Fake USPS e-mail checks user IP to evade cloud URL filters

E-mail remains a popular method for distributing malware because a scammer can try a variety of tricks to get users to launch it. One of the most common involves placing the infection inside a Zip attachment and making the e-mail imitate an overdue invoice, a parcel delivery failure notification, an eFax message or something else the recipient is expected to open.

With some providers such as Gmail blocking attachments that contain any type of executable, the latest scams are turning back to links that download the file through the user's web browser, such as the following example:


USPS Fake e-mail

One problem with this technique is that cloud-based URL scanners and bots often pick up on these links, particularly once users report them. So the scammers now use a dynamic link that is different in each e-mail: the host name can stay the same while the rest of the URL is unique, so blocking one reported link does nothing for the next.

So what happens when a cloud-based URL filter checks such a link? It will most likely get a 404 error. From our analysis, it appears that the malware host checks the IP address of whatever is requesting the file to make sure it belongs to a consumer ISP rather than a hosting provider. For example, when we submitted the URL to VirusTotal, it reported "Response code : 404" and found nothing suspicious across the range of security products it tests against. Sure enough, when we tested the link while connected to the HMA VPN service we got the following, since HMA's servers hide the user behind an IP address issued by their hosting provider:


USPS Fake e-mail link HMA

We tried a handful of HMA servers across several countries but kept getting the same 404 error, which gives a fairly convincing impression that the link is broken. That changed when we tried the link while connected to an Irish HMA server: HMA uses Digiweb hosting in Ireland, and Digiweb also runs a consumer ISP, so its addresses pass the host's check. This time we got a download window:

USPS Fake e-mail link Direct


Going by the file name, it appears that the host customises the download with a country code, in this case 'IE', since it was requested from an Irish IP address. When we retested the link a few hours later it served a different file, so another advantage for the scammer is that the malware is freshly built and less likely to be detected by many antivirus products.
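To make the gating behaviour concrete, here is a small model of what the malware host appears to do, written as an added example for this article and not code recovered from the scammer's server. It assumes a lookup table mapping source networks to "hosting" or "ISP" (a real operator would use an ASN or organisation feed); the prefixes are RFC 5737 documentation ranges, the country codes and the `USPS_Label_` file-name pattern are constructed, and the `build` counter stands in for the "different file a few hours later" observation.

```python
"""Model of IP-gated malware delivery: hosting/cloud requesters get a 404,
consumer-ISP requesters get a per-link, per-build file name with a country code.
Added example; the table, prefixes and file-name pattern are constructed."""
import hashlib
import ipaddress

# Constructed lookup table. RFC 5737 documentation ranges stand in for real
# allocations: one "hosting" network (VPN exits, cloud scanners, sandboxes)
# and two consumer-ISP networks tagged with the country the host would use.
NETWORK_TYPES = {
    ipaddress.ip_network("192.0.2.0/24"):    ("hosting", None),  # VPN / cloud provider
    ipaddress.ip_network("198.51.100.0/24"): ("isp", "US"),      # consumer ISP, United States
    ipaddress.ip_network("203.0.113.0/24"):  ("isp", "IE"),      # consumer ISP, Ireland
}


def classify(ip: str):
    """Return (kind, country_code) for the network that owns `ip`."""
    addr = ipaddress.ip_address(ip)
    for net, (kind, cc) in NETWORK_TYPES.items():
        if addr in net:
            return kind, cc
    return "unknown", None


def serve(ip: str, token: str, build: int):
    """Behave like the gated host: (404, None) for non-ISP requesters,
    otherwise (200, file name) unique to the link token and current build.

    token: the per-e-mail unique part of the dynamic link.
    build: counter the operator bumps when a fresh sample is rolled out.
    """
    kind, cc = classify(ip)
    if kind != "isp":
        # Scanners, sandboxes and VPN exits see a broken link.
        return 404, None
    digest = hashlib.sha256(f"{token}:{build}".encode()).hexdigest()[:8]
    return 200, f"USPS_Label_{cc}_{digest}.zip"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "203.0.113.7"):
        print(ip, classify(ip), serve(ip, "abc123", build=1))
```

The practical consequence is that a URL submitted to a cloud scanner, or fetched through a commercial VPN, tells you nothing: the host is answering the scanner honestly with a 404. To reproduce such a download you need an egress address that the host classifies as a consumer ISP, and the sample you receive may already differ from the one a victim got hours earlier.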

Like most malicious attachments, this Zip file contains an executable which, once extracted, is disguised with a Word icon. The icon is slightly blurred, probably to defeat antivirus products that check whether an executable carries a familiar PDF, Word, video or similar icon. The screenshot below shows the properties of this file:

Fake document properties

When we uploaded each Zip file to VirusTotal for a quick check, just 4 of the more than 50 antivirus engines flagged one as infected, and 9 flagged the other.

Our advice is to check the e-mail carefully before opening any attachment or link. If the e-mail does not greet you by name, it is most likely a scam. If the e-mail contains a Zip attachment, or the provided link delivers a Zip file, delete it unless you are expecting a Zip file from someone you know (e.g. several images). To date, every legitimate courier notice we have seen mentions the recipient's details and tracking number right in the body of the e-mail, so discard any delivery notice that does not quote the tracking number in the e-mail text.

We also strongly recommend showing file extensions if they are not already displayed. To do this on Windows, open the Control Panel, go to Folder Options, open the 'View' tab, clear the checkbox for "Hide extensions for known file types" and click 'OK'. With extensions hidden, a file named "invoice.doc.exe" is shown simply as "invoice.doc". With extensions shown, if such a Zip file is accidentally extracted the file extension gives a fairly good indication of what is fake, unlike the screenshot above where one would have no clue, particularly had the scammer used a better-quality icon. Most malicious attachments contain files ending in .exe, .scr, .com, .lnk or .cpl. If you are unfamiliar with an extension, look it up online, as there are many other potentially dangerous file extensions.
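The same checks can be automated before anyone double-clicks. The following script, an added example rather than anything from the article or a vendor product, inspects a Zip archive in memory and flags members by three rules: a dangerous extension (the list above plus a few other Windows executable types), a double extension such as "invoice.doc.exe" that hides the real type when extensions are not shown, and a PE "MZ" header on a member whose name claims to be a document. The sample archive it builds is constructed for the demonstration; the "MZ" members are two-byte stubs, not real executables.

```python
"""Flag disguised executables inside a Zip attachment.
Added example; the sample archive is constructed, not a real malware Zip."""
import io
import zipfile

# Extensions the article lists as typical for malicious attachments, plus a
# few other types Windows will execute on double-click.
DANGEROUS_EXT = {".exe", ".scr", ".com", ".lnk", ".cpl",
                 ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Document-like extensions a scammer hides an executable behind.
DECOY_EXT = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".txt"}


def suspicious_members(zip_bytes: bytes):
    """Return [(member_name, [reasons])] for archive members that look dangerous."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().rsplit(".", 2)      # keep up to the last two extensions
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []

            # Rule 1: the real (last) extension is executable.
            if ext in DANGEROUS_EXT:
                reasons.append(f"executable extension {ext}")

            # Rule 2: "report.doc.exe" displays as "report.doc" when extensions are hidden.
            if len(parts) == 3 and ("." + parts[1]) in DECOY_EXT:
                reasons.append("double extension hides real type")

            # Rule 3: a PE image (DOS 'MZ' header) under a non-executable name.
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ" and ext not in DANGEROUS_EXT:
                reasons.append("PE header under a non-executable extension")

            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a fake PE with a double extension, a benign
    text file, and a fake PE renamed to .pdf. Not a real malware archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("USPS_Label_IE.doc.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"nothing to see here")
        zf.writestr("report.pdf", b"MZ" + b"\x90" * 10)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_zip()):
        print(f"{member}: {', '.join(why)}")
```

Rule 3 is the one worth keeping even if the others are tuned down: it does not care what the file is called or which icon it carries, only whether the bytes are a Windows executable.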
