Overview
Berkeley Lab is receiving malicious emails using a variety of new tactics to compromise your computer. The emails are commonly disguised as greeting cards, Valentine's Day cards, Super Bowl information, and Presidential Primaries information. This page is designed to help you identify these new tactics. As new tactics are discovered, the Cyber Security team will post them here. Below are the current tactics.
Links to .exe Files
Commonly, viruses are sent as attachments to email. However, as anti-virus protection for email has improved, it has become increasingly difficult for malicious people to send viruses as attachments.
Malicious people have modified their behavior. Now, instead of sending viruses as attachments, where anti-virus can detect them, malicious people are sending links to malware. Since the link does not actually contain a virus, the email avoids being flagged by email anti-virus protection.
For example, below is a recent email attack using this strategy.
You have just received a "special message postcard" from someone who cares about you.
Just click here (http://#) to receive your Animated Greeting!
Thank you for using www.compromiseyourcomputergreetings.com services. Please take this opportunity to let your friends hear about us by sending them a postcard.
The message has no attachment, thus making it impossible for anti-virus to detect anything malicious. Notice where it says "here" in the message. "here" actually links to http://1uu.us.no/greeting23742232-client.exe.
If you click the "here" link, your browser will download the virus. Your browser will then present a dialog box as shown below.
If you click "Run" (or "Open" on some browsers), your system will become infected with a virus. This virus could delete all of your data or allow a malicious person to control your computer.
Links to IP Addresses
Malicious people have been sending links to malicious websites for some time, e.g. http://www.badsite.com. However, as anti-spam technology has improved, it has become increasingly difficult for malicious people to send these links. Malicious people have now moved to sending links to the IP address instead, as a method to avoid anti-spam filters.
For example, below is a recent email attack using this strategy.
Subject: Special Romance
Hugging My Pillow http://121.173.131.225
If you click the link and visit this site, you will be prompted to download malware. Notice the message is kept very vague to avoid spam filters. If you see a link with an IP address (e.g. 121.173.131.225), you should be especially suspicious of the message.
Suspicious Link Warning
In order to assist Berkeley Lab users in identifying potentially dangerous links in email, Cyber Security has begun to insert a message into emails that have potentially dangerous links. Specifically, suspicious email messages will have the following lines inserted:
Subject:
[WARNING::SUSPICIOUS LINK]
Footer:
Please be EXTREMELY careful about the above link(s).
The Berkeley Lab Computer Protection Program inserted this warning because the email contains a suspicious link.
For more information, see the Berkeley Lab web page here: [link to this page]
The reason Cyber Security is only inserting this message, as opposed to deleting or quarantining the message, is that there are legitimate cases where these types of links are used. Therefore, for the time being, Cyber Security is raising awareness about these suspicious links while preserving legitimate links. The hope is that people will see this warning and spend just a moment to think before they click the link.
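A sketch of the kind of check described on this page, as an added example that is not Berkeley Lab's actual filter: it reads the real link targets out of an HTML message, flags the two tactics above, and applies the subject tag and footer line quoted above. The function names and sample messages are constructed for illustration, and it assumes the message body is HTML.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

WARNING_TAG = "[WARNING::SUSPICIOUS LINK]"  # subject tag quoted on this page
FOOTER = "Please be EXTREMELY careful about the above link(s)."


class LinkCollector(HTMLParser):
    """Collects href targets: what the browser follows, not the visible text."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def suspicious_reason(url):
    """Return why a link matches one of the two tactics, or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)  # raises ValueError for ordinary host names
        return "link to a bare IP address"
    except ValueError:
        pass
    if parts.path.lower().endswith(".exe"):
        return "link to an .exe file"
    return None


def tag_message(subject, html_body):
    """Return (subject, body, findings); tag only when a link is suspicious."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = [(u, r) for u in collector.hrefs if (r := suspicious_reason(u))]
    if findings and not subject.startswith(WARNING_TAG):
        subject = WARNING_TAG + " " + subject
        html_body += "<p>" + FOOTER + "</p>"
    return subject, html_body, findings


# Constructed samples modelled on the two emails quoted on this page.
CARD = '<p>Just click <a href="http://1uu.us.no/greeting23742232-client.exe">here</a></p>'
ROMANCE = '<p>Hugging My Pillow <a href="http://121.173.131.225">http://121.173.131.225</a></p>'
BENIGN = '<p>See <a href="https://www.example.org/agenda.html">the agenda</a></p>'
```

The message is tagged rather than dropped, matching the approach described above, so a legitimate link that happens to match still reaches the reader.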
Guidance
If you are not absolutely, positively confident about an email, be extremely cautious. Many links are malicious.
If you are not sure, don't click.
You can forward suspicious email to [email protected] for further assistance.
Help / Feedback
If you have questions or comments about this website, please contact the Cyber Security team via email at [email protected].
If you need general computer assistance, please contact the LBNL Help Desk at x4357, [email protected], or online at .