Update October 4, 2007
There has been a sudden surge today of email bounce-backs
which indicate that somebody is broadcasting e-mails which fraudulently
represent themselves as coming from one of our domain names.
It is not clear whether these emails have any malicious
purpose other than to encourage recipients to visit a website which is
completely unrelated to this business, and which may be harmful.
Recipients of any such messages should remain vigilant,
and delete them unread if they get through spam or virus filters. None
of these emails originate from any of our systems.

Spoof e-mails pretending to be from OnTheShortList.com
The latest spam / hacker attack related to this business
seems to be a series of email broadcasts using fictitious return addresses
as though they were coming from OnTheShortList.com .
Although these messages seem to be easily caught by
spam-blockers and are easy to recognize as garbage to be deleted, such
attacks have often been followed in the past by more malicious messages and
may just be an attempt to test their email list.

Update April 2, 2007
Thousands
of recent bounce-back messages from spam blockers confirm that hackers are
sending out messages once again which pretend to be from one or more of our
business domain names. These messages have nothing at all to do with
this business, and seem to be easily blocked. They do not come from
our systems. Their timing and reach suggest that they are actually
originating in other countries.

Spoof e-mails touting small-cap financial investments
Among the recent messages were some which seemed designed to fraudulently
tout particular stock market investments. Once again, this business
has nothing at all to do with stock market investing, but it is quite
possible that we have been targeted for such spam abuse simply because of
the word investment in our business name. We never, ever make any
stock market recommendations to anyone.

Update February 21, 2007
A new series of malicious e-mails now seems to be going out this afternoon.
Some are spoofing reserved domain names which we never use for
outbound e-mails at all.
Once again, these e-mails have no connection to our
business at all. They are just fraudulently misrepresenting their
return e-mail address as pertaining to our domain - so that we see the
"bounce-back" messages as protective measures such as spam or virus filters
start to catch many of them.
The early recipients (based on bounce-backs we have seen)
seem to be mostly in other countries again. This may be a variant on
419 fraud schemes common in Africa and
elsewhere.

Beware of the latest batch of spoof e-mails
This latest
attack may be more serious - as we suspected in recent days as a potential
follow-up attack.
The subject line now says something like "Microsoft
Office Enterprise 2007 ready to download", and presumably links to a
malicious website with this obvious ruse - which could potentially be both a
phishing (identity theft / credit card theft) and system attack (spyware,
trojan virus, etc.). There have been other variations.
The text of the messages we have seen is poorly written,
so this may be a scam originating in another country. There is a link
to a website which has nothing to do with Microsoft or this business.

Update February 20, 2007
After
a relatively lower volume of malicious e-mails spoofing our return address
in recent months, this scourge seems to have reappeared now. As far as
we can tell, spam filters and other protective measures seem to be catching
these messages, which do not actually come from any of our systems.
The messages typically have obviously fabricated subject
lines, such as two randomly generated words with no real connection between
them.
As explained in the past, such attacks sometimes seem to
be a test run for more malicious follow-up attacks, such as to probe for
poorly protected systems, so we would once again urge all our friends to
maintain effective security measures and be skeptical of any messages which
appear to be from us but do not have very specific and relevant subject
lines.

Malicious e-mails again spoofing our domain name
The latest surge
of hundreds of e-mails, on February 17 and 18, generally used fictitious
e-mail return addresses with our domain name (i.e., not even our published
e-mail addresses) and seem to have mostly gone to addresses in Europe and
other parts of the world which have no known connection to our business at
all.
We are unaware of any of our actual business contacts
receiving any of these latest fraudulent messages. The latest messages
appear to just be spam that is easily recognized (rather than the old tactic
of having virus-infected attachments), but may include links to malicious
websites (as in phishing or other types of attacks designed to elude virus
filters or firewalls).
Once again, these bogus messages do not actually come from
any of our systems, so we have no control over them.

Update March 31, 2006
In the
last two days we have observed a number of virus-infected e-mails which
spoofed our published e-mail address, as listed in the header above for the
convenience of our visitors. These messages are generally being caught
easily by anti-virus software, but anyone who unexpectedly receives a
message with an unusual subject line which is purportedly from us should
exercise caution. Our messages always have a very clear and relevant
subject line, and rarely have any attachments unless we are responding to a
specific request. As always, users should be very cautious and keep
their anti-virus protection updated to defend against any new attacks like
this.

Virus-infected messages again spoofing our published e-mail address
As explained previously below, the latest messages are not
coming from our computers or anyone associated with this company. The
perpetrators are fraudulently spoofing our published e-mail address from
other computers which have nothing to do with us.
Most of the latest messages are very easy for users to
recognize as suspicious because of their subject lines. In past
attacks of this nature, however, an initial wave of messages such as this
has sometimes been followed by others which might seem more credible at
first glance.

Update February 22, 2006
We
have recently become aware that somebody is broadcasting e-mail messages to
unknown recipients which fraudulently pretend to be from this business.
These messages do not come from any of our computer systems or anybody at
this company. They are a hoax to get unwary users to visit a
potentially malicious website by following a link in the email.
Users should be cautious to not follow such links.
Recent messages we have seen pretended to be from administrator@ or other
standard addresses which might apply to any domain. The messages
allege to be virus-checked, but the links are likely to be harmful.

Fraudulent e-mail messages spoofing our domain name
Here is
a sample of one of the recent fraudulent messages we have seen.
"It has come to our attention that your Gdi-solutions User
Profile records are out of date. For further details see the attached
document. Thank you for using Gdi-solutions! The Gdi-solutions
Support Team "
There is no "Gdi-solutions" support team, nor do we ever
refer to "Gdi" as opposed to GDI since it is an abbreviation. There is
also no such thing as a "User Profile" to update on our website.

Update October 11, 2005
Hundreds of recent "undeliverable" bounce-back messages indicate that
somebody is once again spoofing our identity through bogus e-mail messages.
Instead of the usual annoying spam or virus attacks, the latest appears to
be a "phishing" attempt to get unwary recipients to respond by following a
link and giving up personal information in the process, thus evading the
usual anti-virus measures against harmful e-mail attachments. Among
the recent messages we have observed are ones with the following subject
lines :
"You have successfully updated your password" - with a
link for unwary users who want to indicate that they made no such change.
We have no such process for anybody to change any password, nor
any account on which to make changes.
"MEMBERS SUPPORT" - again, there are no "members" to support here
"Your Account is Suspended for Security Reasons" - there are no accounts to suspend

Likely "phishing" attack similar to previous spam attacks
As in
the past, the latest attacks are spoofing addresses which we never use :
admin@ info@ service@ administrator@ support@
These were all used with the "you have successfully
updated your password" message.
The messages do not appear to have been sent to anybody
who would actually know us, nor does there seem to have been any attempt to
identify valid e-mail addresses which we may use in our correspondence with
our many contacts. Instead, the latest attack still seems to be using
standard names and our domain name, perhaps to test what works. Given
the nature of this latest attempt at identity theft, we suspect that the
presence of the words "investment" or "invest" in our business name and
header on our home page may be triggering automatic inclusion in such a
phishing attempt, as though this business were a financial institution with
client accounts and passwords to try to steal.

Update October 1, 2005
Another
large spam attack has included messages spoofing our domain name (and that
of other companies or individuals whose e-mail addresses the perpetrators
have found). These are generally easily recognized and blocked, but
users should be alert because the latest attack includes viruses, so such
messages should not be previewed or opened. Among the ones we have
observed are ones with the following subject lines :
'Detected' Online User Violation (with virus attachment)
Warning Message: Your services near to be closed (with virus attachment)
Security measures (with virus attachment)
Your password has been successfully updated
Security measures
Notice of account limitation
Once again, we never send messages such as the above.
The second would seem to be foreign in origin, given the error in English
usage. This is not unusual.

Another virus attack spoofing incorrect addresses
As in
the past, the latest attacks are spoofing addresses which we never use :
admin@ register@ service@ mail@ webmaster@ support@
The first three were all used in an attempt to spread
known viruses, as we observed through bounce-back messages from several
which were blocked on undeliverable.
Once again, such e-mail does not originate at our company.

Update June 13, 2005
The
recent spam attack continues with hundreds of similar messages, as well as
some new variations, with vague subject lines such as
Members Support
Security measures
We never send messages with subject lines such as these.

Continued spam and virus attacks spoofing GDI-Solutions addresses
Some of the latest messages come from false addresses such as
register@ admin@ mail@
Once again, no such messages are actually coming from any
of our systems. Some messages clearly contain virus-infected
attachments, while others may link out to harmful websites. As always,
we urge caution with all such messages.

Updated June 2, 2005
A further wave of spam which is spoofing
published and fictitious e-mail addresses for our domain name (without
coming from any of our systems) is in progress. This is similar to the
May 10 update below, with obviously irrelevant subject lines such as
Your Email Account is Suspended for Security Reasons
Notice of account limitation
Notice: **Last Warning**
*DETECTED* ONLINE USER VIOLATION
Important Notification
Status

New spam spoofing non-existent addresses at GDI Solutions
As in the May 10 update below, the latest attack has spoofed
our published address as above, plus some fictitious addresses.
support@
administrator@
info@
service@
No such messages are from us. Recent attacks have included virus-infected attachments,
such as one of the latest variants of the MyDoom virus.

Updated May 30, 2005
We have received hundreds of virus-infected
messages again this week, a few of which have been spoofing our domain name
in the return e-mail addresses again, but in a new way.
These latest messages are easy to recognize
(obvious titles like Hi, Hello, Good Day, Status, Error, Urgent, Server
Report, or test) and anti-virus software is blocking them, but over the past
few years such waves of new attacks have often preceded, by a few days, a
more sophisticated attack. We therefore urge caution once again, and
remind our friends and any recipients of such messages that we never use
subject lines such as these, and have no connection with the spammers and
hackers behind these criminal attacks.

New virus attack spoofing published and non-existent GDI Solutions addresses
Messages have been sent out again as though
they were from GDI-Solutions.com e-mail addresses. This latest attack
apparently generates invalid names (like lolita@ or peter@ or jack@) by
following the same style (first name only) as our published addresses.
This differs from various past attacks using published or common addresses
such as info@ webmaster@ administrator@ etc. None of these messages
are actually originating through our systems. They are just spoofing
our address. We do not send out any e-mails from these addresses.
We just see the "bounce-back" messages when delivery fails, which helps us
to monitor abuses of our identity so that we can report such criminal
activity to the relevant authorities for law enforcement action.

Updated May 10, 2005
We have
been receiving over 100 virus-infected messages per day recently.
Although these were readily intercepted, clearly our increased visibility is
also leading to increased attacks, so we must once again urge all of our
friends to be careful, and alert those who don't know us that such messages
have nothing to do with this business. As explained at other times in
the past below, real messages from us are deliberately easy to distinguish.
By contrast, the latest attacks have had irrelevant
subject lines such as
Application Approval # (number) - when there is no application process for us
Pre-Approval Application # (number) - again, we have no application to approve
Registration Confirmation - when we also have no registration process
Re : Account # (number) - when we never send emails such as this
Notice **Last Warning** - when we never issue such warnings for any reason
Your email account access is restricted
Notice ***Your email account will be suspected***

New spam spoofing non-existent addresses at GDI Solutions
The latest spam, which may include malicious attachments, has
come from many domain addresses other than our own, but has also spoofed
addresses for our domain which are not actually in use by anyone.
These are just fabricated addresses, and have nothing to do with any of our
computer systems, and are often broadcast at times when none of our systems
are even in use. The latest fabrications, for potentially harmful
messages such as those described at left, include addresses for our domain
such as :
staff@
Admin@
mail@
register@
None of these are
valid addresses for us, and we never send out any e-mails which refer to an
"email account" or imply some adverse action to prompt unwary users to open
them. We don't threaten our many friends through e-mails. Only
spammers and hackers do that.

Updated April 20, 2005
We
received another wave of around 50 virus-infected messages today.
Although none were spoofing our email address (unlike the prior examples
below), they were also coming from unknown addresses, mostly personal (AOL,
Yahoo, etc.) rather than any of our business contacts.
Even so, the hacker program involved must have picked up
our address somewhere, presumably by crawling this website since we can't
imagine why any of the return addresses involved would have our address on
file (as in a Trojan attack), so once again we must encourage all of our
contacts to be vigilant about timely anti-virus protection.

New virus attack - for the moment, easily recognized
We
suspect that the latest attack, which was easily picked up by anti-virus
protection and common sense, may just be preparation for a further and more
sophisticated attack, such as by screening the existing distribution list
for easy vulnerabilities before another attack. The messages this time
had obviously suspicious subject lines such as
"Good day" "hello" "HELLO" "ERROR" and
various other entries.
We never send any e-mail with subject lines such as these.
The subject line of our messages is always quite specific and relevant to
summarize our communication.

Updated February 15, 2005
We
noticed some more e-mails spoofing our address again yesterday. These
are not coming from our systems. The return address is typically "bruce"
or "enquiries", without upper case at the start of these names. Both
addresses are as openly published on this website, which helps us to monitor
abuse. We never send messages from "enquiries". Real messages
from us will look different from these, as our contacts should know.
These latest messages were not directly identified as
virus-infected, but may contain links to other sites as in the case of
trojans, "phishing" and other attacks. Please be vigilant. Such
links may also be disguised to spoof a trusted address, and then lead
elsewhere.

New spam - becoming trickier
The latest spam which has been
spoofing our address has the subject line :
Re: Contact me, it is important!!!
This has no connection to our business. We never
send out messages such as this.
Please note the repeated warning, at left, about the
security threats posed by such messages. Since these messages are not
coming from our systems, any recipients of such messages will need to have
timely protective measures and remain vigilant.

Updated February 1, 2005
Another new e-mail virus attack is spoofing our address, generally sending
messages to individuals with no connection to this business. The
return addresses we have seen used so far in this latest attack include
"Bruce" as well as "webmaster" and "invest".
Once again, these messages do not originate through our
company. They are just the latest variation on this scourge which
seeks to disrupt normal business activity, as in the case of the attacks at
this time a year ago which coincided with anti-globalization events.

New spam, involving known viruses
The latest messages we
have seen use subject lines such as
"Registration is accepted", "Is delivered mail" and "You
are made active"
We never send out messages of this nature. Although
anti-spam filters and timely anti-virus protection should catch these e-mail
viruses, users should remain alert to this risk. Please
report serious attacks for criminal
investigation and prosecution, as we do.

Updated January 27, 2005
A new
virus seems to be going around which is picking up published e-mail
addresses from websites or from unprotected systems, and then sending messages to other addresses from the same or
related sources with vague subject lines which might tempt unwary users to
open them. Some of these have spoofed our published address, and that
of other contacts we know. As always, we recommend caution about opening
unexpected email messages
which appear suspicious, and recommend very timely anti-virus protection.

New spam, apparently not involving viruses at this time
Messages have also been received from fictitious email addresses for our
company, such as from "support@" or "administration@", which are never used
by us. The subject lines refer to such things as "Email account
security warning" and "Notify about using the email account". This may
be a "phishing" effort to seek information from contacts, or a prelude to a
virus or spyware attack on recipients. Even if the current messages seem to
be harmless, vigilance is in order. Please report such abuse. We
never send such messages to anyone.

Updated December 8, 2004
We continue to see undeliverable "bounceback" or
intercepted spam and virus propagation messages which indicate that
unprotected systems, spammers, or hackers are sending out messages which
"spoof" our published return e-mail addresses (mostly "bruce" or
"enquiries"), or sometimes fabricate invalid return addresses (see notes
below). Some of the latest ones today were confirmed to be
virus-infected, but were readily intercepted.
Please note that we have no way to control this abuse of
our company reputation and e-mail address. These messages do not
come from our computer systems, and in most cases the recipients have no
logical connection at all to this business. They just happen to be
other people whose e-mail addresses have been harvested by such malicious
programs, and would therefore have no reason to even open an e-mail which
spoofs our address, regardless of the subject line. One should be
careful, however, because even the "preview" of e-mails can trigger some
types of viruses.

Once again, please be cautious about virus protection
The
latest messages had suspicious subject lines, but also some plausible ones
such as "Site changes" or other brief but vague expressions which might
prompt an unwary user (or somebody who already communicates with us for
legitimate reasons, and thus trusts us) to open these messages and perhaps
even their virus-infected attachments.
Those who receive legitimate communications from us will
usually recognize at a glance that our subject lines are quite specific
about the content and reason for communication, and we never send
unsolicited attachments. Our e-mails would never contain just a brief
line and instructions to see the attachment.
Please be cautious, and help us by bringing any serious
problems like this to our attention so that we can alert others as
appropriate. Some of the latest viruses and worms are quite malicious,
and harm can be done before the anti-virus software companies detect them
and distribute updates to protect against the latest variants.

Updated October 26, 2004
Suspicious e-mails (spam or virus-infected) continue to be sent out using
both valid and invalid return addresses from our company, but which are not
actually coming from any of our systems. The e-mails spoof our return
address.
The latest today has a suspicious subject line : Re:
Russian's
Typically the recipient is unknown to us - likely an
address which the sender picked up through an unrelated virus-infected
computer somewhere else.
Some spam-blockers correctly catch this, but unfortunately
this has also triggered some blockers to quarantine or block legitimate
messages to our contacts.
We continue to receive and block many virus-infected
messages every day, mainly from users who would have no reason to
communicate with us or be aware of our e-mail addresses, so clearly they are
also victims of the same general problem.

Security precautions
The e-mail attacks seem to be
growing in sophistication, so once again we urge all users to maintain
strong firewall, anti-virus, and anti-spam protection measures.
For example, we have recently encountered cases in which
an e-mail with a "spoofed" return address from us is actually sent to one of
our contacts, such as others whose e-mail is listed on this website.
This clearly is an attempt to trick such contacts into thinking that it is a
legitimate message from us. The subject lines, however, continue to
usually be meaningless and clearly suspicious, but this may also be changing
(to generate plausible subject lines).
This appears to be a coincidence rather than a targeted
attack on this business and our contacts. In short, spam robots are
probably harvesting e-mail addresses within the website and then sending
messages among them, and we only become aware of it when some of them bounce
back to us or include us as recipients.

Updated August 27, 2004
We
continue to receive bounce-back messages indicating that e-mails are being
sent out with spoofed return addresses as though they were from our company,
which is not the case. They are using fictitious addresses or real
ones published on this website. Recent addresses have included "lizie",
"annie", and "ann" followed by @gdi-solutions.com, none of which are valid.
We have no idea who is receiving these messages, as they rarely seem to be
sent to any of our actual contacts. Many have also come from
"enquiries" (see footer below), which we never use for outbound messages.
This helps us to keep track of such fraudulent activities.
Frequently messages are going out at times when none of
our computers are even in operation or on the Internet. Since they are
not being generated on our systems, which have anti-virus and other
protection, we cannot control what is being sent out fraudulently elsewhere
in our name. We can only report their actions to the relevant
authorities in the hope that they will be caught someday and punished
severely.
Recent examples include messages with a variety of
obviously suspicious subject lines such as "I just need a friend", "Hello!",
and "I like you", but others are more plausible. Others have
referenced fictitious account numbers, as though they were invoices.
Viruses have been readily detected in the attachments. In the past,
similar patterns led to more sophisticated attacks later, as though these
were just hackers testing a new virus tactic and e-mail list to find poorly
defended systems.
Once again, real messages from us will have a subject line
which is very relevant to our work and the message content, without any
unsolicited attachments. We only include links to content on this
website, including relevant PDF files to download.

African advance funds scams
We continue to be inundated
with e-mails from scam artists in Africa and elsewhere who are allegedly
trying to launder large amounts of money, but of course are just fishing for
personal financial records or opportunities for identity theft from the
gullible.
If you are also being bothered by such messages, please
see our section on African 419 scams with
some suggestions about how to respond. Unfortunately, there are so
many such activities on a daily basis that it is hard to stop this plague,
which is far more harmful than ordinary spam, because it directly victimizes
unwitting people who have little recourse for the losses and identity theft
problems they may incur.
A clear message needs to be sent to some of the African
governments which have not made serious efforts to combat these schemes.
The high incidence of fraud, criminal identity theft, corruption, and other
problems deter the productive capital investment activity which is so
desperately needed in some of these countries. If one of their main
exports is going to be such criminal activity, the majority will continue to
suffer greatly because of the corruption of a few who think they are beyond
the law.

Updated January 29, 2004
More e-mail worms were in circulation this week, identified
by various names such as w32/mydoom @ mm and worm_mimail.R with infected
file attachments of various types and a wide variety of e-mail subject
lines, most of which were obviously suspicious (such as "HI" or "Test").
Some have been disguised as undeliverable message notices to prompt unwary
users to open the infected attachments, and in recent months other viruses
have even been disguised as broadcast e-mails by Microsoft about security
upgrades (which they don't send out that way).
Once again, since some of our legitimate e-mail addresses
are widely known, we receive many anti-virus warning messages as infected
computers elsewhere send out e-mails which "spoof" our return address so
that they appear to be coming from us when, in fact, none of our computers
are involved. For example, in some cases the worm generated e-mail
return addresses for our company which do not in fact exist, as opposed to
using legitimate addresses found elsewhere.

The US government is trying to help end this time-wasting scourge
The Department of Homeland Security launched a new national
Cyber-Alert System of the US Computer Emergency Readiness Team at :
www.us-cert.gov
Users can register to receive updates about current
Internet security threats, and there are also some links to other resources.
Of course, this approach also poses some problems since it can readily
spread information about software weaknesses faster than vendors can patch
them and get the patches installed by users. No doubt some hacker will
also design infected e-mails to mimic these alerts.
Existing anti-virus and firewall software, and caution by
users, are still the main defenses until a better approach to e-mail
security and spam activity is found.

Updated August 19, 2003
Please be cautious about opening any e-mail messages from GDI Solutions or many other sources with
vague subject lines such as:
Re : Your application
Re : Approved
Thank you!
Re : My details
Re : details
Re : That movie
Wicked screensaver
A very funny game
They typically include very simple and vague text, such as :
"Please open the attached file for details."
The attachment is
likely to be infected by a virus, and should not be opened. The virus
involved seems to be w32.Sobig.F@mm and should be identified by current
anti-virus software and their reference libraries about how this worm
operates, and how to remove it if necessary.
We never send
messages with vague subject lines or messages such as the above. They
are not being generated by a virus or hacker on our computers, even if they
appear to be coming from a "gdi-solutions.com" return address.
We never send
messages from addresses such as "admin@gdi-solutions.com" or "webmaster" or
"enquiries". We always specify employee names. Since
our email addresses are published on this website and elsewhere for
convenience, they are also vulnerable to being "spoofed" as a fictitious
return address.
There is a risk
that just opening such a message to read it, as in an e-mail preview pane
(without opening the attachment) can launch a trojan which may activate
later. If you receive such a message, please be sure that your
anti-virus protection is current, and test your system to ensure that
nothing has slipped through already.
Some types of
worms or trojans may not be immediately apparent if they get past your
anti-virus protection. Some activate to do harm after a delay, which
can make it difficult to recover from backup copies of your system (if you
have them, and can figure out when the virus was received).
Instead of
obviously suspicious subject lines and messages such as the above, some
viruses capture old subject lines and messages out of saved e-mails found on
an infected system, so that the messages appear to be more credible, and
search the entire system for any e-mail addresses (not just an address
book).
Some e-mail messages like this can trigger viruses
automatically if you just use a "preview" pane in your e-mail software to
screen messages before opening them to read completely. Thus, they can
pose a threat even if you delete them without opening them completely, or
opening the attached file.
If you receive any suspicious messages which are allegedly
from us, please let us know ASAP (TEL 847-304-4655) so that we can try
to track down the source of the problem or alert our contacts to this new
threat as appropriate, but please recognize that the sender probably has no association at
all with our business, and it therefore is not a failure of our own
anti-virus protection measures.

In August 2003
we were receiving suspicious messages of this nature almost daily from various economic
development agencies, government offices, publishers, and other sources
which might at first glance appear to be trusted.
Warning : messages may also "spoof" users to think they come from us
The messages may not actually be sent from the indicated
sender at all, unlike a virus attack from an infected system which uses the
sender's address book. Instead, a legitimate (or likely) sender
address is used to send messages to many addresses through systems which
have nothing at all to do with the apparent sender.
For example, we have received some undeliverable
"bounce-back" messages from such messages which were allegedly from
addresses which are not used, such as "admin@gdi-solutions.com", or
addresses which we openly publish. Anybody can "spoof" the return
address of an e-mail message, making it look as though it comes from GDI
Solutions or some other trusted source when in fact we have nothing to do
with the message. The actual source of such messages can be hard to
track down.
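The bounce-back monitoring described above can be automated. The following is an added example, not code from this page or from the business it describes: it reads each bounce, pulls out the returned original message, and checks both the spoofed local part and the connecting IP recorded by the server that rejected it. The domain `example.com`, the set of real outbound addresses, the relay IP and the sample bounces are all assumptions constructed for the demonstration.

```python
import re
from collections import Counter
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumptions for this example, not taken from any real configuration:
OUR_DOMAIN = "example.com"          # stands in for the domain being spoofed
OUTBOUND_LOCALPARTS = {"bruce"}     # the only address really used for sending
OUR_OUTBOUND_IPS = {"192.0.2.10"}   # addresses of our own outbound relays

IP_IN_RECEIVED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def returned_original(bounce):
    """Return the original message (or just its headers) carried in a bounce."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return message_from_bytes(part.get_payload(decode=True),
                                      policy=policy.default)
    return None


def analyze_bounce(raw):
    """Classify one bounce: did the returned message really come from us?"""
    bounce = message_from_bytes(raw, policy=policy.default)
    original = returned_original(bounce)
    if original is None:
        # Some bounces return no part of the original; nothing can be checked.
        return {"verdict": "no-original-headers", "local": None,
                "source_ip": None, "subject": None}
    _, addr = parseaddr(str(original.get("From", "")))
    local, _, domain = addr.lower().partition("@")
    received = original.get_all("Received", [])
    # Only the topmost Received line was written by the server that bounced
    # the message; anything below it was supplied by the sender and can be forged.
    match = IP_IN_RECEIVED.search(str(received[0])) if received else None
    source_ip = match.group(1) if match else None
    if domain != OUR_DOMAIN:
        verdict = "not-our-domain"
    elif source_ip in OUR_OUTBOUND_IPS:
        verdict = "sent-from-our-relay"   # real mail, or a compromised system
    elif local not in OUTBOUND_LOCALPARTS:
        verdict = "spoofed-never-used-address"
    elif source_ip is None:
        verdict = "origin-unknown"
    else:
        verdict = "spoofed-published-address"
    return {"verdict": verdict, "local": local, "source_ip": source_ip,
            "subject": str(original.get("Subject", ""))}


def tally(bounces):
    """Count verdicts and spoofed local parts across a batch of bounces."""
    verdicts, spoofed_locals = Counter(), Counter()
    for raw in bounces:
        result = analyze_bounce(raw)
        verdicts[result["verdict"]] += 1
        if result["verdict"].startswith("spoofed"):
            spoofed_locals[result["local"]] += 1
    return verdicts, spoofed_locals


def sample_bounce(from_addr, subject, connecting_ip):
    """Build a constructed DSN-style bounce for the demo (not real traffic)."""
    received = (f"Received: from mail.sender.invalid (unknown [{connecting_ip}])\r\n"
                "\tby mx.recipient.invalid; Tue, 1 Jan 2008 00:00:00 +0000\r\n")
    return (
        "From: MAILER-DAEMON@mx.recipient.invalid\r\n"
        f"To: {from_addr}\r\n"
        "Subject: Undelivered Mail Returned to Sender\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\nContent-Type: text/plain\r\n\r\nDelivery failed.\r\n"
        "--b1\r\nContent-Type: message/delivery-status\r\n\r\n"
        "Reporting-MTA: dns; mx.recipient.invalid\r\n\r\n"
        "Final-Recipient: rfc822; nobody@recipient.invalid\r\n"
        "Action: failed\r\nStatus: 5.1.1\r\n"
        "\r\n--b1\r\nContent-Type: message/rfc822\r\n\r\n"
        f"{received}From: {from_addr}\r\nTo: nobody@recipient.invalid\r\n"
        f"Subject: {subject}\r\n\r\nbody\r\n"
        "--b1--\r\n"
    ).encode("ascii")


# Constructed samples: three spoofed messages and one genuinely sent by us.
SAMPLES = [
    sample_bounce("admin@example.com",
                  "You have successfully updated your password", "198.51.100.7"),
    sample_bounce("enquiries@example.com", "Site changes", "203.0.113.9"),
    sample_bounce("bruce@example.com",
                  "Re: Contact me, it is important!!!", "203.0.113.9"),
    sample_bounce("bruce@example.com", "Report as discussed", "192.0.2.10"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(analyze_bounce(raw))
    print(tally(SAMPLES))
```

A "sent-from-our-relay" verdict is the one that needs investigation, since it means the message really did pass through a system listed as our own.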
This is an annoying problem for more than ourselves.
For example, we have received messages spoofing return addresses from
"Microsoft Support" as well as many other addresses which might, at first
glance, fool the user into opening the message.
We maintain our anti-virus and firewall protection on a
daily basis, and never send (or open) e-mails with vague subject lines or messages
such as these.
Recognizing legitimate messages from us
We use very specific subject lines and messages.
We
usually only send file attachments to somebody with whom we have spoken in
advance, so that they are expecting to receive the file, and the e-mail
clearly identifies what is attached, and why. These are generally
Adobe Acrobat PDF files, rather than Microsoft Word or other files which may
contain viruses or links to malicious websites where a trojan could download
a damaging program if adequate controls are not in force at the time.
Note that some trojans are designed to disable anti-virus
protection, so the risk of such attacks should not be taken lightly.
Simply deleting a previewed message may give the illusion that the threat is
gone, while in reality it remains. Once they infect a system, they may
duplicate themselves in random ways which the anti-virus programs will not
recognize to remove them completely, and they may download other damaging
programs in the background from malicious websites which might also not be
recognized by the anti-virus programs.
Protection against sophisticated attacks of this nature
can be challenging even for experienced IT professionals. If you think
your system may have been affected, seek professional help (typically from
tech support offered by the original manufacturer of your computer, or your
anti-virus or firewall software provider).

By the nature
of our business, we receive messages from all over the world, both from
trusted sources and unfamiliar but legitimate sources of enquiries, as well as
spammers and virus attacks which have picked up our address in any of
thousands of potential places among our contacts worldwide.
It is impossible to prevent people from pretending to send
messages in our name, or in the names of people with whom we do business.
We have received virus-infected messages in the past from some of our most
trusted contacts who, unfortunately, did not have adequate systems in place,
which is a constant challenge for all businesses.

See also : FBI, US
Secret Service, and CIO Magazine reporting guidelines for
cyberthreat reporting (network intrusion), such as hacker attacks, viruses /
worms, etc.
There is also a process for anonymous
reporting of attacks on business networks known as InfraGard run by the
National Infrastructure Protection Center.
http://www.secretservice.gov/net_intrusion.shtml
Refer also to the CIO Magazine website at
http://www2.cio.com for related articles,
such as their "Alarmed" column or articles such as "Break Glass, Pull
Handle, Call FBI" at
http://www.cio.com/archive/060101/fbi_content.html