What Should You Look out for And How to Prevent a Trojan Horse Email?

What should you look out for and how to prevent a 'Trojan Horse Email'?

The original Trojan Horse was kind of obvious. Giant wooden horse left outside your gates by people you’ve been fighting for 10 years. Come on, get real. Some of the modern ones are also obvious - “Final warning from the IRS” when you’re not a US citizen. Others are a bit more tricky - “Please pay the attached invoice” when you’re a buyer for a large company and that’s your job. If you’re an active eBayer and get a message about a package delivery, you’ll probably look at it, but you should know what a real FedEx or UPS email looks like. It doesn’t have an attachment, it gives a tracking code. You can go to the tracking website yourself, you don’t have to click the link in the email. Most trojan horse attachments are executables - program binaries for Windows, or scripts, or macros in Word or PDF documents. T may be inside a zip file, or protected with a password. There’s no good reason to send a Windows binary in email. I block them all on principle, but many sites don’t. There’s little reason to send an editable and active Word document to someone unless you are collaborating on it - send a PDF instead - but that’s too common to block. It’s still suspicious. Why should someone send an invoice as Word ? I could alter it and pay them less. If an attachment content does not match the suffix, that’s suspicious. An invoice should probably be JPEG or PDF or maybe HTML - invoice.jpg or invoice.pdf, not invoice_jpg.exe or invoice.pdf.js. The filetype icon should match. If you don’t recognize it, don’t open it. Or open it in notepad, don’t just double-click. It’s fairly easy to recognize JPEG, PDF, EXE etc. from the first dozen bytes in the file. Putting single files in a Zip file is suspicious - it makes it look like you have something to hide. Password-protected files are suspicious; it’s a way to evade pattern-based filters like antivirus or anti-spam. If in doubt, upload to e.g. VirusTotal without opening. Don’t rely on desktop or email antivirus - it takes hours or days to recognize new threats. Do not use an administrator account for normal work. Do not click “OK” without reading. Do not give an administrator password just to read an email. In one case I investigated last year, a buyer opened an “invoice” that was a javascript file. On his Windows system, that launched IE even though that was not his default browser, which executed an embedded VBscript, which downloaded and executed a cryptolocker executable which damaged both his own files and those on a network server. None of these were detected by desktop antivirus or Windows Defender till about 4 days later. Fortunately, the network server had backups. Recently, I’ve been getting reports of a PDF “invoice” which asks for a password. Inside there’s just a link, which downloads a malicious Word document with embedded macros. I don’t know what would happen if you run the macros, or have auto-run enabled; I don’t have Word. Nothing good, I imagine. The macros are obfuscated so I could not easily figure out what t did by looking at them. If you abandon Windows and run Linux for email, you’d be fairly safe. The overwhelming majority of trojans target Windows, at least for the actual payload.