Intrusion, thy name is File Attachments. The great scourge of the internet, of businesses and of security, and the starting point for a large share of successful hacks, is a completely avoidable action.
In previous posts, I’ve discussed the utmost importance of not opening attachments. I want to briefly revisit that, expand on attachments and explain what the mechanics at play are. Education is important to safety.
First, A Story
The inspiration for this particular blog post can be attributed to two emails I received over a couple days. Both of them looked to be from Apple (they were not) and both of them looked to be receipts for purchases I made (I did not).
This “Hey, your money was spent.” scam is pretty effective and relatively new. From a psychological standpoint, it plays on the second level of internet paranoia: having your information stolen is a real possibility. The hacker would have you believe it has already happened and someone has used your card, and the notification of that purchase has been conveniently emailed to you. To start your sleuthing off right, the receipt is a handy .DOCX attachment. They even give specific directions on when I should be concerned, what to do, and how to understand this email.
What can we take away from this story? There are a good number of lessons. I want to highlight how I would suggest you handle this scenario, and why it matters for keeping you safe.
Lesson 1: Attachments Are Potentially Unsafe.
What does the author of this email ultimately want? I can’t be completely sure, but I do know that attached file is the beginning of trouble.
The initial intention is to have me open this pretty common file type (a document) so I can start working out what kind of problem I have. Paradoxically, my problem doesn’t begin unless I open that document. For new readers, I’ll summarize our Best Email Practices blog: Don’t. Open. That. Attachment. Cardinal rule of email in all scenarios.
My first clue is that this is a .DOCX file. Usually the file extension* gives you a good indication of what someone is trying to accomplish. So why are we afraid of Word file attachments?
Back in the day when Windows was a dominant infant ironically stealing its candy from a more mature Apple, Microsoft released Microsoft Office. Office included many of the same programs it does today, notably Word. Until 2007, Word files were saved with a .DOC extension. .DOC is a binary format, and it was never as dumb as it looked: from the mid-1990s a Word document could carry macros, and the macro viruses of that era spread precisely as .DOC attachments.
In 2007, Microsoft changed the format. If you worked with files during that time, you no doubt tried to open a document or spreadsheet on your computer and were met with “This file cannot be opened”. Looking closer, you would have noticed that the problem file’s extension ended in “X” (i.e.: .DOCX, .XLSX, etc.). ** Files with the “X” are built on XML, a popular markup language. A .DOCX is really a zip archive full of XML parts, and opening it means Word unpacks and parses that XML. The XML itself is data, not a program, so the risk comes from what the package carries or points at, not from “running XML”.
Opening Word documents is generally safe because you usually know where they came from. As email attachments, all files are effectively anonymous, even the ones from people you know: the From address is trivial to forge, and a compromised contact’s mailbox sends very convincing mail. A document that carries a macro project, an embedded object or a link to a template on a remote server can be used to compromise a machine, and that is very dangerous in the wrong hands.
Considering what an Office package can hold, you can see why no attachment is safe. Whereas most warnings talk about avoiding .EXE or .ZIP files, Office files can be every bit as dangerous. The macro-enabled .DOCM variant carries code directly; a plain .DOCX can still fetch a macro-bearing template from a remote server, embed an object, or trigger a bug in Word itself. They are effectively little .EXE files cloaked in curiosity.
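Because a .DOCX is a zip archive, you can look inside one for exactly the indicators described above without ever opening it in Word. The following script is an added example, not code from the original post or from Crossroads IT: it unpacks a package given as bytes and reports a stored VBA project, a macro-enabled content type, embedded objects, relationships that point outside the package (such as a remote template) and DDEAUTO field codes. The sample packages it builds are constructed test data, and attacker.example is a placeholder host.

```python
"""Triage a .docx/.docm attachment without opening it in Word.

Added example, not code from the original post. A .docx is a zip archive
of XML parts plus a few binary parts. The XML is inert data; what makes a
document dangerous is what the package carries or points at. This script
lists those indicators for a file given as bytes.
"""
import io
import re
import zipfile

# Content type of a macro-enabled main part (a .docm, whatever the extension says).
MACRO_MAIN_PART = "application/vnd.ms-word.document.macroEnabled.main+xml"
# A <Relationship ... TargetMode="External"/> points outside the package,
# for example at a template on a remote server.
EXTERNAL_REL = re.compile(r'<Relationship\b[^>]*\bTargetMode="External"[^>]*>', re.I)
TARGET_ATTR = re.compile(r'\bTarget="([^"]*)"')


def triage_docx(data: bytes) -> dict:
    """Return the indicators found in an OOXML package given as bytes."""
    findings = {"is_ooxml": False, "macros": False, "dde_field": False,
                "embedded_objects": [], "external_targets": []}
    if not data.startswith(b"PK"):
        # Every real .docx is a zip. Anything else (RTF, a binary .doc, an
        # executable) is wearing the wrong extension.
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = zf.namelist()
    findings["is_ooxml"] = "[Content_Types].xml" in names
    for name in names:
        lower = name.lower()
        if lower.endswith("vbaproject.bin"):
            findings["macros"] = True                 # VBA project stored in the package
        elif lower.startswith("word/embeddings/"):
            findings["embedded_objects"].append(name)  # OLE objects, packaged files
        elif lower.endswith(".rels"):
            text = zf.read(name).decode("utf-8", "replace")
            for rel in EXTERNAL_REL.findall(text):
                m = TARGET_ATTR.search(rel)
                if m:
                    findings["external_targets"].append(m.group(1))
        elif lower == "[content_types].xml":
            if MACRO_MAIN_PART in zf.read(name).decode("utf-8", "replace"):
                findings["macros"] = True
        elif lower == "word/document.xml":
            # A DDEAUTO field code asks Word to launch another program on open.
            if "DDEAUTO" in zf.read(name).decode("utf-8", "replace").upper():
                findings["dde_field"] = True
    return findings


def is_suspicious(findings: dict) -> bool:
    """Anything that can run code, fetch code, or doesn't match its extension."""
    return (not findings["is_ooxml"] or findings["macros"] or findings["dde_field"]
            or bool(findings["embedded_objects"]) or bool(findings["external_targets"]))


def build_sample(macro=False, remote_template=False, embedding=False) -> bytes:
    """Build a minimal package in memory. Constructed test data, not a real
    document; attacker.example is a placeholder host."""
    main_ct = MACRO_MAIN_PART if macro else \
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    '<w:body><w:p><w:r><w:t>Receipt</w:t></w:r></w:p></w:body></w:document>')
        if macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
        if remote_template:
            zf.writestr("word/_rels/settings.xml.rels",
                        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                        'Target="http://attacker.example/template.dotm" TargetMode="External"/></Relationships>')
        if embedding:
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("clean", build_sample()),
                        ("macro + remote template + OLE",
                         build_sample(macro=True, remote_template=True, embedding=True)),
                        ("rtf wearing .docx", b"{\\rtf1 Receipt}")]:
        f = triage_docx(blob)
        print(f"{label}: suspicious={is_suspicious(f)} {f}")
```

Run it against a saved attachment with `triage_docx(open(path, "rb").read())`. The checks are string matches, not a full OOXML parser, so treat a clean result as “nothing obvious”, not as a clean bill of health; a malformed package that exploits a parser bug leaves none of these traces.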
Had I been worried enough about my financial life to open that document, I would have had to rely on my anti-virus to make sure things were cool in the aftermath. I never want to rely on my anti-virus for anything I could have prevented with a second thought.
If I had to guess, the hacker is probably trying to run malicious code on my computer. This could be for an immediate attack, but more likely it’s going to live on my computer and report information back: specifically, the name of the domain my computer belongs to, and the credentials I log in with. Knowing my domain would give away my employer. With code running inside that domain under my credentials, the hacker could get to work.
What was once a fact-finding mission sparked by a benign document, has potentially turned into a nightmare.
Lesson 2: Attachments Are Potentially Unsafe!
This is very important to remember. In fact, I’m repeating it because maybe you skimmed through Lesson 1. I understand, it was a bit long… or maybe you’re not convinced. Be convinced.
Lesson 3: Spotting a Problem Email
Much like the mantra of every rural militia in the Northwest, you can’t trust anything you read. Using my example, there are a few things I can identify in this email that put up immediate red flags about the validity of both the message and the attachment.
- The “From” Address – In this case it was something like Apple@uvbuosd.com. It makes no sense for Apple to send email from outside the Apple.com domain, and they don’t.
- The Receipt Attachment – Reputable companies don’t send receipts as email attachments. They have an Orders section in your account, or the body of the email is the receipt. Rarely, if ever, is it an attachment.
- Specific Instructions – A less reliable indicator, but it applies to most scams. When the scammer needs you to do or think something, they give you very detailed instructions, and they try to allay your fears about the odd request they’re making.
- Professionalism – The email didn’t have the polished feel Apple likes to think it has. Apple puts real effort into that, and many scams skip the work in favor of casting a wider net. Not a great indicator by itself, but good corroboration.
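The first two flags above can be checked mechanically on the raw message, before anything is opened: does the sender’s domain match the brand named in the From line, does the Reply-To point somewhere else, and is there an attachment at all. The script below is an added example, not code from the original post or from Crossroads IT. The brand-domain table is an assumption to be maintained locally, and both sample messages and their sender domains are constructed for illustration.

```python
"""Check a raw email for the Lesson 3 red flags before anything is opened.

Added example, not code from the original post. BRAND_DOMAINS and the two
sample messages are constructed for illustration; the sender domains in
the samples are placeholders, not real hosts.
"""
import os
from email import policy
from email.parser import BytesParser

# Brands a display name might impersonate, and the domains they really mail
# from (assumed list; maintain your own).
BRAND_DOMAINS = {"apple": {"apple.com"}}

# Extensions that run directly when double-clicked.
DIRECTLY_EXECUTABLE = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk", ".hta"}


def _in_domain(domain: str, parent: str) -> bool:
    return domain == parent or domain.endswith("." + parent)


def attachment_flags(filename: str) -> list:
    """Lesson 1 says no attachment is safe, so every one is flagged; a few
    patterns (double extension, directly executable type) get called out."""
    flags = [f"attachment {filename!r} present (do not open it)"]
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()
    if inner_ext:
        # receipt.docx.exe shows up as receipt.docx when Windows hides extensions.
        flags.append(f"attachment {filename!r} has a double extension ({inner_ext}{ext})")
    if ext in DIRECTLY_EXECUTABLE:
        flags.append(f"attachment {filename!r} is directly executable")
    return flags


def red_flags(raw: bytes) -> list:
    """Return human-readable red flags for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return ["no parseable From address"]
    sender = from_hdr.addresses[0]
    from_domain = sender.domain.lower()
    claimed = f"{sender.display_name} {sender.username}".lower()
    for brand, real_domains in BRAND_DOMAINS.items():
        if brand in claimed and not any(_in_domain(from_domain, d) for d in real_domains):
            flags.append(f"From claims {sender.display_name!r} but domain is {from_domain}")
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses:
        reply_domain = reply_to.addresses[0].domain.lower()
        if reply_domain != from_domain:
            flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for part in msg.iter_attachments():
        flags.extend(attachment_flags(part.get_filename() or "(unnamed)"))
    return flags


# Constructed phishing sample modelled on the email described in the post.
PHISH = b"""From: "Apple" <apple@uvbuosd.example>
To: victim@example.com
Reply-To: billing@other-host.example
Subject: Your receipt from Apple
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your card was charged. Open the attached receipt and follow the steps below.
--b1
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="receipt.docx"
Content-Disposition: attachment; filename="receipt.docx"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Constructed legitimate sample: brand in the name, brand's own domain, no attachment.
LEGIT = b"""From: "Apple" <no_reply@email.apple.com>
To: victim@example.com
Subject: Your order is on its way
Content-Type: text/plain

Sign in to your account to view the order.
"""

if __name__ == "__main__":
    for label, raw in [("phish", PHISH), ("legit", LEGIT)]:
        print(label, red_flags(raw))
```

Nothing here proves a message is safe: a forged From address that happens to use the real domain passes the first check, which is why Lesson 4 still applies. The value is in the other direction, flagging the obvious cases before anyone gets curious about the attachment.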
Lesson 4 – What If The Email Is Real?
Of course, there always exists the chance that this email is legitimate, and that something is very wrong and deserves my attention. How do I deal with this problem if the company is trying to warn me?
First thing I should do is close the email anyway. They let me know something might be awry. Mission Accomplished. I then open up a web browser and go to the site independently. In this case I would type in Apple.com, login and check it out.
I cannot stress this enough: If a company has taken the effort to send you an email and it’s urgent enough to attach a document, your account will have a record/warning/message regarding whatever it is they wanted to alert you to. In good companies, there are virtually no exceptions to this practice.
If the email was truthful, you will find the information you need in your account on the website. If you find nothing about what the email was saying, I congratulate you on your justified paranoia. Worst case, call customer service and have them investigate.
The interesting thing about email is that it’s delivered right to you, and that you simply can’t trust it. A great many security failures start with a situation like the one above, from municipal ransomware incidents to corporate breaches. You can avoid the mess if you know how.
Where Crossroads IT Fits In
We fit in all over the place on this topic. We can run mini-seminars about security for your company, configure email filters and anti-virus, set up network monitoring and firewalls… There are plenty of places for us to step in and take care of the details.
Give us a call and we’ll discuss your concerns.
* A quick primer: a file extension is the suffix after the last dot in a filename. The operating system uses it to decide which program opens the file: a file ending in .XLS is an Excel file, .PPT is PowerPoint, and so forth. One caveat: Windows hides the extensions of known file types by default, so a file named receipt.docx.exe is displayed as receipt.docx. Turn that setting off.
** Why the change? 2007 was a burgeoning time in the young life of computing. Much like all late teenagers, it was being taught that the euphoria of independent living had to be met with the brutal reality of co-habitation. Microsoft had created the .DOC format for its Word software, but it was proprietary and didn’t play nice with other programs.
.DOC is a binary format: the document text, the formatting (font, size, etc.) and anything embedded in the document, macros included, live together in one structure that only Word fully understood. The binary format kept files small while still being flexible. The downside was that other programs struggled to open it, and the format was effectively private. Technology demanded more functionality and compatibility if Word was to stay at the head of the class, and .DOC couldn’t deliver on either. Microsoft had effectively cornered themselves and opened the door for other players. Enter .DOCX.
.DOCX is an XML-based package. Basically, it’s a zip file containing a set of XML parts (the text, the styles, the settings) plus any binary parts (images, embedded objects and, in the macro-enabled .DOCM variant, the macro project). Microsoft’s intent was to create a more open standard that other companies were familiar with and could easily adopt, and it worked. XML being a widely used and well-supported markup format, they married it to Word and thus .DOCX was born. It was beautiful, but it had its drawbacks.
The problem with the new format isn’t the XML, which is just data. It’s what the package can carry or point at: a macro project, an embedded object, a link to a template on a remote server, or malformed content that trips a bug in Word itself. With great power….
Copyright © 2018-2019 - Crossroads IT, L.L.C.