Do you use an anti-virus software?
Veltliner
Mac Elite
Join Date: Nov 2006
Location: here
Oct 5, 2010, 12:20 AM
 
So far, I don't.

Only today I had a weird experience. I got one of those phishing mails, and reported it to us-cert.

I got a mail back from them with a confirmation number, and the invitation to copy and paste the link below to get more security tips. When I tried to highlight it, the link was actually downloading a pdf, which contained security tips by us-cert.

What really puzzled me: what if something else got downloaded too, like a trojan horse or a keystroke logger? Would I notice it?

And was this email coming from a government agency, or from a scammer?

I called the number on the email to see if someone would pick up.

Someone did pick up. A really calm, and a bit sleepy guy. No background noise. Didn't sound like an office. Could have been anywhere. I asked him about the mail.

I gave him the confirmation number from the email and he said it was fake.

But the email came within a minute after my reporting the phishing mail, so there has to be a connection.

Things got stranger from there. He was asking me several times if I was Mr. Caplin.

Movie buffs know that Caplin is the guy Cary Grant is looking for in "North by Northwest" - and who doesn't exist, as he's an invention by government agents.

The guy on the phone could not/or would not give me any ID number.

I sent the phishing mail again to the email address he gave me, and which was the same as on a government website (US CERT).

This was such a strange experience. I sometimes had the impression that I was the target of federal agent humor (Mr. Caplin), and at other times I could see a really good scammer relaxing on his bed and playing with that caller.

Well, I'm a writer as well, and making up stories is part of what I do. Just here the story was making itself up. I didn't have to do a lot.

This has made me think about getting anti-virus software. I know, there are no Mac viruses. But what about Trojan Horses and keystroke loggers?

Do you have such a software?

Is McAfee best?

From what I got today nobody should be online without some kind of scanning software.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Oct 5, 2010, 12:39 AM
 
You reported spam to us-cert ?

WHY ?

-t
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 5, 2010, 12:45 AM
 
Learn how to check the full headers for the envelope address. If it doesn't match the domain of the from header, it's bogus.

Don't bother trying to report your phishing emails anywhere, there are too many of them for anybody to really care about anymore, I think.

You can get a trojan on your Mac, but instead of relying on software to prevent you from doing something foolish, I would start with learning what you can (this thread is a good start!). You were right for being suspicious, you just need to learn how to track the envelope address.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 5, 2010, 12:48 AM
 
Are you Mr. Caplin by the way?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 5, 2010, 12:52 AM
 
For those wanting info on envelope addresses, look at the full headers of one of the notifications sent to you from this forum. Look for the following:

Received: from postoffice.macnn.com (kermit.macnn.com [207.58.150.170])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by mySMTPserver (myMTA) with ESMTPS id 15051B9A8
for <myemailaddress>; Mon, 4 Oct 2010 23:02:26 -0400 (EDT)
In this case the MacNN SMTP server is postoffice.macnn.com, and the server that sent this message to the SMTP server is kermit.macnn.com - it's IP address 207.58.150.170. This cannot be easily forged, it is meaningful. If the domain of the SMTP or origin server doesn't match the domain of the sender, look up the IP address to see what ISP controls this netblock and where it resides. Oftentimes these spam/phishing attacks reside outside of the US - obviously the US-cert is not going to be sending you emails from Korean servers! Use common sense here in determining whether this is legit. Most of the time it will be pretty obvious once you get this far.
     
Veltliner  (op)
Mac Elite
Join Date: Nov 2006
Location: here
Oct 5, 2010, 03:13 AM
 
Originally Posted by turtle777 View Post
You reported spam to us-cert ?

WHY ?

-t
I reported a phishing email.
     
Veltliner  (op)
Mac Elite
Join Date: Nov 2006
Location: here
Oct 5, 2010, 03:18 AM
 
Originally Posted by besson3c View Post
Are you Mr. Caplin by the way?
My credit card says so.

I don't know who's paying the bills.

The FBI probably.
     
Veltliner  (op)
Mac Elite
Join Date: Nov 2006
Location: here
Oct 5, 2010, 03:28 AM
 
Originally Posted by besson3c View Post
For those wanting info on envelope addresses, look at the full headers of one of the notifications sent to you from this forum. Look for the following:



In this case the MacNN SMTP server is postoffice.macnn.com, and the server that sent this message to the SMTP server is kermit.macnn.com - it's IP address 207.58.150.170. This cannot be easily forged, it is meaningful. If the domain of the SMTP or origin server doesn't match the domain of the sender, look up the IP address to see what ISP controls this netblock and where it resides. Oftentimes these spam/phishing attacks reside outside of the US - obviously the US-cert is not going to be sending you emails from Korean servers! Use common sense here in determining whether this is legit. Most of the time it will be pretty obvious once you get this far.

This email looks a bit different.

But it has four or five received: <a web page here>, all with us-cert.gov at the end and a lot of IP addresses.

So, I think it was all fine, even though the agent I was talking to said the report number was fake.

I looked up two of the IP addresses.

One was from us-cert. Even the neighborhood was called us-cert.

The other ones couldn't be established, not even the country.

Lots of weird names of other senders/recipients like Mekong and Excalibur in the header.
     
Doofy
Clinically Insane
Join Date: Jul 2005
Location: Vacation.
Oct 5, 2010, 06:55 AM
 
Install Little Snitch. Then sleep soundly.
Been inclined to wander... off the beaten track.
That's where there's thunder... and the wind shouts back.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Oct 5, 2010, 08:41 AM
 
Originally Posted by turtle777 View Post
You reported spam to us-cert ?

WHY ?

-t
Phishing attacks are very different from spam - spam is an unsolicited ad, sometimes masked as something like a testimonial or "free offer," while a phishing attack is digital fraud. I report phishing attacks to the company/agency that is being impersonated. This helps them identify who is doing the attacks and often helps them warn other, less well-informed customers about the risk.

Just an "antivirus" package won't help with fraudulent emails or phishing attacks. You need something that helps do what besson3c described. A cynical eye for whether or not an email is genuine is a good substitute, followed by besson's suggested approach for verifying the source of an email. Further, NO VALID BANK OR CREDIT CARD COMPANY will EVER ask you to provide personal information in an unsolicited email. People still fall for "please confirm your user name and password" phishing emails...it's sad. If your bank really does need to contact you by email, they will almost certainly ask you to log onto their site manually, or at least give some simple process for you to verify that you're really going to their site if you use their link. And it's ALWAYS a good idea to READ THE URL that goes with any email's links BEFORE you click on them.

Glenn -----OTR/L, MOT, Tx
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 5, 2010, 12:18 PM
 
Originally Posted by Veltliner View Post
This email looks a bit different.

But it has four or five received: <a web page here>, all with us-cert.gov at the end and a lot of IP addresses.

So, I think it was all fine, even though the agent I was talking to said the report number was fake.

I looked up two of the IP addresses.

One was from us-cert. Even the neighborhood was called us-cert.

The other ones couldn't be established, not even the country.

Lots of weird names of other senders/recipients like Mekong and Excalibur in the header.


Feel free to post the headers here, if you'd like...
     
Veltliner  (op)
Mac Elite
Join Date: Nov 2006
Location: here
Oct 6, 2010, 12:12 AM
 
Originally Posted by besson3c View Post
Feel free to post the headers here, if you'd like...
Here's the header.

I replaced my email with "[email protected]" and the server name with "server01.myhost.net"

It looks genuine, but the man on the phone said the incident call number is a fake.

header starts below this line

-----------------------
From: [email protected]
Subject: Follow-Up on Incident call number: PH0000000756729 regarding 05-Scans/Probes/Attempted Access Social Engineering - Phishing
Date: October 4, 2010 10:04:35 AM PDT
To: [email protected]
Reply-To: [email protected]
Return-Path: <[email protected]>
Envelope-To: [email protected]
Delivery-Date: Mon, 04 Oct 2010 13:04:36 -0400
Received: from daphne.brass.us-cert.gov ([208.73.187.78]) by server01.myhost.net with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <[email protected]>) id 1P2oSp-0007Yk-W1 for [email protected]; Mon, 04 Oct 2010 13:04:36 -0400
Received: from daphne.brass.us-cert.gov (localhost.localdomain [127.0.0.1]) by postfix.imss71 (Postfix) with ESMTP id 5D8053F092 for <[email protected]>; Mon, 4 Oct 2010 17:02:24 +0000 (UTC)
Received: from yabba.bronze.us-cert.gov (yabba.bronze.us-cer.gov [192.168.2.22]) by daphne.brass.us-cert.gov (Postfix) with ESMTP id 424133F08F for <[email protected]>; Mon, 4 Oct 2010 17:02:24 +0000 (UTC)
Received: from needle.bronze.us-cert.gov (unknown [192.168.16.109]) by yabba.bronze.us-cert.gov (Postfix) with ESMTP id 1BBDB3004F for <[email protected]>; Mon, 4 Oct 2010 17:04:36 +0000 (UTC)
Received: from MEKONG.bronze.us-cert.gov ([192.168.2.161]) by needle.bronze.us-cert.gov with Microsoft SMTPSVC(6.0.3790.4675); Mon, 4 Oct 2010 12:04:35 -0500
Received: from excalibur ([192.168.2.181]) by MEKONG.bronze.us-cert.gov with Microsoft SMTPSVC(6.0.3790.4675); Mon, 4 Oct 2010 13:04:34 -0400
Message-Id: <24183617.1286211875166.JavaMail.SYSTEM@excalibur>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_15408_21325582.1286211875119"
X-Priority: 0
X-Originalarrivaltime: 04 Oct 2010 17:04:34.0892 (UTC) FILETIME=[385518C0:01CB63E6]
X-Tm-As-Product-Ver: IMSS-7.1.0.1224-6.0.0.1038-17680.004
X-Tm-As-Result: No--1.781-5.0-31-1
X-Imss-Scan-Details: No--1.781-5.0-31-1
X-Spam-Status: No, score=2.5
X-Spam-Score: 25
X-Spam-Bar: ++
X-Spam-Flag: NO
     
Veltliner  (op)
Mac Elite
Join Date: Nov 2006
Location: here
Oct 6, 2010, 12:17 AM
 
Originally Posted by ghporter View Post
Phishing attacks are very different from spam - spam is an unsolicited ad, sometimes masked as something like a testimonial or "free offer," while a phishing attack is digital fraud. I report phishing attacks to the company/agency that is being impersonated. This helps them identify who is doing the attacks and often helps them warn other, less well-informed customers about the risk.

Just an "antivirus" package won't help with fraudulent emails or phishing attacks. You need something that helps do what besson3c described. A cynical eye for whether or not an email is genuine is a good substitute, followed by besson's suggested approach for verifying the source of an email. Further, NO VALID BANK OR CREDIT CARD COMPANY will EVER ask you to provide personal information in an unsolicited email. People still fall for "please confirm your user name and password" phishing emails...it's sad. If your bank really does need to contact you by email, they will almost certainly ask you to log onto their site manually, or at least give some simple process for you to verify that you're really going to their site if you use their link. And it's ALWAYS a good idea to READ THE URL that goes with any email's links BEFORE you click on them.
It's best practice never to use a link to go to a bank website but navigate to it.

In regards to keystroke loggers and spy software/Trojan Horses: how can you make sure you don't have them already sitting in your system?

Would Doofy's "Little Snitch" help? Would McAfee's anti-virus help?

I mean, could malware come to your computer through a pdf? (Happens sometimes: you click on a google search result, and instead of going to a web page you download a pdf.)

(This incident, which happened when I was already halfway out the door and just wanted to quickly report a phishing, woke me up.)
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 6, 2010, 12:52 AM
 
Little Snitch will help monitor outgoing network requests which is definitely useful since trojans zombify by communicating with controlling machines.

Your headers look good, the email seems legit.

There is no magic bullet for guaranteeing security, unfortunately. You could, in theory, get a trojan in several different ways. Little Snitch is a great start...
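
Added example (not part of any post in this thread): the envelope check besson3c describes, applied in Python to a constructed copy of the header posted above. The mailbox addresses, which the page shows only as obfuscated placeholders, are replaced with made-up ones, and `my_servers` is an assumption naming the reader's own receiving mail server.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample: the Received lines follow the header posted in the thread;
# the obfuscated mailbox addresses are replaced with made-up placeholders.
SAMPLE = """\
Return-Path: <sender@us-cert.gov>
Received: from daphne.brass.us-cert.gov ([208.73.187.78]) by server01.myhost.net with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <sender@us-cert.gov>) id 1P2oSp-0007Yk-W1 for me@myhost.net; Mon, 04 Oct 2010 13:04:36 -0400
Received: from daphne.brass.us-cert.gov (localhost.localdomain [127.0.0.1]) by postfix.imss71 (Postfix) with ESMTP id 5D8053F092 for <me@myhost.net>; Mon, 4 Oct 2010 17:02:24 +0000 (UTC)
Received: from yabba.bronze.us-cert.gov (yabba.bronze.us-cer.gov [192.168.2.22]) by daphne.brass.us-cert.gov (Postfix) with ESMTP id 424133F08F for <me@myhost.net>; Mon, 4 Oct 2010 17:02:24 +0000 (UTC)
Received: from needle.bronze.us-cert.gov (unknown [192.168.16.109]) by yabba.bronze.us-cert.gov (Postfix) with ESMTP id 1BBDB3004F for <me@myhost.net>; Mon, 4 Oct 2010 17:04:36 +0000 (UTC)
Received: from MEKONG.bronze.us-cert.gov ([192.168.2.161]) by needle.bronze.us-cert.gov with Microsoft SMTPSVC(6.0.3790.4675); Mon, 4 Oct 2010 12:04:35 -0500
Received: from excalibur ([192.168.2.181]) by MEKONG.bronze.us-cert.gov with Microsoft SMTPSVC(6.0.3790.4675); Mon, 4 Oct 2010 13:04:34 -0400
From: sender@us-cert.gov
To: me@myhost.net
Subject: Follow-Up on Incident call number

body
"""

# "from <name> ([ip])" or "from <name> (<reverse-name> [ip])"
FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9A-Fa-f:.]+)\]\)")
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")


def parse_hops(raw):
    """Return (message, hops); hops are newest first, one per Received header."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        m_from = FROM_RE.search(text)
        m_by = BY_RE.search(text, m_from.end()) if m_from else None
        if not m_by:
            continue
        try:
            ip = ipaddress.ip_address(m_from["ip"])
        except ValueError:
            continue                            # not a usable address
        hops.append({"helo": m_from["helo"].lower(), "ip": ip,
                     "by": m_by["by"].lower()})
    return msg, hops


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def assess(raw, my_servers):
    """Find the hop where mail entered our own server and compare it to the sender."""
    msg, hops = parse_hops(raw)
    address = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1]
    sender_domain = address.rpartition("@")[2].lower()
    # Only headers stamped by our own server, counted from the top, are trusted.
    # Everything below was written by machines the sender controls.
    n = 0
    while n < len(hops) and hops[n]["by"] in my_servers:
        n += 1
    if n == 0:
        return None                             # nothing stamped by our server
    handoff = hops[n - 1]
    return {
        "sender_domain": sender_domain,
        "handoff_host": handoff["helo"],
        "handoff_ip": str(handoff["ip"]),       # the address worth looking up
        "handoff_in_sender_domain": in_domain(handoff["helo"], sender_domain),
        "unverifiable_hops": len(hops) - n,
        "internal_hops": sum(h["ip"].is_private for h in hops[n:]),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE, {"server01.myhost.net"}).items():
        print(f"{key}: {value}")
```

Only the top hop is stamped by the recipient's own server, so 208.73.187.78 is the address to look up. The 127.0.0.1 and 192.168.x.x hops are loopback and private addresses, so a lookup returns no owner or country for them.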
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Oct 6, 2010, 08:15 AM
 
Originally Posted by Veltliner View Post
It's best practice never to use a link to go to a bank website but navigate to it.
Absolutely. Use your bookmark or type the URL.

Originally Posted by Veltliner View Post
In regards to keystroke loggers and spy software/Trojan Horses: how can you make sure you don't have them already sitting in your system?
On a Mac, the user has to explicitly allow software of any kind to install. Unless you've agreed to let something install, it's almost certainly not there. This is quite unlike Windows (especially through XP), which could easily install executable code without your knowledge or permission.

Originally Posted by Veltliner View Post
Would Doofy's "Little Snitch" help? Would McAfee's anti-virus help?

I mean, could malware come to your computer through a pdf? (Happens sometimes: you click on a google search result, and instead of going to a web page you download a pdf.)

(This incident, which happened when I was already halfway out the door and just wanted to quickly report a phishing, woke me up.)
Little Snitch tells the user when there's traffic going out - you look at the app that's communicating and decide if it's supposed to be doing this. You can then block any outside connections from anything you don't want "phoning home." McAfee? Maybe. I have had difficulty using McAfee for a lot of things; its interface is not built around the way I think of antivirus or anti-spyware functions. I much prefer Symantec's AV products (especially the corporate ones) because of their integration and ease of use, and I've never seen a real performance hit from running these packages, either on a PC or a Mac. (The consumer Norton AV for Mac is a different issue - I have no personal experience with it.)

On a Mac, you can't really encounter a problem from opening a PDF online. This is because those potentially "malicious" PDFs would have to get through the OS X security model which basically disallows execution of arbitrary code without specific user approval. What you're referring to as "happens sometimes" is exactly what Google does - if your search term is found in the online PDF, Google links to that PDF. Nothing shady about that at all. Opening a PDF is benign in OS X, especially if you only use Preview to do it.

Glenn -----OTR/L, MOT, Tx
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Oct 6, 2010, 08:31 AM
 
Not quite:

The PDF vulnerability in Adobe Reader affected Macs as well and allowed random code execution.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 6, 2010, 11:39 AM
 
Originally Posted by ghporter View Post
On a Mac, the user has to explicitly allow software of any kind to install. Unless you've agreed to let something install, it's almost certainly not there. This is quite unlike Windows (especially through XP), which could easily install executable code without your knowledge or permission.

Technically this is not quite correct. You can run apps or daemons/processes out of your home directory without entering your root password to grant the app permission.
     
Doofy
Clinically Insane
Join Date: Jul 2005
Location: Vacation.
Oct 6, 2010, 11:40 AM
 
Avoid Intego stuff, BTW. It's like a virus in itself.
Been inclined to wander... off the beaten track.
That's where there's thunder... and the wind shouts back.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Oct 6, 2010, 12:34 PM
 
How so?
     
Doofy
Clinically Insane
Join Date: Jul 2005
Location: Vacation.
Oct 6, 2010, 12:39 PM
 
Puts that many hooks into the system that in order to stop it pestering you, you end up doing a nuke and pave.
Been inclined to wander... off the beaten track.
That's where there's thunder... and the wind shouts back.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Oct 6, 2010, 01:08 PM
 
Originally Posted by besson3c View Post
Technically this is not quite correct. You can run apps or daemons/processes out of your home directory without entering your root password to grant the app permission.
Does that include subdirectories, like Downloads? I have had things try to download, and had things download (usually on purpose), but nothing's actually been able to run itself, by itself - I've always been prompted to authenticate first. Have I simply missed really well written bad stuff?

Glenn -----OTR/L, MOT, Tx
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 6, 2010, 02:45 PM
 
Originally Posted by ghporter View Post
Does that include subdirectories, like Downloads? I have had things try to download, and had things download (usually on purpose), but nothing's actually been able to run itself, by itself - I've always been prompted to authenticate first. Have I simply missed really well written bad stuff?

No, it's not badly written stuff...

Stuff that asks you to authenticate wants to install pieces for *all* users of that computer - usually components that go in /Applications, /usr, /Library, etc.

However, if you were to download a standalone application, say Firefox or something, something that just ships on a disk image that you have to drag yourself into the Applications folder for instance, you could put this application anywhere in your home directory (including subdirectories) and just run it there without having to authenticate at all. It is possible that by invoking this code a trojan will be installed into your home directory somewhere that will phone home.

I've been trying to come up with good succinct advice for the original poster about this because I have people asking me about this too and what they ought to do to prevent getting some sort of infection. The answer is that it's complicated...

I think too many Mac users operate in an older mindset that the stuff we have to be worried about is the self-replicating stuff that piggybacks on Windows, perhaps is caught through Outlook Express or whatever. From what I understand that is all pretty old school.

From what I understand now the big game is phishing, spyware, and trojans. Spyware we can pretty much cross off the list since the majority of that crap is IE based. However, phishing is all about platform agnostic social engineering, and trojans can be written for any operating system (and websites where you would download such a thing can easily detect what OS you are running).

A trojan could be something malicious like deleting stuff, although I believe that is pretty uncommon since simply making life inconvenient for you isn't as interesting to the people making these as the money making potential. Most trojans, AFAIK, will do stuff like phone home to a botnet and send out a lot of spam and phishing emails through its own built-in SMTP mailer. As many have read, there are gobs and gobs of machines that have been turned into zombies this way; when I used to work at a university many students were not even aware of this. What is attractive to phishers and spammers is committing murder with somebody else's murder weapon. They don't give a rat's ass how important or unimportant the stuff is that is on your computer, they just want to do their own thing anonymously using your gear/murder weapon. Well designed trojans are likely set up so that you will barely even notice this.

All of this being said, I don't like to make people crap their pants. Yes, all of this is not terribly likely, Windows is still probably a more attractive target, yadda yadda. However, not executing strange things is still a good idea. If you do not know how to look at what processes are running and manage this, Little Snitch is a nice little watchdog.

It is also a good idea to be savvy about what services you have that are open and listening to connections from the outside world. This won't affect most people because most are behind routers where ports are not being forwarded, aren't running servers in the first place, etc. but for the small number that are it is wise to understand that running web applications such as WordPress and leaving these unattended can cause problems. I have seen older versions of WordPress compromised on my own machines and starting up IRC clients. Out-of-date versions of WordPress are far from the only web app that is compromisable, you can compromise PHP, Apache, or pretty much anything else that is exposed to the world. I have seen a *ton* of web based forms be compromised to send out email, a ton of cross site scripting to pull from databases, etc. Web based exploits are a pretty big deal...

In other words, if you are tinkering around and doing stuff, either learn enough to secure your server or shut it down when you are done. It is so easy to kind of forget about something like this and leave it unattended for a while.

To the original poster, I would suggest just learning what you can, don't be paranoid about stuff and do the equivalent of wearing multiple condoms when you have sex, but just be generally smart and aware.
     
Veltliner  (op)
Mac Elite
Join Date: Nov 2006
Location: here
Oct 6, 2010, 02:57 PM
 
Originally Posted by ghporter View Post

On a Mac, you can't really encounter a problem from opening a PDF online. This is because those potentially "malicious" PDFs would have to get through the OS X security model which basically disallows execution of arbitrary code without specific user approval. What you're referring to as "happens sometimes" is exactly what Google does - if your search term is found in the online PDF, Google links to that PDF. Nothing shady about that at all. Opening a PDF is benign in OS X, especially if you only use Preview to do it.
Originally Posted by besson3c View Post
Technically this is not quite correct. You can run apps or daemons/processes out of your home directory without entering your root password to grant the app permission.
Hm. So could malware come embedded in a pdf, or not?

Originally Posted by besson3c View Post
However, if you were to download a standalone application, say Firefox or something, something that just ships on a disk image that you have to drag yourself into the Applications folder for instance, you could put this application anywhere in your home directory (including subdirectories) and just run it there without having to authenticate at all. It is possible that by invoking this code a trojan will be installed into your home directory somewhere that will phone home.
This would at least mean that you consciously install software on your computer, password or no password.
( Last edited by Veltliner; Oct 6, 2010 at 03:05 PM. )
     
Veltliner  (op)
Mac Elite
Join Date: Nov 2006
Location: here
Oct 6, 2010, 03:00 PM
 
Originally Posted by Doofy View Post
Avoid Intego stuff, BTW. It's like a virus in itself.
Intego stuff? What is this exactly?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 6, 2010, 03:03 PM
 
Originally Posted by Veltliner View Post
Hm. So could malware come embedded in a pdf, or not?

Yes, it could also come in an image or probably any other data type.
     
Doofy
Clinically Insane
Join Date: Jul 2005
Location: Vacation.
Oct 6, 2010, 03:03 PM
 
Originally Posted by Veltliner View Post
Intego stuff? What is this exactly?
Intego - Leading Security Software for Mac OS X
Avoid. It's a nightmare.
Been inclined to wander... off the beaten track.
That's where there's thunder... and the wind shouts back.
     
Veltliner  (op)
Mac Elite
Join Date: Nov 2006
Location: here
Oct 6, 2010, 03:08 PM
 
Originally Posted by besson3c View Post
I have seen older versions of WordPress compromised on my own machines and starting up IRC clients. Out-of-date versions of WordPress are far from the only web app that is compromisable, you can compromise PHP, Apache, or pretty much anything else that is exposed to the world. I have seen a *ton* of web based forms be compromised to send out email, a ton of cross site scripting to pull from databases, etc. Web based exploits are a pretty big deal...
I see: do not operate outdated software that connects to the web.

Would an FTP application like Fetch be another such candidate?

I started this thread because I was feeling I was going over the top and needed to replace fear with facts.

I will install Little Snitch as a start. Thanks for the Symantec tip.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 6, 2010, 03:14 PM
 
Originally Posted by Veltliner View Post
I see: do not operate outdated software that connects to the web.

Would an FTP application like Fetch be another such candidate?

I started this thread because I was feeling I was going over the top and needed to replace fear with facts.

I will install Little Snitch as a start. Thanks for the Symantec tip.

WordPress does not connect to the web, it is a web application that runs on the web.

An FTP application like Fetch is more a risk if you use FTP at all rather than SFTP, but yes, the application itself could in theory be compromised. However, when you download software from the web it includes a digital signature called a "checksum" that I *believe* the OS X installer uses to make sure the application hasn't been altered - even changing a single character would change the md5 checksum hash.

If you are concerned about whether applications you download have been tampered with, you might want to learn about how to find the checksum on the site you download the app from (if they provide one) and how to compare this against the checksum you can verify on your own with the file you have downloaded.

Security is based on trust, a lot of this is going to come back to gut feeling since most of us don't take the time to verify everything. Still, knowing how to verify stuff is useful.
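
Added example (not part of besson3c's post): comparing a downloaded file against a published checksum line, in Python. The file name `Example.dmg`, the `digest  filename` line format and the use of SHA-256 are assumptions made for this sketch; a checksum read from the same page as the download is only as trustworthy as that page.

```python
import hashlib
import hmac
import os
import tempfile

# Hex-digest length identifies the algorithm a published line uses.
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def file_digest(path, algorithm="sha256", chunk_size=1 << 16):
    """Hash a file in chunks so large downloads are not read into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """Split 'HEXDIGEST  filename' (the md5sum/shasum layout) into its parts."""
    digest, _, name = line.strip().partition(" ")
    return digest.lower(), name.strip().lstrip("*")


def verify_download(path, published_line):
    """True only if the file's digest equals the published one."""
    expected, name = parse_checksum_line(published_line)
    algorithm = ALGO_BY_LENGTH.get(len(expected))
    if algorithm is None or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("not a recognised hex digest")
    if name and name != os.path.basename(path):
        return False                    # the line describes a different file
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def demo():
    """Constructed sample: verify a stand-in download, change one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Example.dmg")          # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"constructed installer bytes\n" * 1000)
        published = f"{file_digest(path)}  Example.dmg"  # what a site would list
        before = verify_download(path, published)
        with open(path, "r+b") as f:                     # alter a single byte
            f.seek(10)
            f.write(b"X")
        after = verify_download(path, published)
    return before, after


if __name__ == "__main__":
    print(demo())
```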
     
Doofy
Clinically Insane
Join Date: Jul 2005
Location: Vacation.
Oct 6, 2010, 03:22 PM
 
Originally Posted by Veltliner View Post
I see: do not operate outdated software that connects to the web.

Would an FTP application like Fetch be another such candidate?

I started this thread because I was feeling I was going over the top and needed to replace fear with facts.

I will install Little Snitch as a start. Thanks for the Symantec tip.
Dude, as long as you've got Little Snitch installed and you're not an idiot (i.e. downloading stuff from obviously dodgy sites or unsolicited emails), you'll be fine.
Been inclined to wander... off the beaten track.
That's where there's thunder... and the wind shouts back.
     
   
 