
Once a target, always a target: A second look at awareness training in action

Steve Ragan | Oct. 10, 2013
The one constant about user awareness training is that the awareness part is supposed to stick with you. Learning how to spot one type of phishing email is only good for that particular email; the point of awareness is learning to trust your gut when something looks suspicious.

The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor. Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.

ATTACHMENT:

Again, our awareness training drills into our heads that you never open random email attachments or follow random links. The attachment for this email was rather simple: Form.idgenterprise.com.zip

Like the previously covered phishing scam, this too contained a Zeus Trojan variant. Detection was faster this time around, though: 24 of 48 AV engines on VirusTotal flagged the malware for what it is as of early Wednesday morning.

TECHNICAL:

This email likely originated from the same group of bots that sent the last one. As covered in the slideshow that examined the previous campaign's headers, this message also came from a Comcast user, but the headers show sources in Indiana and Florida. Other ISPs were included as well, scattered across the globe.

This scam spoofed the idgenterprise.com domain, but it again used aexp.com in both the Return-Path and the Received header. As mentioned previously, AEXP.com is American Express, and criminals have spoofed this domain many times in the last year, including in several noted phishing attacks. The domain itself is usually whitelisted by network defenses because of the use of corporate credit cards.
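The header pattern described above (a spoofed From domain, a Return-Path and Received hop pointing at a different, whitelisted domain, and a .zip attachment) is something a mail filter or analyst can check mechanically. The following is an added example, not code from the article or from any vendor; it builds a constructed message that mimics the campaign's layout (the hostnames and address are made up) and returns the findings.

```python
"""Header-alignment audit for a suspect phishing email (added example)."""
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

RISKY_SUFFIXES = (".zip", ".exe", ".scr", ".js")


def domain_of(addr_header):
    """Lowercase domain from a From/Return-Path style header value."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def received_from_host(rcv):
    """Claimed sending host from a 'from HOST ... by HOST' Received line."""
    parts = rcv.split()
    return parts[1].lower() if len(parts) > 1 and parts[0].lower() == "from" else ""


def audit(raw):
    """Return (finding, detail) tuples for a raw RFC 5322 message.

    These are signals, not verdicts: legitimate mail sent through a third
    party can also fail the alignment checks, so treat hits as triage input.
    """
    msg = message_from_string(raw, policy=default)
    findings = []
    from_dom, path_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if path_dom and from_dom != path_dom:
        findings.append(("return-path mismatch", f"{from_dom} vs {path_dom}"))
    for rcv in msg.get_all("Received", []):          # first listed = last hop
        host = received_from_host(rcv)
        if host and not host.endswith(from_dom):
            findings.append(("received hop outside From domain", host))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_SUFFIXES):
            findings.append(("risky attachment", name))
    return findings


def sample_message():
    """Constructed sample shaped like the campaign; not a real capture."""
    m = EmailMessage()
    m["From"] = "Accounting <accounting@idgenterprise.com>"
    m["To"] = "staff@idgenterprise.com"
    m["Subject"] = "STD 261 - annual re-signing"
    m["Return-Path"] = "<bounce@aexp.com>"          # differs from From domain
    m["Received"] = ("from mail.aexp.com (relay.invalid [192.0.2.10]) "
                     "by mx.idgenterprise.com; Wed, 9 Oct 2013 08:00:00 -0400")
    m.set_content("Please confirm all employees have a current STD 261 on file.")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="Form.idgenterprise.com.zip")
    return m.as_string()
```

Running `audit(sample_message())` yields three findings: the Return-Path mismatch, the aexp.com relay hop, and the .zip attachment; in production, feed the same function the raw message from your MTA or mailbox.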

For additional technical details, including a list of domains and IPs to block, as well as files dropped, the Malwr report has them.
