Stop the (Network Security) Insanity!

by Rick Popko
August 18, 2010 at 9:09 am

Author bio: Rick Popko is a PR Manager at Fortinet, where he specializes in media relations. Prior to his career in public relations, Rick was a journalist at a number of Bay Area tech pubs including CNET, Maximum PC, DV, Streaming Media and Multimedia World.

Targeted Spam: An Unfair Blow to Security

by Axelle Apvrille
November 5, 2009 at 11:40 am

Today, I feel like telling you a true story that happened at Fortinet, the story of Jane Doe.

Jane Doe works for Human Resources at the reception desk, so she is used to receiving lots of mail and plenty of UPS or DHL parcels for the company. Some time ago, Jane received an e-mail from DHL notifying her that they had been unable to deliver a parcel (see figure below). Since she handles DHL parcels every day, she did not give this e-mail any particular attention and, quite absent-mindedly, tried to open the attachment. Fortunately, she did not manage to unzip anything, because the attachment had already been removed by FortiMail. Only then did Jane realize there was something strange about the e-mail.


Figure 1. Bredolab spam example. Apart from the sender, it looks real.

Covert advertisement for FortiMail aside ;) this example perfectly illustrates the efficiency of targeted spamming. Forge a plausible e-mail (UPS and DHL do routinely include attachments in the e-mails they send about this or that parcel) and send it to the right mailbox (a person who expects DHL parcels): infection is close to guaranteed. The proof: it would have worked even at Fortinet, where employees are particularly well aware of the dangers of viruses. So, spammers, please don’t do this: it is an unfair blow.

Incidentally, we had a look at the statistics of our scanning system. From about 50-100 spam mails per day in mid-to-late September, the DHL spam rose to a large spike, peaking on October 13th (around 3,000 spam mails collected by our system), and has recently tapered off. This spam campaign infects victims with Bredolab.
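The story turns on two tells: the sender domain does not belong to the brand the message claims to come from, and the "tracking" attachment is a zip whose member is an executable. The following Python sketch applies both to a constructed message modelled on the DHL lure. It is an added illustration for this page, not Fortinet or FortiMail code; the brand-to-domain table, the extension list, the sender addresses and the sample message are all assumptions made for the example.

```python
"""Triage of brand-impersonating parcel notices (constructed example, not Fortinet code)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Brands commonly impersonated in parcel-notice lures, mapped to the sender
# domains we accept for each. ASSUMPTION: these lists are illustrative; a real
# gateway would maintain them from each carrier's published sending domains.
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de"},
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
}

# Member extensions that have no business inside a "tracking label" archive.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def sender_info(msg):
    """Return (display_name, lowercased domain) of the first From address."""
    header = msg["from"]
    if header is None or not header.addresses:
        return "", ""
    addr = header.addresses[0]
    return addr.display_name, addr.domain.lower()


def impersonated_brand(msg):
    """Name the brand the message claims to come from, judged by display name and Subject."""
    display, _ = sender_info(msg)
    text = f"{display} {msg.get('subject', '')}".lower()
    for brand in BRAND_DOMAINS:
        if brand in text:
            return brand
    return None


def executables_in_zip_attachments(msg):
    """List executable member names found inside any zip attachment."""
    found = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for name in zf.namelist():
                ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
                if ext in EXECUTABLE_EXTS:
                    found.append(name)
    return found


def triage(raw):
    """Decide whether a raw RFC 5322 message should be quarantined, and why."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    brand = impersonated_brand(msg)
    _, domain = sender_info(msg)
    reasons = []
    if brand and domain not in BRAND_DOMAINS[brand]:
        reasons.append(f"claims {brand.upper()} but sent from {domain}")
    exes = executables_in_zip_attachments(msg)
    if exes:
        reasons.append(f"executable inside zip attachment: {exes}")
    return {"brand": brand, "sender_domain": domain,
            "reasons": reasons, "quarantine": bool(reasons)}


def build_sample(sender="DHL Express <notify@example-mailer.net>",
                 member="DHL_Tracking_Label.exe"):
    """Construct a message shaped like the DHL lure in the post (invented content)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr(member, b"MZ" + b"\x00" * 64)  # fake PE stub, not real code
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "reception@example.com"
    msg["Subject"] = "DHL delivery failure notification"
    msg.set_content("We were unable to deliver your parcel. Print the attached label.")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="DHL_label.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample(sender="DHL <noreply@dhl.com>", member="label.pdf")))
```

The first call flags the lure on both counts; the second, a notice from an accepted DHL domain carrying a PDF, passes. Note that neither check needs the payload to be recognised as Bredolab: the mismatch between claimed brand and sending domain is visible in the headers, which is exactly the one thing Jane noticed only after the fact.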

Guillaume Lovet, Derek Manky, Doug McDonald, Alexandre Aumoine and Jane Doe are the main contributors to this blog entry. Many thanks!

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and operating systems. She is a senior antivirus analyst and researcher at Fortinet, where she looks more specifically into mobile malware.

The most dangerous thing you can do: Cross the road?

by Darren Turnbull
April 7, 2009 at 9:02 am

Well, that would be the usual boring answer from the guy down at the pub who isn’t really entering into the spirit of the conversation. How about this one… Be shot out of a cannon: that’s pretty dangerous. But with a little thought we can make it safer. For a start, how big is the cannon? Where is it aiming? Can I wear a crash helmet? Can I land in a very large safety net? Can I get someone else to do it for me?

Of course, reading e-mail can be a pretty dangerous business too, with all those requests from your bank, or someone else’s bank, to make sure you validate your password just one more time. Or the links to special-interest web sites eager to part you from your money. Or even some distant relative desperate to give you a share of those millions you thought were lost forever.

Of course we take precautions here, too, looking left and right, not doing anything stupid. But what if we are taken over by a feeling of wanting to know just what it would be like to be shot from a cannon?

The tempting invitation to the Cannon Shoot arriving in your inbox in the first place means that your first line of defence, antispam, has been breached. You may still have some client software installed, but this time it has failed you too. So you click the Cannon Shoot registration link, but the site has been blocked by your content-filtering safety net, phew! Someone has been busy rating dodgy web sites on your behalf. Had you been able to reach the site and download that little software application, you too could soon have been hosting your own Cannon Shoot. Of course, the malware would still need to get itself installed on your PC, and that is where antivirus gets its say. Even if that happened, here again someone has been working on your behalf, making sure that even in this worst case the software you installed would not be able to call home for the latest Cannon Shoot invitation instructions.

If we didn’t have antispam, content filtering, antivirus and intrusion protection defences, it would pretty soon not be safe to cross the road: you’d be dodging all those crash-helmet-clad cannonballs flying up the street.

Author bio: Darren Turnbull has more than 25 years’ experience in the carrier and security fields, both designing security and network solutions and developing product-based solutions for customers. He is a director on Fortinet's product management team.