#27677 - 12/13/13 01:04 PM Re: Email: replies from emails I did not send [Re: Bensheim]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: Bensheim
Originally Posted By: Virtual
This would worry me a bit. There are only a handful of possible answers to this question.

1. Your computer is compromised. Software is installed or altered to communicate with the phishers.

This seems very unlikely indeed, but how would I check that?

That covers a lot of ground. "How do I tell if my coworker is a spy?"


Quote:
Quote:
2. Something is intercepting your communications
- the web site you are using isn't using SSL, allowing interception of traffic at various places on the internet
- the web site itself is using SSL, but is submitting forms via plain HTTP POST traffic, allowing interception of traffic at various places on the internet
- another computer on your LAN is monitoring the traffic and is communicating with the phishers
- a computer on the government LAN is monitoring the traffic and is communicating with the phishers

The other computers on this LAN are all in this office and only two people use them; the other one is completely non-technical.....

"Hmm, let's see what's on that flash drive I found lying in the parking lot. Oh look, porn! click click click. What? I need a codec? Sure, go ahead and install it and get on with the show! click click click"

And that's how a completely non-technical staff leads to a compromised computer on your LAN.

Who did you say was your email provider? greginmymomsbasement.com?
_________________________
I work for the Department of Redundancy Department

#27678 - 12/13/13 01:53 PM Re: Email: replies from emails I did not send [Re: Virtual1]
Bensheim Offline


Registered: 08/16/09
Loc: UK
Vivid imagination, virtual, but that does not happen here.

#27680 - 12/13/13 02:44 PM Re: Email: replies from emails I did not send [Re: Bensheim]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: Bensheim
Vivid imagination, virtual, but that does not happen here.


Not so vivid. It's actually a known and frequently used ploy for kick-starting high-end spear phishing, to get their foot in the door at a company they're targeting. (It was rumored to be how Iran got their centrifuges taken over.)
_________________________
I work for the Department of Redundancy Department

#27686 - 12/14/13 04:23 AM Re: Email: replies from emails I did not send [Re: Bensheim]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: Bensheim
BTW, when communicating with these Government websites, it is not done by email. Submitting (mandatory) forms and requesting information is all done directly on their websites. No email transactions.

Okay. So, still applying my simple-minded logic, I still see things that would worry me if this was my situation.

1. The Phishers know whenever I communicate with these two sites.

2. Of the three, I am the common denominator.

3. The odds of the two government sites both being infected but me being clean, low.

4. The odds of me being infected, greater.

5. The odds of me being infected deliberately by someone in my office, zero.

However, I would have to consider if a malicious force snuck into my system unseen, which is always a possibility. Do you use any software that maintains a sentry, or software with which you periodically sweep your drives to see if anyone got past your sentry?

As I understand it, sneaking in undetected may not be difficult. For example, you or your staff could have received an email from a friendly source with an innocuous image attached, but the image could contain (unknown to your friend) code that installs an invader on your system.

I am just a private individual but I still take precautions and use such software because I worry about receiving such emails, and worry about things I could pick up unknowingly just traveling the internet. I don't want anything to be looking at my private information.

Let me give you a very recent example that happened with a colleague of mine, who is very careful about where he travels on the internet et cetera. A bug was placed on his machine and it remained for quite a while as someone observed his correspondence. Then, when he was traveling abroad, his investment advisor got an email (written in the style my friend would write) asking to transfer funds to a foreign account. Fortunately his advisor was suspicious and contacted my friend by phone.

So, back to the software question. Do you have a sentry and do you periodically sweep? If not, you might want to consider it.

Again, I think you want to hear from folks on this site who know about this kind of software. It is not a choice to be made lightly as there is some software (even "big name") that can cause other kinds of problems because they are not well written. They seem to be better at advertising their wares.


Edited by ryck (12/14/13 04:29 AM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

#27687 - 12/14/13 08:53 AM Re: Email: replies from emails I did not send [Re: ryck]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
"...a colleague of mine, who is very careful about where he travels on the internet et cetera. A bug was placed on his machine and it remained for quite a while as someone observed his correspondence."

Just curious... Has your friend a Mac or PC? And does he (you) know the name of the bug?
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#27688 - 12/14/13 10:51 AM Re: Email: replies from emails I did not send [Re: Pendragon]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: Pendragon
Just curious... Has your friend a Mac or PC? And does he (you) know the name of the bug?

Well, those are good questions as I only got a fleeting description while at a social event in another city....so I have now phoned.

1. He has a PC.

2. The device sending out the information was called Perfect Key Logger.

3. PKL has quite rich functionality and can capture email, screen shots et cetera from a remote location.

4. He believes the hacker remotely operating it came in through an email attachment.

5. My friend does not know how the logger came to be installed on his machine and wonders if the OS came with it. He has since had his computer service person remove it.
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

#27689 - 12/14/13 11:12 AM Re: Email: replies from emails I did not send [Re: ryck]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Interestingly (enough), Perfect Key Logger is also made for Macs.

But how does one detect and remove such from a Mac? Ah, more I do not know...
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#27690 - 12/14/13 12:29 PM Re: Email: replies from emails I did not send [Re: Pendragon]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
This is sometimes referred to as a "launch hook". At some point in the startup or login process, their program has to be started. There are a number of standard places to do this, and it's also possible to modify system files to achieve a hook without showing up in the typical places. It really depends on how much effort they want to go through, how forward-compatible they want it to be, etc.

(hard drive)/Library/Startup Items
(hard drive)/Library/LaunchDaemons
(hard drive)/Library/LaunchAgents
(home folder)/Library/LaunchDaemons
(home folder)/Library/LaunchAgents
(home folder)/Library/Preferences/loginwindow.plist

Those are the "suggested" places for 3rd party software to do their hooking. Actual malicious software may not be in such plain sight. They may live in /System, or may be a cron job (as the DNS redirector was, for example).

I've written scripts to check all of these locations and display items that are not normally there. (The contents of the system's launch folders are long and confusing and vary by OS version; software isn't supposed to hook there but on rare occasion will.)
_________________________
I work for the Department of Redundancy Department
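
One way to do the kind of check described above, as an added example rather than Virtual1's own script: walk the launch locations listed in the post, read each plist's Label and the program it starts, and report anything that is not in a saved baseline of labels (the baseline, the sample plists and the "suspicious path" prefixes are all assumptions made for this example; /System is skipped for the reason the post gives).

```python
# Added example (not Virtual1's script): inventory the launchd locations listed
# above and report entries that are not in a known-good baseline.
import os
import plistlib
import tempfile
from dataclasses import dataclass

# The locations named in the post. /System is left out deliberately: its
# contents are long, vary by OS version, and are better compared against a
# clean install of the same version than against a hand-kept list.
LAUNCH_DIRS = [
    "/Library/StartupItems",
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchDaemons"),
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Programs started from these places deserve a second look even when the
# label is familiar: world-writable staging areas (assumed list).
SUSPICIOUS_PROGRAM_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


@dataclass(frozen=True)
class LaunchItem:
    path: str      # file or folder that registers the hook
    label: str     # launchd Label (or folder name for StartupItems)
    program: str   # what gets executed; "" when the plist does not say


def read_launch_item(path):
    """Parse one launchd plist. Unreadable files are reported, not skipped:
    a deliberately malformed plist is itself worth a look."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:
        return LaunchItem(path, "<unparseable>", "")
    program = data.get("Program") or (data.get("ProgramArguments") or [""])[0]
    return LaunchItem(path, str(data.get("Label", "<no label>")), str(program))


def scan_launch_dirs(dirs):
    """Collect every hook registered in the given directories (missing dirs are skipped)."""
    items = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            if name.endswith(".plist") and os.path.isfile(full):
                items.append(read_launch_item(full))
            elif os.path.isdir(full):           # StartupItems are folders
                items.append(LaunchItem(full, name, ""))
    return items


def unexpected_items(items, baseline_labels):
    """Items whose label is not in the baseline, plus any item (baseline or
    not) whose program lives in a staging directory or under a hidden path."""
    flagged = []
    for it in items:
        is_new = it.label not in baseline_labels
        odd_place = it.program.startswith(SUSPICIOUS_PROGRAM_PREFIXES) or "/." in it.program
        if is_new or odd_place:
            flagged.append(it)
    return flagged


def build_sample_dir(root=None):
    """Constructed test data: a LaunchAgents folder with one ordinary vendor
    agent and one that starts a hidden binary from /Users/Shared."""
    root = root or tempfile.mkdtemp(prefix="launchagents-")
    samples = {
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
            "RunAtLoad": True,
        },
        "com.vendor.helper.plist": {
            "Label": "com.vendor.helper",
            "ProgramArguments": ["/Users/Shared/.helper/run"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            plistlib.dump(content, fh)
    return root


if __name__ == "__main__":
    # The baseline would normally be a saved list of labels from a known-clean
    # machine (assumption); here it is hard-coded for the constructed sample.
    baseline = {"com.example.updater"}
    for item in unexpected_items(scan_launch_dirs([build_sample_dir()]), baseline):
        print(f"{item.path}\n    label={item.label}\n    program={item.program}")
    # Against a real Mac: unexpected_items(scan_launch_dirs(LAUNCH_DIRS), baseline)
```

The baseline is what makes this useful: run it once on a machine you trust, keep the list of labels, and diff against it later. Program paths are checked independently of the label because a label can be chosen to look like anything.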

#27691 - 12/15/13 10:03 AM Re: Email: replies from emails I did not send [Re: Virtual1]
Bensheim Offline


Registered: 08/16/09
Loc: UK
This is the home page of Companies House, with a prominent red warning on the right hand side "Warning about bogus emails"

http://www.companieshouse.gov.uk/

I therefore conclude that bogus Phishing emails purporting to come from them are not exclusive to me......

This is the Security page from HMRC (Her Majesty's Revenue & Customs) with information and advice about bogus emails

http://www.hmrc.gov.uk/security/reporting.htm

I therefore conclude that bogus Phishing emails purporting to come from them are not exclusive to me......

It is not possible for any unauthorised person to gain access to these Macs let alone log in and instal software. Neither is it possible for anyone else here to instal unauthorised software.

Thanks for the replies

#27692 - 12/15/13 10:09 AM Re: Email: replies from emails I did not send [Re: Bensheim]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: Bensheim
It is not possible for any unauthorised person to gain access to these Macs let alone log in and instal software. Neither is it possible for anyone else here to instal unauthorised software.


That absolute belief may get you into trouble. It would be wise to never completely eliminate that from consideration.
_________________________
I work for the Department of Redundancy Department

#27694 - 12/15/13 10:45 AM Re: Email: replies from emails I did not send [Re: Bensheim]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: Bensheim
This is the home page of Companies House, with a prominent red warning on the right hand side "Warning about bogus emails".

This the Security Page from HMRC (Her Majesty's Revenue & Customs) with information and advice about bogus emails.

I therefore conclude that bogus Phishing emails purporting to come from them are not exclusive to me......

Those cautions are pretty standard fare. I don't know of any bank, for instance, that doesn't provide the same or similar warnings.

Don't overlook an important wrinkle....you get the Phishers contacting you shortly after you contact these organizations. I don't think it's an aspect you want to ignore.

However, both of those sites offer a service you should use. They each ask that, if you get phishing emails, forward them to the addresses they provide. When they receive an offending email from you they will have a team track the phishers down and take action.

You should first expand the offending email headers to "long headers" as they contain a lot of helpful data that the team will want to see. It would be meaningless to you or me, but it is gold to them.

If you don't use the service (help) that these organizations offer, you can't really complain about the problem.


Edited by ryck (12/15/13 10:50 AM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

#27695 - 12/15/13 11:59 PM Re: Email: replies from emails I did not send [Re: ryck]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
RE You should first expand the offending email headers to "long headers" as they contain a lot of helpful data that the team will want to see.

As a rule I send phishing attempts to the real companies being spoofed. In olden days it was easy and straightforward to switch to "long headers", but I no longer can find any way to do that with any email client I use (e.g., Gmail).
Any helpful hints?

#27696 - 12/16/13 03:38 AM Re: Email: replies from emails I did not send [Re: grelber]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: grelber
As a rule I send phishing attempts to the real companies being spoofed.

I do that as well. The most common are phishing expeditions passing themselves off as banks, in which case I not only forward to the bank but also to my ISP. Anything generic, like "Visit this site because you've won a lottery", would just go to the ISP.

In either case, I would also immediately write a Rule instructing my email software to delete immediately any further correspondence from the phishers.

Originally Posted By: grelber
In olden days it was easy and straightforward to switch to "long headers", but I no longer can find any way to do that with any email client I use (e.g., Gmail).

I use Apple Mail and they make it as easy as falling off a log. Under "View" I select "Message" where I am given two choices - Long Headers or Raw Source.

I don't know how it would be done with other email software (I have only ever used Apple Mail) but I'm sure others visiting here should.


Edited by ryck (12/16/13 03:39 AM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

#27697 - 12/16/13 04:46 AM Re: Email: replies from emails I did not send [Re: grelber]
dkmarsh Offline
Moderator

Registered: 08/04/09

Quote:
In olden days it was easy and straightforward to switch to "long headers", but I no longer can find any way to do that with any email client I use (e.g., Gmail).
Any helpful hints?

When viewing a message in Gmail, click on the disclosure triangle at the right end of the subject line, and choose Show original from the dropdown menu. That'll give you the entire message's raw source, from which the full headers are easily copy-and-pasteable.
_________________________

dkmarsh • member, FineTunedMac Co-op Board of Directors
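
As an added illustration of why ryck's advice to forward the "long headers" matters, and what a reader can pull out of the Raw Source / Show original view that dkmarsh describes, here is a small triage script. It is not from the thread; the raw message it parses is constructed for the example (all hosts and addresses are reserved example names), and the "unknown" reverse-DNS convention it looks for in Received headers is the one used by Postfix-style relays.

```python
# Added example, not from the thread: pull the triage-relevant fields out of a
# message's full ("long") headers as shown by Apple Mail's Raw Source or
# Gmail's Show original. The sample message below is constructed.
import email
import re
from email.utils import parseaddr

SAMPLE_RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.7])
    by mx.recipient.example (Postfix) with ESMTP id ABC123
    for <user@recipient.example>; Sat, 14 Dec 2013 10:49:55 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
    by mailer.example.net with ESMTPA id XYZ789;
    Sat, 14 Dec 2013 10:49:50 +0000
From: "Agency Filings" <noreply@agency.example>
Reply-To: <forms@agency-verify.example.net>
To: user@recipient.example
Subject: Your filing requires verification
Date: Sat, 14 Dec 2013 10:49:50 +0000

Please open the attached form.
"""

# "from <host> (<reverse-DNS / HELO info>) ... by <host>"; the IP is in brackets.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.I | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _unfold(value):
    """Collapse folded header continuation lines into one line."""
    return " ".join(str(value).split())


def _domain(header_value):
    """Domain part of the address in a header value ('' if none)."""
    addr = parseaddr(_unfold(header_value))[1]
    return addr.rpartition("@")[2].lower()


def received_chain(msg):
    """Hops oldest-first: each relay prepends its Received line, so the last
    one in the message is the closest thing to the origin."""
    hops = []
    for raw in reversed(msg.get_all("Received") or []):
        text = _unfold(raw)
        m = RECEIVED_RE.search(text)
        ip = IP_RE.search(text)
        hops.append({
            "from": m.group("from") if m else "?",
            "info": (m.group("info") or "") if m else "",
            "by": m.group("by") if m else "?",
            "ip": ip.group(1) if ip else "",
        })
    return hops


def triage(raw_message):
    """Summarise who really sent the message and where replies would go."""
    msg = email.message_from_string(raw_message)
    hops = received_chain(msg)
    domains = {
        "return_path": _domain(msg.get("Return-Path", "")),
        "from": _domain(msg.get("From", "")),
        "reply_to": _domain(msg.get("Reply-To", "")),
    }
    findings = []
    if domains["reply_to"] and domains["reply_to"] != domains["from"]:
        findings.append(f"Reply-To domain {domains['reply_to']} differs from From domain {domains['from']}")
    if domains["return_path"] and domains["return_path"] != domains["from"]:
        findings.append(f"Return-Path domain {domains['return_path']} differs from From domain {domains['from']}")
    if hops and "unknown" in hops[0]["info"].lower():
        findings.append(f"originating host {hops[0]['ip'] or hops[0]['from']} has no reverse DNS")
    if msg.get("Authentication-Results") is None:
        findings.append("no Authentication-Results header: receiving server recorded no SPF/DKIM verdict")
    return {
        "origin_ip": hops[0]["ip"] if hops else "",
        "hops": hops,
        "domains": domains,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_RAW)
    for hop in report["hops"]:
        print(f"{hop['from']:<24} -> {hop['by']}  ({hop['ip'] or 'no ip'})")
    for f in report["findings"]:
        print("!", f)
```

The three header fields compared here (From, Reply-To, Return-Path) are exactly the ones a short-header view hides, and the Received chain is what the abuse teams ryck mentions use to find the sending host; none of that survives if only the visible "From" line is forwarded.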

#27698 - 12/16/13 05:55 AM Re: Email: replies from emails I did not send [Re: dkmarsh]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
I see such in your example, but no such thing exists in my Gmail.
I'm using basic HTML view, so that may be the reason it doesn't exist any longer for me.
I won't switch to standard view because it takes forever to load with my dial-up Internet access; basic view also has the benefit that I get absolutely no ads.

#27703 - 12/16/13 09:41 AM Re: Email: replies from emails I did not send [Re: grelber]
dkmarsh Offline
Moderator

Registered: 08/04/09

I can still access a Show original link in Gmail basic HTML view.
_________________________

dkmarsh • member, FineTunedMac Co-op Board of Directors

#27704 - 12/16/13 09:49 AM Re: Email: replies from emails I did not send [Re: grelber]
Bensheim Offline


Registered: 08/16/09
Loc: UK
Getting back to basics here, all these irritating bouncebacks are, it seems to me, a direct result of my using BoxTrapper.

This means that anyone emailing us will, if not on the White List, be required to prove that they are human and send again.

Every one looks the same (as previously reported), viz:

Quote:
This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 48 hours on the queue on garm.silverserve.com.

The message identifier is: 1VrmnD-0001S3-5y
The subject of the message is: Your email requires verification verify#KhtheXNMfL7cua7SNgkXg-1387018195)
The date of the message is: Sat, 14 Dec 2013 10:49:55 +0000

The address to which the message has not yet been delivered is:

pw@fy.org

No action is required on your part. Delivery attempts will continue for
some time, and this warning may be repeated at intervals if the message
remains undelivered. Eventually the mail delivery software will give up,
and when that happens, the message will be returned to you.


(It seems to me that) the software at the ISP end is attempting to get "verification" from a bunch of recent spams by BoxTrapping rules.

This goes in cycles, and each (apparently random selection of ~20, since I get over 50 spams a day) cycle lasts about 3 days. It gets up to 72 hours on the queue then it gives up.

IF I stopped BoxTrapping, every single spam (over 50/day) would be allowed through. I have stepped up the alleged scrutiny of SpamAssassin, but I cannot tell if that has helped at all; I think the effect was zero.

I could complain to the ISP but from past experience none of them have English as a first language and it takes repeated attempts to explain what their problem is......and by then three days (that 72 hours above) have elapsed, so they cannot see what I'm on about.

This particular ISP is the Registrar for our company domain name and run our business emails, therefore I am extremely reluctant to switch to someone else. I use another ISP for internet access/broadband supply.

If I dumped the ISP of which I complain and shunt everything to the broadband ISP (whose performance has been flawless for years) then I'd have to move the domain-name registration over too (?) and possibly (?) tolerate a different business email address either in the interim or from then on.

As I type I realise that this is particularly pertinent: our domain-name registration fee is renewed annually in January.

Helpful replies appreciated: thanks in advance.

#27705 - 12/16/13 10:53 AM Re: Email: replies from emails I did not send [Re: dkmarsh]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Talk about being blind in one eye and not being able to see out of the other ...
I was only looking at the Subject line, not the options below the To line.
Many thanks for pointing that out.
