If one phish spam doesn't succeed, maybe another will

September 2, 2018

Here is another entry in the annals of spammers trying extra hard, to go with an earlier one. Recently, our mail system logged the following two interesting cases. Let's start with the first one:

<ID> attachment application/octet-stream; MIME file ext: .pdf
<ID> attachment application/octet-stream; MIME file ext: .htm
rejected <ID> from 194.201.253.234/info@deltaexpress.co.ke to <redacted>: identified virus: Mal/Phish-A, Troj/PDFUri-FUP
detail <ID> Subject: [PMX:SPAM] [PMX:VIRUS] Re: Document for Last Shipments

It seems our spammer is trying to get people two ways, combining some malware with a phish spam delivered as an HTML attachment. At one level this feels like a sensible approach; if the recipient's system blocks the malware attack, maybe the recipient will still respond manually to the phish spam. But that seems to assume a world where the malware can fail or be blocked without big red alerts showing up all over the entire email. Perhaps that is the case; if so, that's depressing.

Then there's the second and perhaps more interesting case:

<ID> attachment application/octet-stream; MIME file ext: .html
<ID> attachment application/octet-stream; MIME file ext: .html
rejected <ID> from 31.220.2.200/TAX@GOV.COM to <redacted>: identified virus: Troj/Phish-DFM, Troj/Phish-DGF
detail <ID> Subject: [PMX:SPAM] [PMX:VIRUS] Tax Clearance Certificate

Apparently this spammer hopes that if one phish spam doesn't succeed, maybe another one will. Or perhaps these are actually malware, as it's not clear from Sophos' pages. Sophos describes the file type of Troj/Phish-DFM as 'HTML', which could be a plain phish, but the file type of Troj/Phish-DGF as 'JavaScript', which is likely to be malware. Certainly the spammer is trying more than one thing at once here.

(This 'TAX@GOV.COM' spammer turns out to have been trying for a while from several sources.)

This prompted me to go looking through our logs in search of messages that were identified by Sophos as having multiple bad things in them in the hopes that I'd find a double-phish case. Sadly I wasn't able to find any, and most of them were less interesting than these ones. There was one exception, but that's going to be another entry.
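One way to do that search over the log format quoted above, as an added example that is not the post's own code: it groups the per-message lines by their id, picks out rejections whose 'identified virus' field names more than one signature, and flags the ones where every name is a Phish family (the double-phish case). The message ids and the third message are constructed; the other lines mirror the two excerpts above.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log excerpts in the post. The ids
# (m1..m3) and the whole of m3 are made up; m1 and m2 mirror the quoted lines.
SAMPLE_LOG = """\
m1 attachment application/octet-stream; MIME file ext: .pdf
m1 attachment application/octet-stream; MIME file ext: .htm
rejected m1 from 194.201.253.234/info@deltaexpress.co.ke to <redacted>: identified virus: Mal/Phish-A, Troj/PDFUri-FUP
detail m1 Subject: [PMX:SPAM] [PMX:VIRUS] Re: Document for Last Shipments
m2 attachment application/octet-stream; MIME file ext: .html
m2 attachment application/octet-stream; MIME file ext: .html
rejected m2 from 31.220.2.200/TAX@GOV.COM to <redacted>: identified virus: Troj/Phish-DFM, Troj/Phish-DGF
detail m2 Subject: [PMX:SPAM] [PMX:VIRUS] Tax Clearance Certificate
m3 attachment application/octet-stream; MIME file ext: .html
rejected m3 from 192.0.2.10/someone@example.com to <redacted>: identified virus: Troj/Phish-DFM
detail m3 Subject: [PMX:SPAM] [PMX:VIRUS] Invoice
"""

REJECT_RE = re.compile(r"^rejected (\S+) from (\S+) to \S+: identified virus: (.+)$")
ATTACH_RE = re.compile(r"^(\S+) attachment \S+; MIME file ext: (\S+)$")
DETAIL_RE = re.compile(r"^detail (\S+) Subject: (.*)$")

def parse_log(text):
    """Collect attachment extensions, source, subject and detections per message id."""
    msgs = defaultdict(lambda: {"viruses": [], "exts": [], "subject": None, "source": None})
    for line in text.splitlines():
        if m := REJECT_RE.match(line):
            msgs[m.group(1)]["source"] = m.group(2)
            # The detection list is comma separated, e.g. "Mal/Phish-A, Troj/PDFUri-FUP"
            msgs[m.group(1)]["viruses"] = [v.strip() for v in m.group(3).split(",")]
        elif m := ATTACH_RE.match(line):
            msgs[m.group(1)]["exts"].append(m.group(2))
        elif m := DETAIL_RE.match(line):
            msgs[m.group(1)]["subject"] = m.group(2)
    return dict(msgs)

def is_phish_name(name):
    """True for Sophos names whose family part starts with Phish (Mal/Phish-A, Troj/Phish-DFM)."""
    return name.split("/", 1)[-1].startswith("Phish")

def multi_detections(msgs):
    """Messages with more than one detection; all_phish marks the double-phish case."""
    out = {}
    for mid, info in msgs.items():
        if len(info["viruses"]) > 1:
            out[mid] = {"viruses": info["viruses"], "subject": info["subject"],
                        "all_phish": all(is_phish_name(v) for v in info["viruses"])}
    return out
```

Run it over a real log by replacing SAMPLE_LOG with the file contents; single-detection messages such as m3 are dropped by multi_detections.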

Written on 02 September 2018.
Last modified: Sun Sep 2 22:09:02 2018