Advertisements

Why Friends Don’t Let Friends Run Windows: Product Pictures? Really?

This email worked its way through the filters:

Dear Business Partner,

We are very much interested in some of your product. We try to contact you online but you are not online so we decided to attach the picture of the product we need to dropbox and put it in your offline. Open the bellow link and download the attachment to preview the product we need:

... dropbox url snippage ... /Product%20Pics.rar

Let me know if the product is still available for sale and how much it costs, also tell us the product details.

Regards,
Allen Moore,
Procurement Officer,
International Product Buyers

Well, I don’t generally rebuff the humble, but I don’t have any “product” for sale. Also pulling the suspicion trigger:

  • To: Recipients <Procurement@Officer.com>
  • Subject: Open Attachment For Product Picture

It’s not clear what “attach the picture of the product we need to dropbox and put it in your offline” might mean. Despite the Dropbox URL, the email sported an attachment named Product\ Pics.rar, showing they come from a different universe wherein every operating system has a native RAR extraction program.

Being a dutiful citizen of the Interwebs, I did what the nice man asked:

unrar e Product\ Pics.rar

That produced a single file which RAR described thusly:

Extracting Product Picjpg.SCR

At least that’s what it looked like on the command line. I think they were trying to overwrite the SCR with the jpg, as the file name was really Product Pic<U+202E>RCS.gpj, but the Unicode U+20E bidirectional text control character seems to be in the wrong place. I think they wanted Product Pic.SCR<U+202E>gpj, but I also confess to having no experience with sixth-level Unicode direction reversal rendering.

Anyhow, handing the entire RAR archive to VirusTotal produces the expected result:

VirusTotal - Product Pics malware file

VirusTotal – Product Pics malware file

It’s disconcerting to see ClamAV asleep at the switch on this one, but signature detection has become decreasingly relevant these days.

I opted to not respond to the request..

Advertisements
  1. #1 by madbodger on 2013-08-05 - 08:55

    Apparently .scr extensions are used for screen savers for windows, which are a common vehicle for viruses. This seems to cause some antivirus software to have a knee-jerk reaction to Eagle script files (which use the same extension). The attempted Unicode trick is a new wrinkle, however.

    • #2 by Ed on 2013-08-05 - 09:02

      a knee-jerk reaction to Eagle script files (which use the same extension)

      As if you could depend on the file extension to tell you anything about file’s contents… used to be, they’d pad the extension with a gazillion blanks to push it off to the right, out of the frame, but I suppose Unicode makes that easier.

      A few days ago I spotted a URL with non-ASCII characters, replacing the “c” in “.com” with something that rendered as a cursive. That sort of fakery is now the leading edge of scamming. [sigh]

  2. #3 by Frans on 2013-08-13 - 03:50

    I recently got a spam e-mail of similar persuasion. The Gmail-based e-mail address to which it was sent must be too easy to guess. :P

    Fransdejonge.com Team,

    I thought you might like to know some reasons why you are not getting enough Social Media and Organic search engine traffic for Fransdejonge.com.

    1. Your website Fransdejonge.com is not ranking top in Google organic searches for many competitive keyword phrases.

    2. Your company is not doing well in most of the Social Media Websites.

    3. Your site is not user friendly on mobile devices.

    There are many additional improvements that could be made to your website, and if you would like to learn about them, and are curious to know what our working together would involve, then I would be glad to provide you with a detailed analysis in the form of a WEBSITE AUDIT REPORT for FREE.

    Our clients consistently tell us that their customers find them because they are at the top of the Google search rankings. Being at the top left of Google (#1- #3 organic positions) is the best thing you can do for your company’s website traffic and online reputation. You will be happy to know that, my team is willing to guarantee you 1st page Google ranking for most of your targeted keyword phrases in our six month ongoing campaign.

    Sound interesting? Feel free to email us or alternatively you can provide me with your phone number and the best time to call you. I am also available to meet you in person and present you this website audit report.
    —————————————————————–
    Best Regards,
    Ethan Lim
    SEO Analyst
    … snippage …

    PS I: I am not spamming. I have studied your website and believe I can help with your business promotion. If you still want us to not contact you, you can ignore this email or ask to remove and I will not contact again.

    PS II: I found your site using Google search and after having a look over your website I recommend you to implement future technologies such as HTML5 and Responsive Design to make your site more accessible in mobile phone, tablets, desktop etc.

    I thought the content of “PS I”* was especially amusing.

    * Spammer people, it’s PS and PPS. Add more Ps as you go along!

    • #4 by Ed on 2013-08-13 - 08:39

      Yup, that looks familiar…

      I wonder what would happen if you took them up on the “meet you in person” option? They’d surely want cash up front, then vanish into the woodwork!