DOC files and social engineering

Tuesday, July 3, 2007 at 6:14am by Allysa Myers

There has been a raft of new variants of various Spy-Agent malware over the past few weeks. They arrive as DOC files that carry another file embedded inside, and that embedded file must be double-clicked before anything runs. Almost invariably, the files pose as a notice of a complaint from some agency or other (IRS, Better Business Bureau, etc.), and when you open the DOC the only text is an instruction to double-click the file inside.

Note that I say nothing about any exploits, anything automatically running, or any of the sorts of scary technology we’ve become accustomed to. This is pure, simple social engineering. Scare a person into jumping through a variety of hoops. And all indications point to the fact that this technique is working remarkably well.

The question this brings up to me is, when did people stop filtering DOC files? It used to be de rigueur to filter office files at the gateway, back in the macro virus days. Despite the incredible popularity of targeted attacks using MS Office files, this seems to have fallen out of fashion.

So, I open this up to you, Dear Readers:

What file types, if any, do you filter at the gateway? Why did you choose that file type, and/or reject filtering for other file types?


Comments (4)

  • AZOR September 13, 2007 4:44PM

    People must filter files by source; filtering by type of file is not safe. There are a lot of formats with unknown overflow bugs. Example: JPG seems safe, but …

  • Allysa Myers July 3, 2007 2:22PM

    Matt – This will vary depending on what filtering software you’re using. Filtering on these two things will save you from more “old-fashioned” techniques, but it will not necessarily stop the many exploits that have been targeting MS office files.
    John – You are correct, it is in fact an RTF file internally. RTF files have also been targeted for exploits and malware for many years, and in my opinion these should be considered equally as dangerous as other office file-types.

  • John July 3, 2007 7:51AM

    It’s actually not a .doc file, it’s an RTF file with a .doc extension. If gateways are filtering on content and not extension, they may be allowing RTF files.

  • matt July 3, 2007 7:33AM

    How do you filter MS-Office files such that all files with embedded OLE objects or attached VBA code are flagged for review/deletion but all other office files pass through without delay or modification?….
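The post and the thread raise two concrete filtering questions: whether to trust the extension or the content (John's point that the "DOC" is really RTF), and how to flag Office files that carry embedded objects or VBA while passing the rest (Matt's question). The following is an added example written for this page, not McAfee's code and not the author's: a small content-based attachment inspector. It classifies by leading bytes rather than extension, flags an extension/content mismatch, looks for RTF `\object`/`\objemb` control words (the "file inside" the post describes), checks OOXML zips for a `vbaProject.bin` part or an `embeddings/` folder, and applies a raw-byte heuristic for VBA storage names in legacy OLE2 files. The function names and the pass/quarantine policy are this example's own choices, the sample inputs are constructed stubs rather than real documents, and the OLE2 check is an assumption-level heuristic (a full compound-file directory walk would be more precise).

```python
import io
import re
import zipfile

# Magic bytes identifying the real container, regardless of the file extension.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary Office (.doc/.xls)
RTF_MAGIC = b"{\\rtf"                               # Rich Text Format
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.xlsm) is a zip

# RTF control words that introduce an embedded object, i.e. a "file inside" the document.
RTF_OBJECT_RE = re.compile(rb"\\(?:objemb|objdata|objclass|object)\b")

# UTF-16LE directory-entry names that appear when a legacy Office file carries VBA.
# Heuristic raw scan (assumption: good enough for triage; a CFB directory walk is exact).
OLE_MACRO_MARKERS = ("Macros".encode("utf-16-le"), "_VBA_PROJECT".encode("utf-16-le"))

# Which container each extension is expected to carry.
EXPECTED_CONTAINER = {
    "doc": "ole2", "dot": "ole2", "xls": "ole2",
    "rtf": "rtf",
    "docx": "ooxml", "docm": "ooxml", "xlsx": "ooxml", "xlsm": "ooxml",
}


def detect_container(data: bytes) -> str:
    """Classify by leading bytes, never by the name the sender chose."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return the detected container, a list of findings and a pass/quarantine verdict."""
    container = detect_container(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []

    # Extension/content mismatch: e.g. an RTF body shipped under a .doc name.
    expected = EXPECTED_CONTAINER.get(ext)
    if expected is not None and expected != container:
        findings.append(f"extension .{ext} does not match content type {container}")

    if container == "rtf":
        if RTF_OBJECT_RE.search(data):
            findings.append("rtf embedded object")
    elif container == "ole2":
        if any(marker in data for marker in OLE_MACRO_MARKERS):
            findings.append("ole2 vba macro storage (heuristic)")
    elif container == "ooxml":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            names = []
            findings.append("ooxml zip container is corrupt")
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("ooxml vba project")
        if any("/embeddings/" in n for n in names):
            findings.append("ooxml embedded object")

    return {"container": container, "findings": findings,
            "action": "quarantine" if findings else "pass"}


# Constructed sample inputs (stubs, not real documents). First, the pattern from the post:
# an RTF body with an embedded object, delivered under a .doc name.
SAMPLE_RTF_AS_DOC = (b"{\\rtf1\\ansi Notice of complaint. Double-click the file below.\\par "
                     b"{\\object\\objemb{\\*\\objdata 0105000002000000}}}")
# Constructed stub of a legacy binary .doc with no macro markers.
SAMPLE_CLEAN_OLE = OLE2_MAGIC + b"\x00" * 120
# Constructed stub of a legacy binary .doc containing a Word "Macros" storage name.
SAMPLE_MACRO_OLE = OLE2_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le") + b"\x00" * 32


def build_macro_docx() -> bytes:
    """Build a minimal constructed OOXML zip that carries a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("complaint_notice.doc", SAMPLE_RTF_AS_DOC),
                       ("report.doc", SAMPLE_CLEAN_OLE),
                       ("report.doc", SAMPLE_MACRO_OLE),
                       ("invoice.docx", build_macro_docx())]:
        print(name, inspect_attachment(name, blob))
```

Run as a script it prints one verdict per sample; the RTF-as-DOC case is quarantined on two findings (mismatch plus embedded object), the plain binary .doc passes untouched, and the macro-bearing files are held for review. This is the shape of the policy Matt asks for: files without embedded objects or VBA flow through unmodified, and the decision is made on content rather than on the extension an attacker chose.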