U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Alert (SA07-303A)

Federal Trade Commission Reports Spoofed Email

Original release date: October 30, 2007

Systems Affected

  • Any computer system can be affected when a person is a victim of social engineering, such as what can occur when malicious code is inadvertently downloaded from an attachment in a spoofed email.

Overview

The Federal Trade Commission (FTC) is reporting that spoofed email messages that appear to come from the FTC contain malicious attachments. If you open one of these attachments you may infect your computer with a keystroke logger or other malicious code.

Solution

Be suspicious

Exercise caution when opening email messages and attachments. In this case, the FTC describes the spoofed email as follows:

    The spoof email includes a phony sender's address, making it appear the email is from "frauddep@ftc.gov" and also spoofs the return-path and reply-to fields to hide the email's true origin. While the email includes the FTC seal, it has grammatical errors, misspellings, and incorrect syntax.
Attackers often construct email messages and web sites to imitate legitimate organizations in order to more effectively convince you to open and execute malicious attachments or click on malicious links.

For more information about social engineering, phishing attacks, and email attachments please see Tips ST04-014 and ST04-010

Install and update anti-virus software

Updated anti-virus software can protect you from malicious code. For more information about anti-virus software and how to recover from an infection, please see Tips ST04-005 and ST05-006.

Description

This spoofed email activity relies on social engineering techniques to convince you to open and run a malicious attachment. There is no software vulnerability involved and there is no software update to protect against this type of activity. For more information please see the FTC report.


References

  • Cyber Security Tip ST04-014 - Avoiding Social Engineering and Phishing Attacks - http://www.us-cert.gov/cas/tips/ST04-014.html>
  • Cyber Security Tip ST04-010 - Using Caution with Email Attachments - http://www.us-cert.gov/cas/tips/ST04-010.html>
  • Cyber Security Tip ST04-005 - Understanding Anti-Virus Software - http://www.us-cert.gov/cas/tips/ST04-005.html>>
  • Cyber Security Tip ST05-006 - Recovering from Viruses, Worms, and Trojan Horses - http://www.us-cert.gov/cas/tips/ST04-006.html>
  • Trends in Badware 2007 - http://www.stopbadware.org/home/consumerreport>
  • Don't Open Bogus Email that Comes from the FTC - http://www.ftc.gov/opa/2007/10/bogus.shtm>

.

Revision History

  • October 30, 2007: Initial release
    October 31, 2007: Updated references and links to Tips, added INFO#281692 tag, fixed ST04-014 link

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top