The recent increase in BOT generated spam is VERY good at social engineering, and while fortunately most of it can be blocked using very simple spam protection rules, unfortunately the payload can be VERY painful, eg RansomWare or CryptoLocker pay loads, or links to those payloads.

The most recent iteration might scare people into clicking on the attachment. Most of these are in either .doc style documents with hidden macros, links, or javascript, or with encrypted payloads. And there are two reasons that virus protections are not always enough to thwart it.

Technology has reached a point where the hackers can change payloads faster than virus checkers can keep up, as well as the actual damaging part may not actually be in the email, but simply ‘pulled’ from a remote (ever changing) site/server.

But this one is scary enough to convince many ordinary people to click on the attachment even if it is in their Spam folder, so worth writing an article.

Surprising, local North American ISP(s), even the well run ones are heavily responsible for the propagation of this MalWare. For instance, in todays reports we see a very high number of these originating from Comcast Static IP(s).

A typical message starts out like this:

Subject: Fw: IRS email for (yourdomain)

The contents say simply..

“We just received this from IRS.”

But of course it came from ‘accounting@yourdomain.com’. You as the CEO would very likely click on this (the .zip attachment) if it came into your inbox.

Now, of course it would be best if these static IP(s) that aren’t email servers would be blocked before they ever leave Comcast’s network, but this message could (and has) come via email relays and legitimate email servers that still allow for relaying from their local networks (a habit everyone should stop doing, otherwise your legitimate emails might get affected when you send spam).

But even if it gets out the network, it should be easy to stop.

Typically these emails arrive at the email server already pretending to be ‘accounting@yourdomain.com’. Most email servers should be configured NOT to accept inbound unauthenticated email pretending to be from one of your accounts.

But because of legacy problems, sometimes this is not yet possible globally. But it sure should be classed as more spammy.. In the following example, assume everywhere it says spamauditor.org, that when you get one, that is YOUR domain.

Return-Path: <accounting@spamauditor.org>
Received: from 173-14-235-194-utah.hfc.comcastbusiness.net (HELO spamauditor.org) (173.14.235.194)
Message-ID: <56AFB2AE.208D7857@spamauditor.org>
Date: Fri, 09 Sep 2016 05:58:45 +1200
Reply-To: "accounting@wizard.ca" <accounting@spamauditor.org>
From: "accounting@wizard.ca" <accounting@spamauditor.org>
X-Accept-Language: en-us
MIME-Version: 1.0
To: <you@spamauditor.org>
Subject: Fw: IRS email for wizard.ca 
MIME-Version: 1.0

Now, it is pretty easy for email servers (or spam protection) to determine that much of that message is forged. It is also pretty likely that the naming convention of the source IP address isn’t really an email server. (if it does have one the administrator would normally name it according to their company, not ComCast)

It only gets tricky if you have Spam protection turned off, or it is relayed via a legitimate email server, or maybe forwarded for real 🙂

So what is causing this? Well, with the IoT (Internet of Things) it could be almost anything that lives behind that IP Address (eg, your smart fridge, smart TV, home wireless router), but in some cases it actually could even be the hardware that your ISP supplied to give you access. There have been several well publicized cases of the actual CPE (Customer Premise Equipment) actually having vulnerabilities that hackers can take advantage of.

This particular BOT is probably the same ones used to send you fake invoices, fake voice mails, fake inventory reports, all with the same type of attachments.

What can you do? Well, make sure that you have Spam protection enabled by your ISP or email provider. And you ‘should’ also have a local virus checker installed in your personal machines. Keep hardware devices updated of course.

But most important, DO NOT OPEN the attachment no matter how legitimate sounding the email is, and even if it ‘appears’ to be from someone you trust, unless you have a virus checker in place on your device. But of course, that doesn’t always seem logical, especially when you do expect documents, zip files, and other attachments legitimately.

In the mean time, we need to hope that ISP’s also clamp down on what is leaving their networks. If we can stop it at the source, it won’t be effective for the hackers to do.  But with millions of vulnerable IP(s) at their disposal, this is a formidable threat.  For example.. just a small snapshot.. (Now, this isn’t specific to ComCast, they have a lot of IP Addresses, and there are a lot worse companies.  And they are good about using a standard naming convention that can help identify what the IP Addresses are used for.)

50.76.185.222                6 50-76-185-222-static.hfc.comcastbusiness.net 
50.192.72.182                8 50-192-72-182-static.hfc.comcastbusiness.net 
50.201.219.94                5 50-201-219-94-static.hfc.comcastbusiness.net 
50.204.13.242                7 50-204-13-242-static.hfc.comcastbusiness.net 
50.232.120.182               7 50-232-120-182-static.hfc.comcastbusiness.net 
50.241.106.121               7 50-241-106-121-static.hfc.comcastbusiness.net 
50.249.107.213               6 50-249-107-213-static.hfc.comcastbusiness.net 
50.253.41.57                13 50-253-41-57-static.hfc.comcastbusiness.net 
50.254.214.190               5 50-254-214-190-static.hfc.comcastbusiness.net 
96.88.72.177                12 96-88-72-177-static.hfc.comcastbusiness.net 
173.15.75.117                5 173-15-75-117-Illinois.hfc.comcastbusiness.net 
173.161.41.38                5 173-161-41-38-Illinois.hfc.comcastbusiness.net

There are a lot worse places around the world, and a lot of ISP’s have CPE equipment that was part of the large scale compromises.

And if you operate an email server, use RBL’s designed to list generic dynamic and static IP Ranges, and make sure your filter treat any vulnerable attachment coming from generic ‘static’ IP assignments just as suspicious as if it was a dynamic IP Address.

Has .zip|.doc and comes from a generic naming convention (static), treat with suspicion.

 

This entry was posted in Informative and tagged , , , , , , , . Bookmark the permalink.

Leave a Reply