Virus Scams

 

A client of mine recently received an email purporting to be from the Department of Justice (and another one from “the IRS” ) relating to claims made against their business. It had some official-looking language about case numbers and claims filed by so-and-so, and noted that a copy of the complaint was included “in the pdf below.” They were suspicious for several reasons, and asked me to check it out.

Even if you expect the IRS or DOJ to email you out of the blue with this kind of thing, addressing the recipient by the wrong gender is a big red flag. The other thing that made me immediately suspicious was the “pdf” file was zipped.

The ZIP format is an incredibly useful compression and archiving standard that was even more important back when internet access was typically via modem. The downside is that if the package is really a virus installer it will not only unpack the virus files but execute them, infecting your system. For this reason any decent virus scanner will search through .zip files as they come in, but some viruses still slip through, especially in email. Also, PDF files are already compressed so there is little benefit from further compressing them (technically speaking – the graphics are already compressed. You may save some space by compressing the text more). Someone legitimately sending a PDF – or any document small enough to reasonably email (a word DOC file, etc.) – will almost never go out of their way to zip it up. Laziness, if nothing else, practically guarantees this.

As a matter of nettiquette, never email someone a .zip file without warning them ahead of time, and if you receive one without a prior heads up from a known, trusted source, be very suspicious. One of the nastiest infections I cleaned out looked like it came from a trusted source so the client opened it up without checking with the sender.

To wrap the story up, I took a snapshot of my virtual Vista installation under VMWare Fusion so I could restore to that earlier point, and looked at the zip file.  As expected, the antivirus software immediately caught it and archived it.