New Spamcop Phishing

[mgolden]

[edit] Links broken - all still alive at time of checking.

The distribution method is normal for Google Groups (click the link and download the zip). I submitted one of those files to virustotal:

File size: 136966 bytes

MD5 : f5dd55f1889a864e71315c69e7cdfcb4

SHA1 : 7d8238e6bfa69d109c8030b24c7b4cb6bf813062

Result: 13/40 (32.50%)

Mostly identified as Gen:Variant.Renos.26 trojan horse, Virtool.Win32.Obfuscator.ha!a (v), etc.

"VirTool:Win32/Obfuscator are detections for programs that have had their purpose obfuscated to hinder analysis or detection by anti-virus scanners." - http://www.microsoft.com/security/portal/T...dia/Browse.aspx

Yep, yet another attempt at assimilation.[/color]

I submitted one of the setup.zip attachments that are coming in every few minutes to virustotal. It had a 22/41 hit with most identifications being FakeAV.

I've got the SpamCop email A/V option enabled but it NEVER catches anything. Any ideas as to why?

[dbiel]

I am begining to think that Cisco/IronPort/SpamCop could care less about the Spamcop Phishing email that keep going out. There is absolutely no reason why any mail with an attached zip file and bearing the key words that would flag a phishing attempt should be getting into our in boxes unless spamassassion has been turned off or white lists are being used. To think that these phishing emails are getting spamAssassin scores of under 5 tells me that nobody is minding the store at SpamCop.

[Farelf]

I submitted one of the setup.zip attachments that are coming in every few minutes to virustotal. It had a 22/41 hit with most identifications being FakeAV.

I've got the SpamCop email A/V option enabled but it NEVER catches anything. Any ideas as to why?

The purpose of virustotal is to try enough AV engines to *almost* guarantee detection by some of them if it really is a viral load (and to alert the others that they need to extend their detection). But, sadly, no single product can be relied upon to catch most early-issue viruses/downloaders, etc. I don't know what the SC email uses for AV but the viruses can be trivially modified so easily to stay in front of signature detection that almost any AV is going to be fairly-well useless against the leading edge of an attack.

The key, as dbiel suggests, might be some custom work on the SpamAssassin keywords and so-on (especially if the attack mail is supposed to look 'official', therefore some words are going to be nigh-on unavoidable). I don't know how feasible that might be (but it's not happening).

If you're getting these things in your in-box every few minutes then the situation is really serious.

[michaelanglo]

I've got the SpamCop email A/V option enabled but it NEVER catches anything. Any ideas as to why?

The SpamCop webmail A/V was altered some years back to silently discard anything it found.

This followed a period where floods of notification emails were just as much trouble as the viruses themselves.

SpamCop webmail tried restoring the notification at least once but the flood problem proved intractable.

So if any viruses are being caught by SpamCop mail, sorry, you are not told.

[StevenUnderwood]

The SpamCop webmail A/V was altered some years back to silently discard anything it found.

This followed a period where floods of notification emails were just as much trouble as the viruses themselves.

SpamCop webmail tried restoring the notification at least once but the flood problem proved intractable.

So if any viruses are being caught by SpamCop mail, sorry, you are not told.

In fact, I'm not sure you can turn it off. I don't think the switch does anything at this point.

[petzl]

In fact, I'm not sure you can turn it off. I don't think the switch does anything at this point.

Some years ago JT turned it/notification off by default (the "switch" does nothing)

never been told it is back on (and don't want it on, as it is a pest)

[pilgrim1]

Hi Folks,

Not that I think for a second anyone would be fooled by this, I just wondered if anyone else has being seeing these type of emails lately. They seem to be dripping at an ever increasing rate into my Spamcop account in recent days:-

The come in with following of Subject :-

setting for your mailbox intramore[at]spamcop.net are changed

I've also seen

settings for your mailbox whitefort[at]spamcop.net are changed

and various others.

The purport to come from From:

"spamcop.net support"

And the body contains the following :-

SMTP and POP3 servers for intramore[at]spamcop.net mailbox are changed. Please carefully

read the attached instructions before updating settings.

http://mamapapabrat.googlegroups.com/web/setup.zip

Hmm, setup.zip, must be OK, I'll be downloading that then

For anyone interested, if you are fool enough to follow the link (no I wasn't) it takes you to a Google groups page with a download link on it. should you be really hard of thinking and click this link, it will in turn attempt to download the following virus :- (from a URL so long it's not worth posting and possibly generated in real time)

Trojan.Win32.FraudPack.avmz

According to Kaspersky and is helpfully listed as "Performs potentially dangerous activity" and seems to be the usual :- bot conrol, zombie, master of the universe type of stuff.

The spamcop header for this one looks like this :-

Return-Path: <spirits7[at]redwordsaid.com>

Received: (qmail 4832 invoked from network); 9 May 2010 02:40:36 -0000

X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7

X-spam-Level: **

X-spam-Status: hits=2.9 tests=DOS_OE_TO_MX,RDNS_NONE,STOX_REPLY_TYPE

version=3.2.4

So there you have it, well worth the read.

Regards

CC

[live link broken]

[Farelf]

Precisely the same discussed above

Ok, I suppose that thread is getting a trifle long and mentions many different types, but I think I will merge these anyway.

[pilgrim1]

Precisely the same discussed above

Ok, I suppose that thread is getting a trifle long and mentions many different types, but I think I will merge these anyway.

Hi Farelf, sorry I didn't see this in the thread, wood and trees and all that, apologies, just trying to be helpful.

Regards

CC

[mgolden]

http://mamapapabrat.googlegroups.com/web/setup.zip[/b]

Yea, the mamapapabrat version came in all weekend long. It's obvious no one is manning the abuse desk at Google Groups on the weekend and the hackers obviously know it.

Here is my up to date list of links since my last post:

Friday:

hxxp://groups.google.com/group/ecd112

hxxp://groups.google.com/group/bkaboy

Saturday & Sunday

hxxp://groups.google.com/group/mamapapabrat

Today

hxxp://groups.google.com/group/mimozkaa

hxxp://groups.google.com/group/iglaaa

hxxp://groups.google.com/group/smogggly

hxxp://groups.google.com/group/partersss

hxxp://groups.google.com/group/zippiiix

hxxp://groups.google.com/group/creterx

hxxp://groups.google.com/group/tacumbex

hxxp://groups.google.com/group/mozilloid

hxxp://groups.google.com/group/craterx

hxxp://groups.google.com/group/creterx

hxxp://groups.google.com/group/perlox

hxxp://groups.google.com/group/morozx

hxxp://groups.google.com/group/tacumbex

hxxp://groups.google.com/group/traxers

hxxp://groups.google.com/group/zeraxer

All reported to Google abuse, for what good it will do.

Edit. Just checked. All these links are still active. Even the ones reported Friday.

[Farelf]

Hi Farelf, sorry I didn't see this in the thread, wood and trees and all that, apologies, just trying to be helpful.

Yep, understand that and your efforts are appreciated.

Yea, the mamapapabrat version came in all weekend long. It's obvious no one is manning the abuse desk at Google Groups on the weekend and the hackers obviously know it.

...

All reported to Google abuse, for what good it will do.

Edit. Just checked. All these links are still active. Even the ones reported Friday.

Yes, perhaps it is as hypothesised before - it may take a certain critical mass of reports to get the take-down fast-tracked - otherwise some regular and slower verification process is invoked. I guess some other reporters are running out of steam. But if no-one reports they never get kicked off.

We've seen Google Groups and other services abused before. Eventually the service gets on top of the abuse and the spammers look for an easier target. Until next time. Part of the evolutionary/'product cycle' process which we must endure. Since these are (as yourself, pilgrim1 and I have verified) actual zombification-type exploit attacks with the potential to degrade the internet even more it seems remiss of GG not to adopt a greater sense of urgency. Yet 'they' (owners) never do. :angry:

[MyNameHere]

I wonder if reporting this spam/virus scam to the AV vendors instead of to Google would get any more traction? I would think that someone spreading malware would be of interest to McAfee, Symantec, AVG, and so on.

They might be able to influence Google into taking some action.

?

[dbiel]

I also have received the same new phishing attempt. But what bothers me is why no one at SpamCop has done anything to keep them out of our inboxes. Even I could build a simple filter that would deal with most of these as there are more than enough common pieces of info like a .zip file attached, from: spamcop.net support, But then again, the personal filters at SpamCop do not run if you are using IMAP or POP to access you SpamCop.net mail. So the only assumption I find possible to draw is that nobody at SpamCop gives a damn about doing anything about the ongoing SpamCop Phishing attempts. If they did, we would be finding them in our held mail folder, not in our inbox.

edit

After looking in my heldmail folder (I very seldom check it anymore) I find a lot of phishing emails there, so maybe my previous post was a bit too harsh.

[MyNameHere]

I also have received the same new phishing attempt. But what bothers me is why no one at SpamCop has done anything to keep them out of our inboxes.

<snip>

edit

After looking in my heldmail folder (I very seldom check it anymore) I find a lot of phishing emails there, so maybe my previous post was a bit too harsh.

Yep, most of them are in my Held Mail, too. A few in the Inbox. It's just that there are so many--you don't realize how many until you look in the Held Mail.

Which leads me to another question. I suppose it doesn't cost the spammer/hacker very much to spew these out, but how many "hits" can they be getting? Are they doing this just to annoy us?

Is this something they're doing just to SpamCop or is it other mail service providers, too? I haven't seen it on my Hotmail or Gmail or ISP accounts so far.

[Farelf]

I wonder if reporting this spam/virus scam to the AV vendors instead of to Google would get any more traction? I would think that someone spreading malware would be of interest to McAfee, Symantec, AVG, and so on.

They might be able to influence Google into taking some action.

If you submit samples to VirusTotal the signature gets passed to any other participating AVs who want to update. Seems not all do. Not sure Google takes much notice of anybody but that's probably unfair.

...Are they doing this just to annoy us?

Is this something they're doing just to SpamCop or is it other mail service providers, too? I haven't seen it on my Hotmail or Gmail or ISP accounts so far.

As commented back in an earlier response this does not seem unique to SC mail accounts. Hotmail and Gmail probably do a better job of filtering and silently dropping anything sent to those accounts. One of the reasons the total volume of spam is pretty much an unknown - like "If a tree falls in a forest and nobody hears it ...?"

[MyNameHere]

Thanks, Farelf. Sorry I missed the earlier post that covered both of my questions. I skimmed a little too quickly.

But I want my mail service to let me decide what is junk and what isn't, so I'm glad SC keeps all of it (except those with virus loads attached). No matter how good an automated system is, it will occasionally "execute" some "innocent" emails.

[dra007]

This may be unrelated but I am getting an unusual high number of e-mails requesting me to inspect attachments. Fortunately they get identified tagged removed to the virus collection and defanged by my postini filter, this is a cute example...but I have seen as many as 1-200 a day of these poining to various sources and having various type of malware attached even though the content seems identical (they must love me):

Received: from source ([90.211.253.112]) by exprod7mx251.postini.com ([64.18.6.11]) with SMTP; Tue, 11 May 2010 12:10:43 EDT

Received: from 90.211.253.112 by dev.null; Tue, 11 May 2010 17:10:37 +0000

To:

X-Mailer: Microsoft Outlook Express 6.00.2900.2180

X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.2180

X-Msmail-Priority: Normal

X-PSTN-Levels: (S: 1.83648/99.90000 CV: 0.0000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )

X-PSTN-Neptune: 17/16/0.94/86

X-Priority: 3

X-Pstnvirus: PSTN-MalwareDetection

Date: Tue, 11 May 2010 17:10:37 +0000

From: "Katheryn Lundy" <darrenoi371[at]HomeSoul.com>

To: <unknown[at]pitt.edu>

Subject: New resume.

Please review my CV, Thank you!

Question is why would I even want to review anyone's cv?

[Farelf]

...This may be unrelated but I am getting an unusual high number of e-mails requesting me to inspect attachments....

Question is why would I even want to review anyone's cv?

Same approach but adapted to institutions and businesses. They will try anything that might coincide with your responsibilities. Or to fool you into forwarding it to a colleague whose responsibility it is (who then has his/her guard down a little bit). Probably works quite well in smaller organizations with broader individual scope of function and anything slightly misdirected is routinely passed on (I know I've almost been caught a few times).

[mgolden]

Heh.

[19:45 EDT] Please be alert to the fact that there are a lot of phishes being sent pretending to be mail about your SpamCop email account -- they may contain an attachment or may be just a link to googlegroups. Do not open the attachment; do not click the link.

[StevenUnderwood]

Man I am enjoying greylisting and wondering what you are talking about

I have revceived none of these and have received 1 spam in the held mail in the last 3 weeks.

[moltar]

Admin edit: Moved this 'new' Post' from the Reporting Help Forum and merged it into this existing E-mail Account Forum Topic/Discussion. PM sent to advise of this action.

Replaced my domain with mydomain.com. The email is fwded from spamcop to my other account.

 Received: from m6b.mxes.net ([unix socket])
	 by m6b.mxes.net (Cyrus v2.3.12) with LMTPA;
	 Sat, 29 May 2010 21:51:00 -0400
X-Sieve: CMU Sieve 2.3
Return-Path: <helpdesk[at]spamcop.net>
Received: from 216.86.168.176
	by m6b.mxes.net (bayesd) with LMTP id 1275184260-83382-10
	for <rf_mydomain.com[at]ms6.mxes.net>; Sat, 29 May 2010 21:51:00 -0400 (EDT)
Received: from local_scanner.mxes.net (mxout-01.mxes.net [216.86.168.176])
	by mxout-01.mxes.net (Postfix) with ESMTP id D4BE98A110
	for <rf[at]mydomain.com>; Sat, 29 May 2010 21:50:59 -0400 (EDT)
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])
	(using TLSv1 with cipher RC4-SHA (128/128 bits))
	(No client certificate requested)
	by mxin.mxes.net (Postfix) with ESMTPS id 5455B8A10A
	for <rf[at]mydomain.com>; Sat, 29 May 2010 21:50:59 -0400 (EDT)
Received: from unknown (HELO filter7.cesmail.net) ([192.168.1.217])
  by c60.cesmail.net with SMTP; 29 May 2010 21:50:54 -0400
Received: (qmail 21502 invoked by uid 1010); 30 May 2010 01:50:58 -0000
Cc: recipient list not shown:;
Delivered-To: spamcop-net-moltar[at]spamcop.net
Received: (qmail 21405 invoked from network); 30 May 2010 01:50:48 -0000
Received: from unknown (192.168.1.88)
  by filter7.cesmail.net with QMQP; 30 May 2010 01:50:48 -0000
Received: from avas104.indosat.net.id (219.83.54.104)
  by mxin1.cesmail.net with SMTP; 30 May 2010 01:52:49 -0000
X-IronPort-Anti-spam-Filtered: true
X-IronPort-Anti-spam-Result: AoUOAK9gAUzKmzKE/2dsb2JhbACDFkOBfox3ixiBRogvpCqCeoNOiQIOgRiBSQgFgS9rBINGiU4Bgxw
X-IronPort-AV: E=Sophos;i="4.53,325,1272819600"; 
   d="scan'208";a="38903006"
Received: from sumatera.indosat.net.id (HELO ms1.indosat.net.id) ([202.155.50.132])
  by avas114.indosat.net.id with ESMTP; 30 May 2010 08:50:36 +0700
Received: from banda (202.155.50.142) by ms1.indosat.net.id (7.3.104)
		id 4BDFAC190039A3B4; Sun, 30 May 2010 08:39:39 +0700
Message-ID: <31284045.391721275183579719.JavaMail.defaultUser[at]defaultHost>
Date: Sun, 30 May 2010 08:39:39 +0700 (WIT)
From: "helpdesk[at]spamcop.net" <helpdesk[at]spamcop.net>
Reply-To: customer_centre11[at]live.com
Subject: Your Account Update
MIME-Version: 1.0
Content-Type: text/plain;charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-SpamCop-Checked: 219.83.54.104 202.155.50.132 202.155.50.142 
X-Virus-Scanned: ClamAV, Sophos
X-spam-Score: 1.6
X-spam-Check: Enabled,6.0,13.0,1,1,42,1,0,0,1,1,0,0,0,[spam],
X-spam-Status: No, score=1.6 threshold=6.0,13.0 
X-spam-Sys-BayesResult: Unsure, 0.627370
X-spam-Report:  Content analysis details:
  -0.0 SPF_PASS			   SPF: sender matches SPF record
  1.6 MISSING_HEADERS		Missing To: header
X-spam-Scoring: 1,6
X-Originating-IP: 216.154.195.49
X-Envelope-To: <rf[at]mydomain.com>
X-EsetId: 43E7BC27AF5D190911AB

Dear spamcop Customer
 There is an on going changes/upgrading in your E-mail Account,please 
send us your E-mail ID and password to enter into our database 
operating system  for upgrading in other to avoid your account be close

[agsteele]

Man I am enjoying greylisting and wondering what you are talking about

I have revceived none of these and have received 1 spam in the held mail in the last 3 weeks.

Me too... I've been on vacation for a week and returned to 1 message in held mail and two that completely slipped through and a zillion (well maybe a few less) that will need attention when I return to work on Tuesday after our public holiday weekend. None are phishing-style Emails.

Grey-listing is exceedingly good and keeping this junk out of my mailbox.

Andrew

[juanv]

Where does one send a phishing email to report it?

[turetzsr]

Hi, juanv,

...Please have a look at SpamCop Wiki article "PhishMail" sections labeled "Reporting mail sources," "Reporting phish websites" and "Reporting to the institutions who were spoofed."