Hang Out Your E-mail on the Siegfried Line

When your carefully crafted security defenses fail, it’s a reminder that the technology user remains the final line of defense.  This was brought home to me when I got a sketchy e-mail and decided to see how the defensive layers would work.  In short, they failed.  Lawyers who rely entirely on having applied a system – anti-virus, anti-malware, whatever – may be operating under a false sense of security.

The reality of this e-mail is that I am sufficiently watchful (my kids say “paranoid”) that I wouldn’t have actually opened it.  But it occurred to me that it would be interesting to walk through the steps I tell lawyers THEY should follow, and see what the results were.

The E-mail Address Was Wrong

The first problem was the e-mail address itself.  In many e-mail programs, you can see the sender’s actual address clearly, alongside the display name.  In my case, I only saw the problem when I opened the e-mail.  The sender’s display name, “Steve”, did not match the sender’s actual address, which began “lara”.  Even without reading the e-mail, I knew this was a problem.

In fact, before getting to this point, the weird kerning on the subject line, the fact that it was an unpaid invoice which I wasn’t expecting, and that there was an attachment were all giveaways.  But in a busier environment, I could see where those might be overlooked.
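The display-name check above can be made mechanical.  The following is an added example (not the author’s code, and not any particular mail client’s filter) that parses the From header of a message, flags a display name that shares no word with the mailbox it claims to come from, and, going one step beyond the case in this post, also flags a Reply-To on a different domain than the From address.  The three messages it runs on are constructed for illustration.

```python
"""Flag e-mails whose From display name does not match the mailbox, as in the
'Steve' vs 'lara' case above. Added example, not the author's code; the
messages below are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). Only the headers matter here.
SAMPLES = {
    "invoice": (
        "From: Steve <lara@example.com>\n"
        "Subject: Unpaid   invoice\n"
        "\nPlease review and pay the attached invoice.\n"
    ),
    "colleague": (
        "From: Lara Jones <lara.jones@example.com>\n"
        "Reply-To: lara.jones@example.com\n"
        "Subject: Lunch?\n\nNoon?\n"
    ),
    "replyto_swap": (
        "From: Accounts Payable <accounts.payable@example.com>\n"
        "Reply-To: accounts.payable@example.net\n"
        "Subject: Invoice\n\nSee attached.\n"
    ),
}

def _name_tokens(text: str) -> set:
    """Lower-cased word tokens, e.g. 'Lara Jones' or 'lara.jones' -> {'lara', 'jones'}."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}

def check_sender(raw_message: str) -> list:
    """Return human-readable warnings about the From / Reply-To headers.

    Heuristic only: a legitimate sender can trip it (a nickname, a shared
    mailbox), so the output is a prompt to look harder, not a verdict."""
    msg = message_from_string(raw_message)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    if not addr or "@" not in addr:
        return ["From header has no usable address"]
    local, domain = addr.lower().rsplit("@", 1)
    # Display name shares no word with the mailbox name: "Steve" vs "lara".
    if name and not (_name_tokens(name) & _name_tokens(local)):
        warnings.append(f"display name {name!r} does not match mailbox {addr!r}")
    # Replies silently routed to another domain are a second classic tell.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower().rsplit("@", 1)[-1] != domain:
        warnings.append(f"Reply-To {reply_addr!r} is on a different domain than From {addr!r}")
    return warnings

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_sender(raw) or "no warnings")
```

Run on its own it prints one line per sample; only the “colleague” message comes back clean.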

The Content Was Unlikely

Sage.com is the domain name of an accounting software company (Sage, maker of Simply Accounting), one I have interacted with although I’ve never used its product.  The e-mail had a single line telling me to review and pay the attached invoice, a Microsoft Word document.  There was no contact information.

If I hadn’t already stopped, this would have confirmed for me that it was a bad e-mail.  If there had been a link, this would probably have been a phishing attempt.  I would have clicked the link and probably gone to a Web site that asked for login information.   Once I’d divulged my username and password, I’d be passed on to some other site.

A link can also cause malware, like ransomware, to be downloaded.  In this case, there were no links so the malware was going to be delivered by the Word document.

It’s worth noting that I have turned off the ability for any e-mail I receive to display an image.  Any e-mail I receive is just plain text, until I determine that I want to toggle images to appear.  This stops tracking beacons – where marketers leave a small, blank image in an e-mail that, when it is downloaded, shows I’ve opened their e-mail – as well as any other nefarious images.  We’re seeing e-mail providers start to disable JavaScript in e-mails as well, since it can auto-run when the e-mail is opened.

Security Scans Failed

Normally, even if the e-mail looks entirely legitimate, I advise lawyers to download – not double-click – any attachments and run them against the virus scanner.  So I did this, with the complete expectation that it would flag the file as a problem.

First, I right-clicked on the file and selected the virus scan option.  On Windows 10, Windows Defender is installed by default and a right-click menu will say Scan with Windows Defender.  But we use Symantec’s endpoint security at my company, so the menu is worded slightly differently.  It popped up the virus scanner, checked the file, and reported no problems.

Huh.

Notice something else, though: another warning sign.  I asked the software (below is my Windows Defender result) to scan one file.  It said it had scanned eighteen.  This means that the file is a container holding multiple parts, not a single flat file.  If you were to use a tool to look at the binary contents of the file, like hexdump, you’d see the multiple parts, some of which are images, one of which is the Word document proper, and then some other stuff.

This is one of the reasons some people suggest getting rid of anti-virus software.  Unless you are going to accept that your AV software can fail, you may not be doing yourself any favors.  Personally, I think you should use one but I wouldn’t pay for it.  It’s a foundation, not a fix.

Our company recently installed anti-malware support.  So I repeated the steps – right click, scan for malware – and had the same result.  Nothing.  Whatever this Word document was, it was not obviously infected.

Or was it?  I pointed my web browser to VirusTotal.com and uploaded the file.  VirusTotal runs the file past the engines and definitions of dozens of AV products, so even if your product doesn’t catch it, you can see whether other products would have.  It was immediately identified as a trojan (here a downloader: code that does little on its own, but whose whole purpose is to fetch something that does the real damage).

A quick recap.  If I hadn’t

  • noticed the weird e-mail address
  • wondered about the lack of contact information or content in the message
  • downloaded the file to scan it, rather than just opening it by double-clicking

I would have infected my machine and, potentially, our corporate network.  The additional problem I have is that, even if nothing had tripped my paranoia, my security scans failed to turn up anything.  It is not hard to see a staff person, at this point, opening this attachment.  If the security software says it’s okay, it’s okay, right?

Disable Your Automation

I have written before about people automating their doom.  Microsoft Office macros are hugely useful and are, once again, a favoured attack vector.  Macros are little programs, like mini apps, that run within your Word or Excel programs.  If you’ve ever recorded one, you know how simple they can be.  But they can also be highly programmed and this complexity can be turned against the user.

Normally, you will want your macro security turned on in Microsoft Office apps.  On my home PCs, our setting is the second most secure – disable macros but notify me that they are there, in case I want to run them.  Unfortunately, as is common in many businesses, our macro security is centrally managed by the network team.  Surprisingly, they have set it to accept all macros, all the time.  Since it’s centrally managed, once I open this file, the macro inside will be able to run automatically.

If you have disabled your macros, this infected Word document will do nothing harmful when opened, because the macro never runs.  Even if you or your staff double-clicked without scanning it, you could avoid disaster by ensuring macros can’t run without your approval.
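Because the setting on a managed PC comes from Group Policy, it is worth checking what Word will actually do rather than what the Trust Center dialog appears to offer.  The following added example (not from the original post) resolves the effective macro setting from the two registry locations Word reads: the user’s own `Software\Microsoft\Office\16.0\Word\Security` key and the `Software\Policies\Microsoft\Office\16.0\Word\Security` key that administrators push, where the policy value wins and cannot be changed from the Trust Center.  The Office version `16.0` (Office 2016 and later) is an assumption; the live registry read runs only on Windows, and the resolution logic itself is exercised with constructed values.

```python
"""Resolve the macro setting Word will actually apply (VBAWarnings), taking
into account that a Group Policy value overrides the user's own choice, which
is how the centrally managed machine in the post ended up at 'enable all'.
Added example, not from the original post. Office version 16.0 is assumed."""
import sys

# Assumption: Office 2016 or later (16.0). Earlier versions use 15.0, 14.0, ...
USER_KEY = r"Software\Microsoft\Office\16.0\Word\Security"
POLICY_KEY = r"Software\Policies\Microsoft\Office\16.0\Word\Security"

# Documented meanings of the VBAWarnings DWORD.
VBA_WARNINGS = {
    1: "Enable all macros (not recommended)",
    2: "Disable all macros with notification",
    3: "Disable all macros except digitally signed macros",
    4: "Disable all macros without notification",
}
DEFAULT_VBA_WARNINGS = 2   # Word's built-in default when the value is absent

def effective_macro_setting(user_values: dict, policy_values: dict) -> dict:
    """Resolve the setting Word applies from the two Security keys.

    user_values / policy_values map value names (e.g. "VBAWarnings") to their
    DWORD data; pass {} when a key is absent. A value under the Policies hive
    wins over the user's value, and the user cannot change it in Trust Center."""
    if "VBAWarnings" in policy_values:
        level, source = policy_values["VBAWarnings"], "policy"
    elif "VBAWarnings" in user_values:
        level, source = user_values["VBAWarnings"], "user"
    else:
        level, source = DEFAULT_VBA_WARNINGS, "default"
    # 'Block macros from running in Office files from the Internet': policy wins here too.
    block = policy_values.get("blockcontentexecutionfrominternet",
                              user_values.get("blockcontentexecutionfrominternet", 0))
    return {
        "level": level,
        "source": source,
        "meaning": VBA_WARNINGS.get(level, "unknown value"),
        "blocks_internet_macros": bool(block),
        # The one state in which an e-mailed document runs its macro on open with no prompt.
        "auto_runs_macros": level == 1,
    }

def read_registry_values(hive_path: str) -> dict:
    """Read every DWORD under HKCU\\<hive_path>; {} if missing or not running on Windows."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module, imported lazily on purpose
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, hive_path) as key:
            index = 0
            while True:
                try:
                    name, data, kind = winreg.EnumValue(key, index)
                except OSError:          # no more values
                    break
                if kind == winreg.REG_DWORD:
                    values[name] = data
                index += 1
    except OSError:                      # key does not exist
        pass
    return values

if __name__ == "__main__":
    print(effective_macro_setting(read_registry_values(USER_KEY),
                                  read_registry_values(POLICY_KEY)))
```

One caveat to pair with this check: a document saved in one of Word’s Trusted Locations bypasses the macro setting entirely, so an audit should list those folders as well.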

Stop Here

Hopefully you and your staff would have stopped ages ago.  The document, when it opened, contained an anti-virus warning, ironically, and a button to click to download the clean version.  You know where this is going.

I don’t recommend you ever do what I’m going to do next.

A Word document in the older .doc format is different from one in the .docx format.  The older, binary format stores the macro inside the same file and you have to open the document in Word to see it; a .docx cannot carry a macro at all, the macro-enabled variant being .docm.  In my case, with macros turned off, I opened up the Visual Basic editor to take a look at this VBA (Visual Basic for Applications) trojan.

I saved the infected .doc as a .docm, which is the macro-enabled version of a .docx Word file.  Then I exited Word.

You may know this, but a .docx or .docm file can be accessed without opening it in Word, because it is really a zip archive.  All you do is rename the file – my-infected-friend.docx – to a compressed zip file – my-infected-friend.zip.  (The older binary .doc is not a zip, which is why I converted it first.)  I renamed the .docm file and could now navigate through the folders and files that were contained within the Word document.  I’ve talked about how this might be useful in litigation and discovery.  I was curious to see where the macro lived, but it appears to be in a compiled binary part rather than in the readable XML.
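The same inspection can be scripted so that nobody has to rename anything or double-click.  The following added example (not the author’s code) does what the “scanned eighteen” result and the rename trick above both hint at: it sniffs whether an attachment is a zip-based OOXML file or a legacy OLE .doc by its leading bytes, lists the parts inside a zip-based one, flags the binary `word/vbaProject.bin` part in which OOXML macros are stored, and reads `[Content_Types].xml` for the macro-enabled document type.  It also computes the SHA-256 so the file can be looked up on VirusTotal by hash before deciding whether to upload it at all, since uploading a client document shares it with other VirusTotal users.  The sample document is constructed in memory with placeholder parts and contains no real macro.

```python
"""Look inside an Office attachment without opening it in Word, as the rename
trick above does, and report where any macro lives. Added example, not the
author's code. The sample file is built in memory with placeholder contents
(a real vbaProject.bin is an OLE container holding compiled VBA); it is not
a malicious document."""
import hashlib
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                              # .docx/.docm/.xlsx ... (OOXML)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # legacy .doc/.xls, and vbaProject.bin
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"

def sniff_container(data: bytes) -> str:
    """'zip' for OOXML (.docx/.docm), 'ole' for binary .doc, else 'unknown'."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"

def triage(data: bytes) -> dict:
    """Inventory an attachment's parts and flag macro indicators; nothing is executed."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "container": sniff_container(data),
        "parts": [],
        "macro_parts": [],
        "macro_enabled_type": False,
    }
    if report["container"] != "zip":
        # A legacy .doc keeps macros as streams inside the OLE file; no zip listing exists.
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        report["parts"] = zf.namelist()
        for name in report["parts"]:
            # OOXML macros live in a compiled binary part, not in the XML you can read.
            if name.lower().endswith("vbaproject.bin"):
                report["macro_parts"].append(name)
        if "[Content_Types].xml" in report["parts"]:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            report["macro_enabled_type"] = MACRO_MAIN_TYPE in types_xml
    return report

def virustotal_hash_url(sha256_hex: str) -> str:
    """Hash lookup page; check this first, because uploading shares the document."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex}"

def build_sample_docm() -> bytes:
    """Constructed stand-in for a macro-enabled document (placeholder parts, no real VBA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types>'
                    f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_TYPE}"/>'
                    '<Override PartName="/word/vbaProject.bin" '
                    'ContentType="application/vnd.ms-office.vbaProject"/>'
                    '</Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 32)  # placeholder OLE header
        zf.writestr("word/media/image1.png", b"\x89PNG placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    r = triage(build_sample_docm())
    print(r["container"], r["parts"], r["macro_parts"], r["macro_enabled_type"])
    print(virustotal_hash_url(r["sha256"]))
```

For a legacy binary .doc the macro streams sit inside the OLE container and need an OLE parser; the open-source oletools package’s olevba tool extracts and decodes them, again without opening the file in Word.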

All in a Flash

That’s a pretty long walk down what could potentially be a 15 second process, if you or your staff get an e-mail and open the attachment.  Many – most? – of the e-mails being sent to phish credentials or download malware have flags associated with them: unexpected, poor spelling or grammar, wrong address.  Hopefully, one of those flags will trip your security or watchfulness and save you from a problem.  If you want to verify, call the sender; don’t open the attachment.

In my case, our corporate security says the macro, if activated, would have been blocked by our network security from completing the download.  But technology can fail: just as the antivirus and antimalware apps did, a different network tool, or the same one configured differently, might not have provided that additional protection.  I later forwarded the e-mail to my Google Mail account, and Google flagged it as an infected document and blocked the download; but most of us are not going to spend that much time considering an e-mail.

Many of us won’t have multiple layers of security to protect us.  If we slow down a bit, and look at the e-mails coming into our inbox with a heightened … curiosity, it may help to avoid potential business and professional disasters.  Train your staff so that they also see security technology as a helping tool, but not a complete answer, to protecting client information.