{"id":329,"date":"2015-12-10T23:20:17","date_gmt":"2015-12-10T23:20:17","guid":{"rendered":"http:\/\/blog.paranoidprofessor.com\/?p=329"},"modified":"2016-09-21T14:00:12","modified_gmt":"2016-09-21T14:00:12","slug":"a-cautionary-tale-email-attachments","status":"publish","type":"post","link":"https:\/\/blog.paranoidprofessor.com\/index.php\/2015\/12\/10\/a-cautionary-tale-email-attachments\/","title":{"rendered":"A cautionary tale &#8211; email attachments"},"content":{"rendered":"<p>So my sister sent me an email as there were problems at work; as luck would have it, she was out of the office when she got this from bookkeeping.<\/p>\n<p><a href=\"http:\/\/blog.paranoidprofessor.com\/wp-content\/uploads\/2015\/12\/shadow-copy-service.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-332 aligncenter\" src=\"http:\/\/blog.paranoidprofessor.com\/wp-content\/uploads\/2015\/12\/shadow-copy-service-300x149.jpg\" alt=\"shadow-copy-service\" width=\"523\" height=\"260\" srcset=\"https:\/\/blog.paranoidprofessor.com\/wp-content\/uploads\/2015\/12\/shadow-copy-service-300x149.jpg 300w, https:\/\/blog.paranoidprofessor.com\/wp-content\/uploads\/2015\/12\/shadow-copy-service-1024x510.jpg 1024w\" sizes=\"(max-width: 523px) 100vw, 523px\" \/><\/a>She couldn&#8217;t make heads nor tails of it.\u00a0 To be honest, I have worked with most versions of Windows and this sounded pretty odd to me. The user kept pressing No, but the dialog kept coming back. When my sister got back to the office she ran Malwarebytes to check out the situation.<\/p>\n<h2 style=\"text-align: center;\"><strong><a href=\"https:\/\/blog.kaspersky.com\/teslacrypt-20-ransomware\/9314\/\">ransom.teslacrypt<\/a><\/strong><\/h2>\n<p>Wow, so it seems like they have managed to get the TeslaCrypt virus. 
Not just any virus, but one that encrypts your files and then demands payment to decrypt them.\u00a0 Traditionally there is no honor amongst thieves, so it is doubtful whether they would hold up their end and actually decrypt the files even if they were paid.\u00a0 I am not going to infect my PC to test that hypothesis.<\/p>\n<h2>How did this happen<\/h2>\n<p>I was kicking this around with my colleague and we were wondering just what naughty web site had been surfed to pick up such a virus.\u00a0 It is a small office, so there is not much in the way of restrictions.<\/p>\n<p>Perhaps, to ensure this doesn&#8217;t happen again, they should install a proxy server?\u00a0 Do they need a different firewall solution?\u00a0 None of the users have administrator privileges.\u00a0 Was something overlooked?<\/p>\n<p>Soul searching was done and a lot of questions were asked, in addition to checking out the machine itself.\u00a0 It turns out that the reason this happened was a lot simpler than Robert hitting the porn sites on his lunch break.<\/p>\n<p>It seems that Sally in bookkeeping received an email from an unknown sender with an attached &#8220;invoice&#8221; that supposedly needed to be paid.\u00a0 So Sally clicked on the attachment, it opened, and within seconds she knew that there was nothing they needed to pay, <strong><em>click click click<\/em><\/strong>.\u00a0 She closed the attachment and deleted the email.\u00a0 It was shortly after this that the odd behaviors started to occur.<\/p>\n<p>There has been some good analysis of this virus, such as <a href=\"http:\/\/blogs.cisco.com\/security\/talos\/teslacrypt\">this one<\/a>.\u00a0 That explains the shadow copy deletion prompts that were being displayed: deleting volume shadow copies requires administrator rights, so on a standard user account the attempt surfaces as an elevation prompt that the user can refuse, while the encryption of the user&#8217;s own files needs no elevation at all.<\/p>\n<p><a href=\"http:\/\/blog.paranoidprofessor.com\/wp-content\/uploads\/2015\/12\/delete-shadows.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-330 aligncenter\" 
src=\"http:\/\/blog.paranoidprofessor.com\/wp-content\/uploads\/2015\/12\/delete-shadows-300x197.jpg\" alt=\"delete-shadows\" width=\"484\" height=\"318\" srcset=\"https:\/\/blog.paranoidprofessor.com\/wp-content\/uploads\/2015\/12\/delete-shadows-300x197.jpg 300w, https:\/\/blog.paranoidprofessor.com\/wp-content\/uploads\/2015\/12\/delete-shadows-1024x673.jpg 1024w\" sizes=\"(max-width: 484px) 100vw, 484px\" \/><\/a>From the <a href=\"http:\/\/blogs.cisco.com\/security\/talos\/teslacrypt\">breakdown<\/a> of how this virus worked, it was really well done &#8211; with evil intent &#8211; but well programmed nonetheless.<\/p>\n<h2>Lessons learned<\/h2>\n<p>There are no hard and fast rules for common sense, but &#8220;easy does it&#8221; or &#8220;look before you leap&#8221; sound like good advice.<\/p>\n<p>I get questionable emails every few days, just like everyone else.\u00a0 What do these emails want?<\/p>\n<ol>\n<li>click on this link to see sexy photos<\/li>\n<li>click on the attached photo<\/li>\n<li>check out my overdue bill<\/li>\n<li>bank transfer problems statement<\/li>\n<li>my travel itinerary<\/li>\n<\/ol>\n<p>My favorites are the attachments with names crafted for people who are only paying superficial attention to what is attached.\u00a0 Windows Explorer hides known file extensions by default, so the trailing .exe disappears and only the decoy .pdf or .jpg is visible.<\/p>\n<p>invoice-26282.pdf.exe<br \/>\nprom_pictures.jpg.exe<\/p>\n<p>The main lesson should be that you cannot click on just anything that is attached to your email.\u00a0 This is true whether it is from <strong>unknownperson@sketchydomain.cj<\/strong> or from your <strong>mom<\/strong>.\u00a0 It is possible for some of these viruses to send out emails from your account to the friends in your contacts.<\/p>\n<p>If the email doesn&#8217;t sound like it came from your friend or family member, cast a skeptical eye on it.\u00a0 Don&#8217;t open the attachment; make a phone call or send an email of your own asking about the email you received.\u00a0 If in doubt, simply delete it.<\/p>\n<h2>Final thoughts<\/h2>\n<p>You cannot be careful 
enough when surfing, opening emails, or running new programs.\u00a0 Below is a small list of best practices to help keep your computer running virus free.<\/p>\n<ul>\n<li>Disable Outlook previews<\/li>\n<li>Ensure that all security updates and patches are installed<\/li>\n<li>Keep your software up to date with the latest versions<\/li>\n<li>Use anti-virus software<\/li>\n<li>Show file name extensions in Explorer, so a .pdf.exe cannot pass for a .pdf<\/li>\n<li>Think before you click on links or attachments<\/li>\n<li>Think before downloading new programs or utilities<\/li>\n<li>Disable autorun<\/li>\n<li>Use a hardware firewall<\/li>\n<li>The company should use a proxy server<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>So my sister sent me an email as there were problems at work, as luck had it she was out of the office when she got this from bookkeeping. She couldn&#8217;t make heads nor tails of it.\u00a0 To be honest, &hellip; <a href=\"https:\/\/blog.paranoidprofessor.com\/index.php\/2015\/12\/10\/a-cautionary-tale-email-attachments\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[54],"_links":{"self":[{"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/posts\/329"}],"collection":[{"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/comments?post=329"}],"version-history":[{"count":6,"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/posts\/329\/revisions"}],"predecessor-version":[{"id":352,"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/posts\/329\/revisions\/352"}],"wp:attachment":[{"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/media?parent=329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/categories?post=329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.paranoidprofessor.com\/index.php\/wp-json\/wp\/v2\/tags?post=329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
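The post's "Lessons learned" section shows attachment names such as invoice-26282.pdf.exe that rely on the reader seeing only the decoy extension. The following screener is an added example written for this page, not code from the post or from any vendor: it works out the extension Windows will actually honour (the last one), flags a decoy extension in front of an executable one, and goes beyond the post's two names by also catching whitespace padding and the Right-to-Left Override character, both of which hide the real extension in the same way. The extension lists are an assumption of the example and are deliberately short; a mail gateway would use a fuller set.

```python
import re
import unicodedata

# Assumed, abbreviated lists for this example: what Windows will run directly or
# through a script host, and what attackers put in front of it as a decoy.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "hta", "msi", "ps1", "lnk",
}
DECOY_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt", "zip",
}

# U+202E reverses the display order of the characters after it, so
# "invoice\u202efdp.exe" is shown as "invoiceexe.pdf" while the file is an .exe.
RLO = "\u202e"


def screen_attachment_name(name: str) -> dict:
    """Decide whether an attachment file name looks like an extension masquerade.

    Returns a dict with the verdict ("allow" or "block"), the list of reasons
    that contributed to it, and the extension Windows would actually honour.
    """
    reasons = []

    if RLO in name:
        reasons.append("contains Right-to-Left Override; displayed name is not the real name")

    # Look at the name as the file system sees it: RLO removed, compatibility
    # characters folded, any directory component stripped.
    visible = unicodedata.normalize("NFKC", name.replace(RLO, ""))
    base = re.split(r"[\\/]", visible)[-1]

    # The last dot-separated piece is the extension that decides how the file opens.
    parts = base.lower().split(".")
    exts = [e.strip() for e in parts[1:]] if len(parts) > 1 else []
    true_ext = exts[-1] if exts else ""

    if true_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"final extension .{true_ext} is executable")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"decoy extension .{exts[-2]} precedes executable extension")

    # "invoice.pdf                    .exe": the run of spaces pushes the real
    # extension out of a narrow file-name column.
    decoy_alt = "|".join(sorted(DECOY_EXTENSIONS))
    if re.search(r"\.(" + decoy_alt + r")\s{5,}\.", base, re.IGNORECASE):
        reasons.append("whitespace padding hides the real extension")

    verdict = "block" if (true_ext in EXECUTABLE_EXTENSIONS or RLO in name) else "allow"
    return {"verdict": verdict, "reasons": reasons, "true_extension": true_ext}


if __name__ == "__main__":
    for sample in ("invoice-26282.pdf.exe", "prom_pictures.jpg.exe", "report.pdf",
                   "invoice\u202efdp.exe", "invoice.pdf                    .exe"):
        print(repr(sample), screen_attachment_name(sample))
```

The decision is made on the true extension alone; the decoy, padding and RLO findings are recorded as reasons so an analyst can see why a name was blocked, and so a name like photo.exe with no decoy at all is still blocked rather than slipping through a check that only looks for double extensions.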
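The post explains the repeated dialog as the malware's attempt to delete volume shadow copies, which the linked Talos analysis describes. Deleting shadow copies is one of the few things ransomware does that stands out in process-creation logs, so the following is an added detection example for this page (not code from the post, Talos, or any product): it parses constructed process-creation records, matches the usual shadow-copy deletion commands, and notes whether the parent process lives outside the Windows directory. The log lines and field layout are made up for the example and are not real telemetry from the office in the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, one process-creation record per line, tab-separated:
# timestamp, user, parent image, image, command line. Not real log data.
SAMPLE_LOG = """\
2015-12-10T13:02:11Z\tOFFICE\\sally\tC:\\Windows\\explorer.exe\tC:\\Program Files\\Adobe\\Reader\\AcroRd32.exe\t"C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe" "C:\\Users\\sally\\Downloads\\invoice-26282.pdf"
2015-12-10T13:02:40Z\tOFFICE\\sally\tC:\\Windows\\explorer.exe\tC:\\Users\\sally\\AppData\\Local\\Temp\\invoice-26282.pdf.exe\t"C:\\Users\\sally\\AppData\\Local\\Temp\\invoice-26282.pdf.exe"
2015-12-10T13:02:41Z\tOFFICE\\sally\tC:\\Users\\sally\\AppData\\Local\\Temp\\invoice-26282.pdf.exe\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin.exe Delete Shadows /All /Quiet
2015-12-10T13:03:05Z\tOFFICE\\sally\tC:\\Users\\sally\\AppData\\Local\\Temp\\invoice-26282.pdf.exe\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic shadowcopy delete
2015-12-10T14:00:00Z\tOFFICE\\backupsvc\tC:\\Windows\\System32\\services.exe\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin.exe List Shadows
"""

# Command lines that remove shadow copies. Listing them is legitimate admin
# activity and is deliberately not matched.
SHADOW_DELETE_PATTERNS = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
     "vssadmin delete shadows"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
     "wmic shadowcopy delete"),
    (re.compile(r"win32_shadowcopy.*\bdelete\b", re.IGNORECASE),
     "WMI Win32_ShadowCopy delete"),
]


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one tab-separated record; return None for malformed lines."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 5:
        return None
    timestamp, user, parent, image, cmdline = fields
    return {"timestamp": timestamp, "user": user, "parent": parent,
            "image": image, "cmdline": cmdline}


def detect_shadow_copy_deletion(log_text: str) -> List[Dict[str, object]]:
    """Return every record whose command line deletes shadow copies.

    Each hit carries the matched rule and a flag saying whether the parent
    process runs from outside C:\\Windows, which is the case when a user-land
    dropper such as an "invoice" executable spawns vssadmin.
    """
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        for pattern, label in SHADOW_DELETE_PATTERNS:
            if pattern.search(rec["cmdline"]):
                parent_outside_windows = not rec["parent"].lower().startswith("c:\\windows\\")
                hits.append({**rec, "rule": label,
                             "parent_outside_windows": parent_outside_windows})
                break  # one rule per record is enough
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_copy_deletion(SAMPLE_LOG):
        print(hit["timestamp"], hit["user"], hit["rule"],
              "parent:", hit["parent"], "outside Windows:", hit["parent_outside_windows"])
```

On the sample the Acrobat launch, the dropper launch and the backup service's List Shadows are ignored, and the two deletion attempts are returned with the dropper in the user's Temp directory as their parent. In the office described in the post the user lacked administrator rights, so these commands would have been blocked at the elevation prompt, but the process-creation event is still written, which is exactly why this is worth alerting on.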