September 2012 IT Business Consulting Newsletter

Phishing Got ME!!!

By Tom K

It’s ironic that just after highlighting Phishing in my last newsletter (see "Don’t Be the Big Fish"), I got sucked in and took the bait. This one was new and different, but no excuses... I should have known better!

So to help you by detailing my carelessness, in this month’s newsletter I discuss this new Phishing attack, how/why it got me, and why I should have recognized it for what it was. This newsletter is pretty short and, as there are several good variants of the con that got me flying around cyber mail, it is well worth the read.


The Con

The con that got me wasn’t your typical “looking for info” scam, but was a simple email from Fed Ex (with nice graphics) advising that a package I had sent had not been delivered due to an inaccurate address, and the package could be picked up at Fed Ex. I just needed to “print” a copy of the label. Clicking Print, of course, initiates a download (the typical run/save windows box). If you hit Run, or if you save & then run, you’ve just invited and installed a virus... in this case a Trojan.

Since I got caught by this one in my email, I researched & found instances of very similar cons using UPS and USPS, both for “a package you sent has been returned” and “we were unable to deliver a package to you”. In all instances, the desired outcome is for the recipient (you & me & Aunt Millie) to initiate a Trojan download.


Why I Got Hooked

I’m not stupid; I was just careless! I neglected to heed my own advice... when dealing with email, always be on your guard!

The attack was very non-typical. No request for info, and not a blatant “go here.” They were not phishing for information, but trying to download a Trojan / key logger.

The bait fit my previous activity. The week before, I had sent a number of packages out via both Fed Ex and UPS, so it made sense (to one not paying attention).

It was late, I was trying to get out of the office, I was tired, and I was in a hurry. So I was not paying attention, and I let my guard down.

You might see a pattern here... the con was pretty good, but wouldn’t have worked HAD I NOT LET MY GUARD DOWN!


What I Should Have Seen

Looking back at the email, there were several items, some subtle & some “in your face” (to one who was paying any attention) that I should have seen:

  • They didn’t reference my tracking number – real emails from real companies use their reference numbers
  • There were 2 minor grammatical errors
  • The return email address was activity@info-fedex.com; real FedEx addresses are @fedex.com
  • They wanted me to download / open a file
  • The download URL had nothing to do with FedEx (we all know better!)
  • The download file was a .ZIP file (very dangerous – this was the worst “in your face”)

As noted in last month’s newsletter, things to watch for that would have prevented this:

“The best means of detection is to always be on guard and don’t click on links or attachments unless you are sure they’re legitimate and you know the sender... And, if you are inclined to click on a link, set your browser to display the actual URL of links and hover your mouse pointer over the link to see where it really goes.”
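The red flags listed above (sender domain that only looks like the brand's, a download link on an unrelated host, a .ZIP payload) can be checked mechanically before anyone clicks. The following is an added example, not code from the newsletter; the sample message is constructed to match the con described, and the brand domain table is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample in the shape the newsletter describes; not a real message.
SAMPLE_EMAIL = """\
From: FedEx Customer Service <activity@info-fedex.com>
Subject: Package not delivered
Content-Type: text/html

<p>Your parcel was returned due to an incorrect address.</p>
<p><a href="http://labels-download.example/print_label.zip">Print label</a></p>
"""

# Assumed brand -> legitimate domain table (extend for your own environment).
BRANDS = {"fedex": "fedex.com", "ups": "ups.com", "usps": "usps.com"}
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js")

def belongs_to(host, domain):
    """True if host is the domain itself or a subdomain of it (mail.fedex.com)."""
    return host == domain or host.endswith("." + domain)

def phishing_flags(raw):
    """Return the red flags found in one raw RFC 822 message as short strings."""
    msg = message_from_string(raw)
    found = []
    from_header = msg.get("From", "")
    sender_host = parseaddr(from_header)[1].lower().rpartition("@")[2]
    # Which brand the message claims to come from, judged by the From header.
    claimed = [b for b in BRANDS if re.search(rf"\b{b}\b", from_header, re.I)]
    for brand in claimed:
        if not belongs_to(sender_host, BRANDS[brand]):
            found.append(f"sender domain {sender_host} is not {BRANDS[brand]}")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for url in re.findall(r'href="([^"]+)"', body, flags=re.I):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if claimed and not any(belongs_to(host, BRANDS[b]) for b in claimed):
            found.append(f"link host {host} is unrelated to the claimed sender")
        if parts.path.lower().endswith(RISKY_EXTENSIONS):
            found.append(f"link downloads a risky file: {parts.path.rsplit('/', 1)[-1]}")
    return found

if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE_EMAIL):
        print("FLAG:", flag)
```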


Saved By Anti-Virus Software

Fortunately, even though I was tired, sloppy, and in a hurry, my AV software was updated, properly configured, and on the job. When I hit the ZIP file, my AV app refused to let me open it and detailed the specific threat.


Final Thoughts

No matter how good we are (or think we are), if we allow being tired and in a hurry to influence our ability to see the danger signs that are right in our faces, we’ll get burned.

Pay attention! Don’t let your guard down! And keep your excellent AV application tuned and updated!


As ever, if you have any questions or comments concerning this article, I’d be happy to discuss this with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.


Next month I’ll get back to the scheduled security discussion with a look at the hows and whys of security audits. See "IT Security Audits".