
Alerts

No Alerts at this time.

E-mail: security@lbl.gov

Berkeley Lab is receiving malicious emails that use a variety of new tactics to compromise your computer. The emails are commonly disguised as greeting cards, Valentine's Day cards, Super Bowl information, and Presidential Primaries information. This page is designed to help you identify these new tactics. As new tactics are discovered, the Cyber Security team will post them here. Below are the current tactics.

Commonly, viruses are sent as attachments to email. However, as anti-virus protection for email has improved, it has become increasingly difficult for malicious people to send viruses as attachments.

Malicious people have modified their behavior. Now, instead of sending viruses as attachments, where anti-virus can detect them, malicious people are sending links to malware. Since the link does not actually contain a virus, the email avoids being flagged by email anti-virus protection.

For example, below is a recent email attack using this strategy.

You have just received a "special message postcard" from someone who cares about you.

Just click here (http://#) to receive your Animated Greeting!

Thank you for using www.compromiseyourcomputergreetings.com services. Please take this opportunity to let your friends hear about us by sending them a postcard.

The message has no attachment, thus making it impossible for anti-virus to detect anything malicious. Notice where it says "here" in the message. "here" actually links to http://1uu.us.no/greeting23742232-client.exe.

If you click the "here" link, your browser will download the virus. Your browser will then present a dialog box as shown below.

If you click "Run" (or "Open" on some browsers), your system will become infected with a virus. This virus could delete all of your data or allow a malicious person to control your computer.

Malicious people have been sending links to malicious websites for some time, e.g. http://www.badsite.com. However, as anti-spam technology has improved, it has become increasingly difficult for malicious people to send these links. Malicious people have now evolved to send links that use an IP address instead of a site name, as a method to avoid anti-spam filters.

For example, below is a recent email attack using this strategy.

Subject: Special Romance

Hugging My Pillow http://121.173.131.225

If you click the link and visit this site, you will be prompted to download malware. Notice the message is kept very vague to avoid spam filters. If you see a link with an IP address (e.g. 121.173.131.225), you should be especially suspicious of the message.

In order to assist Berkeley Lab users in identifying potentially dangerous links in email, Cyber Security has begun to insert a message into emails that have potentially dangerous links. Specifically, suspicious email messages will have the following lines inserted:

Subject:
[WARNING::SUSPICIOUS LINK]

Footer:
Please be EXTREMELY careful about the above link(s).
The Berkeley Lab Computer Protection Program inserted this warning because the email contains a suspicious link.
For more information, see the Berkeley lab web page here: [link to this page]

The reason Cyber Security is only inserting this message, as opposed to deleting or quarantining the email, is that there are legitimate cases where these types of links are used. Therefore, for the time being, Cyber Security is raising awareness about these suspicious links while preserving legitimate links. The hope is that people will see this warning and spend just a moment to think before they click the link.
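
The tagging described above can be illustrated in Python. This is an added example, not Berkeley Lab's actual mail filter: the two heuristics (a link whose host is an IP address, a link to an executable file), the extension list, and the function names are assumptions drawn from the two tactics described on this page.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

SUBJECT_TAG = "[WARNING::SUSPICIOUS LINK]"  # tag text quoted on this page
FOOTER = ("\n\nPlease be EXTREMELY careful about the above link(s).\n"
          "The Berkeley Lab Computer Protection Program inserted this warning "
          "because the email contains a suspicious link.\n"
          "For more information, see the Berkeley lab web page here: [link to this page]\n")
# Assumed heuristics, derived from the two tactics described on this page.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def link_reasons(url):
    """Return the reasons a URL looks suspicious (empty list if none)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ["unparseable url"]
    reasons = []
    try:
        ipaddress.ip_address(parts.hostname or "")
        reasons.append("ip-literal host")
    except ValueError:
        pass  # host is a name, not an IP address
    if parts.path.lower().endswith(EXECUTABLE_EXT):
        reasons.append("executable download")
    return reasons

def tag_message(raw):
    """Tag the subject and append the footer if any link is suspicious."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    urls = [u.rstrip(".,;") for u in URL_RE.findall(body)]
    findings = {u: link_reasons(u) for u in urls if link_reasons(u)}
    if findings and SUBJECT_TAG not in msg.get("Subject", ""):
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"{SUBJECT_TAG} {subject}".strip()
        msg.set_payload(body + FOOTER)
    return msg, findings

# Constructed sample messages modelled on the two examples on this page.
SAMPLE_IP = "Subject: Special Romance\n\nHugging My Pillow http://121.173.131.225\n"
SAMPLE_EXE = ("Subject: Postcard\n\nJust click here "
              "(http://1uu.us.no/greeting23742232-client.exe) to receive it!\n")
SAMPLE_OK = "Subject: Help\n\nSee http://www.lbl.gov/help for assistance.\n"
```

This handles single-part plain-text messages only. For HTML mail, where the visible text (such as "here") hides the real target, the same checks would have to be applied to each link's `href` value rather than to the visible text.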

If you are not absolutely, positively confident about an email, be extremely cautious. Many links are malicious.

If you are not sure, don't click.

You can forward suspicious email to security@lbl.gov for further assistance.

If you have questions or comments about this website, please contact the Cyber Security team via email at security@lbl.gov.

If you need general computer assistance, please contact the LBNL Help Desk at x4357, help@lbl.gov, or online at http://www.lbl.gov/help.