Criminal actions in the Internet become even more sophisticated. Times are mostly gone, when virus-infested e-mails were written in bad English or German. Professional criminals are sending e-mails with correct spelling and syntax. They are sending e-mails with faked e-mails addresses as senders and are pretending, that the e-mail was send from a known person. Fake sender address are not very new, but actually even more cunning forgeries are seen, where criminals pretend to respond to e-mails, which were really send by the pretended sender previously.

At first that seems to be impossible, but the reason why this is possible is simple: Some varieties of malware are reading e-mails on infected computers and transfer contents of mailboxes (at least partially, i.e. information about senders, receivers, subject and first parts of e-mail content) to the criminals. Based on this stolen information contacts of the first victim are attacked subsequently. The faked sender and the citation of the previous e-mails create increased trust in such e-mails. The attackers are able to use known signatures and style, because they passed previous e-mails and are able to imitate those.

Additionally when embedded links for logins or downloads (of malware) are included, the attackers switch from a simple “Click here” link description, which may raise suspicions with trained users, to a reasonable link description like “http://my-institute.de/download/my_document.pdf” this seems to be a unsuspicious link, but behind the unsuspicious description a very different link my be hidden, like http://my-malware.com/download/malware.exe. The harmless description is only seemingly a link, but in truth only a description like “Click here”.

Furthermore, attackers try to hide malware in encrypted ZIP archives, which virus scanners are unable to analyze. A password is communicate inside the e-mail. Virus scanners usually don’t recognize the password, but the receiver is able to use it, open the archive and execute the contained malware.

Recommendation is again to check data types of attachments and links accurately before clicking on them. Executable files in e-mails should not be accepted and executed and macros in office documents should be prohibited (or only allowed for known files, if this can’t be avoided) and macros should not be allowed later on for files received via e-mail or downloads.

Currently the BSI (Bundesamt für Sicherheit in der Informationstechnik) is warning against this dangers.