Harmful and Nuisance E-mail
Nuisance Email: Spam and Phishing
All users of email have had to deal with spam and phishing attacks. Spam is unsolicited email that advertises "products" or carries a virus payload designed to compromise your workstation. Phishing is the attempt to convince you to provide personal information over the Internet -- credit card information, social security number, etc. -- that can be used to access your financial accounts.
These problems result from the way the Internet was designed to function, and developing systematic solutions requires international cooperation and standards. This article from the November 1, 2004, issue of Network World, titled "E-Mail at the Crossroads", describes the nature of the problem and the sense of urgency in trying to resolve it.
OUCH: The Report On Identity Theft and Attacks on Computer Users
Volume 1, No. 8. August 3, 2004
Every day, thousands of people are fooled by email from criminals trying to steal their identities or infect and take over their computers. This update will help you avoid being a victim. The attacks listed here are the tip of the iceberg. To be safe, don't open email attachments from anyone unless you were expecting the attachment. And don't click on links in emails unless you can guarantee the email came from someone who is not trying to fool you.
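The two rules in this paragraph (an attachment you were not expecting, and a link whose sender you cannot vouch for) can be checked mechanically before anyone clicks. The following Python is an added example, not part of the OUCH alert: it uses only the standard library, the sample message is constructed to imitate the eBay billing bait with a zipped "pictures" attachment, and the host name ebay-billing-update.example and the .exe/.scr/.pif suffixes are assumptions, not values from the alert.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Zip files are the infection step named in the alert; .exe/.scr/.pif are assumed.
RISKY_SUFFIXES = (".zip", ".exe", ".scr", ".pif")
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def registrable(host: str) -> str:
    """Crude registrable-domain reduction: keep only the last two labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw: bytes) -> list[str]:
    """Apply the two alert rules to one raw RFC 5322 message and list what trips them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Rule 1: an attachment of a type that unpacks or executes when opened.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_SUFFIXES):
            findings.append(f"risky attachment: {name}")
    # Rule 2: the link's visible text names one site but its href goes elsewhere.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in ANCHOR_RE.findall(html.get_content()):
            target = urlparse(href).hostname or ""
            for shown in HOST_RE.findall(re.sub(r"<[^>]+>", "", text)):
                if registrable(shown) != registrable(target):
                    findings.append(f"link shows {shown} but goes to {target}")
    return findings


def build_sample() -> bytes:
    """Constructed message modelled on the eBay bait plus a zipped attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Update Your Billing Information"
    msg.set_content("We have detected a slight error in your billing information.")
    msg.add_alternative(
        "<p>We have detected a slight error in your billing information.</p>"
        '<p><a href="http://ebay-billing-update.example/login">'
        "https://www.ebay.com/billing</a></p>",
        subtype="html",
    )
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="zip", filename="pictures.zip")
    return msg.as_bytes()
```

Running `triage(build_sample())` reports both the zip attachment and the mismatch between the displayed eBay address and the real link target; a message that passes both rules returns an empty list.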
Harmful Email Subjects to Avoid
I. Emails from people trying to infect your system and steal your friends' email addresses for spam
1. Pictures of Osama Bin Laden's hanging or Arnold Schwarzenegger's suicide note
2. Email that seems to come from your system administrator or other familiar sender that says your email could not be delivered, or some similar statement.
3. Email with subject "Against!" or "Revenge"
4. Email with subject Re_ and body with animals or foto or other subjects
II. Emails from people trying to steal your identity (and your money)
1. Update Your Billing Information (from eBay)
2. Your account at eBay has been suspended
3. Your account at Wells Fargo has been suspended
4. Notification of US Bank Internet Banking
5. Attn: Citibank Update
6. Confirm AOL Billing Info
III. Emails from people trying to fool you into hurting yourself or your friends and coworkers
1. Subject: "jdbg" Virus: how to detect and remove.
1. Name: Hackarmy
The bait: An email or news article claiming to offer you copies of pictures of Osama Bin Laden being hanged. A second form claims to have a suicide note from Arnold Schwarzenegger.
How it infects your system: You click on a link that downloads a zip file. You execute the file thinking you will see the pictures.
What it does to you: Gives attackers remote control of your computer so they can use it in attacks on other people, or harvest email names for spam.
More detailed information is available on the Symantec Web site.
2. Name: Mydoom-O
The bait: An email that seems to come from your mail or system administrator or from another familiar sender, with an attachment and with any one of the following subjects: (1) say helo to my litl friend, (2) click me baby, (3) one more time, (4) hello, (5) error, (6) status, (7) test, (8) report, delivery failed, (9) Message could not be delivered, (10) Mail System Error - Returned Mail, (11) Delivery reports about your e-mail, (12) Returned mail: see transcript for details, (13) Returned mail: Data format error.
How it infects your system: You download and open the attachment.
What it does to you: Steals all email addresses from you to be sold to spammers; spreads to other sites from your machine. It also uses your system to send requests to search engines like Google to look for more email addresses.
More detailed information is available on the Symantec Web site.
3. Name: Atak-C
The bait: An email that arrives with the subject "Attack!" or "Revenge" and a zipped attachment.
How it infects your system: You download and open the attachment.
What it does to you: Steals all email addresses from you to be sold to spammers.
More detailed information is available on the Sophos Web site.
4. Name: Beagle
The bait: An email with subject Re_ and body with animals or foto or other subjects, and an attachment.
How it infects your system: You download and open the attachment.
What it does to you: Disables antivirus and other important software, mass mails itself to others, steals email addresses from throughout your files, and gives the attacker remote control of your computer to use to attack other systems.
More detailed information is available on the Computer Associates Web site.
II. Emails from people trying to steal your identity (and your money)
1. Update Your Billing Information (from eBay)
The bait: An email that looks as if it comes from eBay saying the company has "detected a slight error in your billing information" and saying that you must fix it within 48 hours to continue to buy or sell on eBay.
What it tries to make you do: Click on a link and tell them your eBay and PayPal username and password, and your credit/debit card information.
You can see how this actually appears on the APWG site.
2. Your account at eBay has been suspended
The bait: An email that looks as if it comes from eBay saying your account has been suspended and "We had to block your eBay account."
What it tries to make you do: Click on a link and tell them your eBay and PayPal username and password, and your credit/debit card information.
You can see how this actually appears on the APWG site.
3. Your account at Wells Fargo has been suspended
The bait: An email that looks as if it comes from Wells Fargo saying your account has been suspended and "Your account has been compromised by outside parties."
What it tries to make you do: Click on a link and tell them your username, password, and credit card information.
You can see how this actually appears on the APWG site.
4. Notification of US Bank Internet Banking
The bait: An email that looks as if it comes from US Bank saying, "as a preventative measure, we have temporarily limited access to some features."
What it tries to make you do: Click on a link and tell them username, password, credit card data or debit card data.
You can see how this actually appears on the APWG site.
5. Attn: Citibank Update
The bait: A "Click here" link in an email that seems to come from Citibank.
What it tries to make you do: Click on a link and tell them personal information and credit card or debit card data.
You can see how this actually appears on either the Fraud Watch International Web site or on APWG.
6. Confirm AOL Billing Info
The bait: An email that seems to come from AOL saying your billing information is out of date and asking you to "spend several minutes and update your billing records."
What it tries to make you do: Click on a link and tell them personal information and credit card or debit card data.
You can see how this actually appears on the APWG site.
III. Emails from people trying to fool you into hurting yourself or your friends and coworkers
1. jdbg Hoax
The bait: An email telling you about a virus and how to remove it. Example subject: "jdbg" Virus: how to detect and remove. It may also talk about finding a teddy bear on the machine, because the file has a bear as its icon.
What it is trying to make you do: Remove a file that is not harmful.
You can find more information on the Symantec Web site.
SANS extends its thanks to the 175 organizations that helped develop the format and content of this alert. Special thanks go to CipherTrust for providing lists of the most important threats. Copyright 2004, The SANS Institute. Permission is granted to copy and redistribute this material to whomever it will help.

