Never judge an email by its cover

By Marc Laliberte Information Security Analyst at WatchGuard Technologies It’s not new advice. Receiving an email that purports to be one thing but turns out to be something...

By Marc Laliberte Information Security Analyst at WatchGuard Technologies

It’s not new advice. Receiving an email that purports to be one thing but turns out to be something else is the oldest trick in the book when it comes to cybercrime. The deceptions change but fundamentally the attacks remain the same. However, there are always new disguises that criminals take advantage of to gain our trust. From the origins of rich African businessmen who want to invest in the UK to, more recently, high street banks fraudsters have to keep ahead of the game.

In the last few months it is the turn of social networking giants, Facebook, to be deployed as a cover for malicious attacks. A recent posting on Stack Exchange (the Q&A community website) uncovered the tip of an iceberg designed to disrupt users using the power of social networking. What could you trust more than an email from a friend? The answer to this is the key to the most recent malware strike.

One particular user had been sent a notification, supposedly from Facebook, reporting that a friend had tagged him in a comment. The email contained the ubiquitous link which the user clicked on. Unfortunately, the link immediately downloaded an obscure JavaScript file. On analysis by the Stack Exchange community the file was found to be a loader application designed to launch a couple of Chrome extensions including the Autolt Windows exe. It is through this extension that the malware perpetuates its infectious cycle by creating other Facebook posts.

Though Autolt is usually a safe scripting extension, the cybercriminals were using the files, hosted on a disreputable website, to disguise their malicious attack. Concealed with .jpg extensions the victim would naturally assume that these were ordinary image files unless they subjected them to further scrutiny.

The fly in the ointment, or the saviour of the day, for this particular attack (and user) was the fact that the malicious file didn’t automatically execute the code. Whoever created the malware mistakenly assumed that users would launch the file themselves. It’s difficult to know how successful this particular wave of attacks has been as some people may have been suspicious about the file download whilst others may have innocently launched the extension.

However successful this malware has been is somewhat irrelevant as already something new will have taken its place. What is important is the two key lessons that this particular incidence teaches us.

  • The importance of communities like Stack Exchange.

When users become suspicious about the activity and behaviour of emails, links, files and downloads then alerting a wider audience is essential; not only to warn others but to gain access to the skills of other users who can help diagnose and report on the issues. If we all kept the news of an attack to ourselves then more people are vulnerable and malware attacks can get out of hand. Reporting these incidents allows the experts to put fixes in place to limit or prevent the spread.

  • Trust no-one

When it comes to online security the old adage of being ultra-cautious about clicking on links, receiving unsolicited communication and downloading files is the golden rule.

Finally, whilst this particular piece of malware was flawed in that it did not launch automatically users cannot rely on the oversight of malicious code authors. The best way to prevent exploitation by malware attacks is to ensure that your browser (and extensions) are kept up to date along with the most current version of security software. Just remember, things are not always as they seem.

In this article

Join the Conversation