Not found by Norton

I obtained a copy of the ZIP file mailed to the victim. My AVG antivirus spotted the email as containing the virus. The victim said that her Norton AV didn't flag the email and didn't recognize the virus when she specifically had Norton AV scan it. I forwarded the virus laden ZIP file to someone who kept their Nortons up to date. Again, Norton failed to respond when that email arrived or was scanned.

Conclusion, people who rely on Nortons to find this virus are going to be infected. The best approach is to not run executables, zipped or not, that you receive from strangers.

The received file attachment was entitled 'ThePictures.zip' or something like that. The executable was something like viewpics.exe.

Title

I would say that the moral of the story is not so much to stop using

eBay or PayPal but rather to stop using Windows. Try using a Mac

or Linux system (for the more advanced). A Mac, although on the

pricier side, costs way less than $8600.

User Error

This is simply user error, No Antivirus out there can detect every virus or alike the ,minute it comes out, people claim AV being better but i personally have found it lets more viruses pass then any other ( remember a virus is no longer what it was ten year ago ) Adware and Spyware are all a form of a virus just with different name.s. im still baffled why anyone would wire that much money without the car in sight, if your not where the car is you use a service like pay pal to make the payment then you can fall back on there policys if ripped ( Maybe ) there was much more this user could have done to protect herself, people need to start realizeing there is nothing different from the internet and real life, you should be taking the same cautions here as you would down the street.

It's a windows thing

"So she has opted to close down her eBay and PayPal accounts and vowed never again to do business with the company."

- You can't blame ebay or paypal, it's Microsoft's insecure operating systems coupled with the way they confuse ordinary users through a poor interface.

PS did you see the yellow bar? WTF!

The bank

she opened an attachment in an email, how many times do we get told not to do that ? Any decent zip program will let you view the contents of a zip file without unzipping it, and who would trust an exe file when you were expecting pictures.

As for her money, I would have thought the first course of action would be to contact the bank she transferred the money to. They must have records of who had that account, and where there are records, there is usually CCTV. As far as I know, what happened is a federal crime in the USA, so the FBI should have been notified. But I expect she has left it too long, and the trail has gone cold by now.

I know for a fact I wouldn't be sitting on my ass if someone had ripped me off for that much cash, even if I had to do all the work myself. A hundred you can put down to experience, but over 8 grand ?

Don't open attachments

> She got infected after clicking on the email attachment

...

> "I don't know what i would have done differently"

What she should have done differently is NOT CLICK ON ATTACHMENTS.

Surely that's the most basic rule that all windows users must learn. Just don't, ever, ever, open an attachment that comes in an email. Ever. Simple as that.

Proxy server vs Hosts file.

Why go to all that hassle when you can add an entry to the hosts file and make www.ebay.com go wherever you like?

This story reminds me of another recent Reg story about a phishing attack where the screenshot showed the correct URL in the address bar - are they related?

And finally - even with Norton being the crap that it is, the user must have ignored a load of warnings in order to run an executable that they'd been sent in email, no?

Blaming the victim

People keep saying "don't open attachments", and blaming this poor woman for the crime. If she went out alone at night and was attacked would you blame her for that too?

Non tech-savvy users could be forgiven for asking why they are presented with the option to open attachments if it's such an unsafe thing to do. If their computer does let them open attachments why does it not protect them?

What if the malware had been introduced by another mechanism, for example a vuln-exploiting website constructed for that purpose. Or even a legitimate website that had been hacked to deliver malware? How could we blame the user then?

If people stop trusting their PCs to make financial transactions there will be a lot of negative consequences. If we as an industry can't prevent this stuff happening it will drag us all down.

@Steven Hewittt

Not "installed" - just clicked on:

> "eBay's security team says she got infected after clicking on the email attachment sent in response to her bid"

Blimey - so that constitutes an application installation on the oh so ready for the desktop Windows platform? From within an e-mail body? Windows won't ever be ready for the desktop until attachments can be opened without fear of something exploiting one of its gaping holes. Well, there are *so* many to choose from - all aided by 'user-friendly features' of the OS.

> Write one for Linux, Mac, even HP-UX and the app will do as it's told.

Well it can try, but (1) the application wouldn't run just by clicking on an icon in an e-mail - that's a Windows-only stupidity and another example of it not being ready for the desktop, (2) it would need to be run as root before being able to do anything worrying, (3) there are many forms of an 'executable' file under Linux so something malicious would need to be the correct type and (4) it would need to be written for the correct host CPU - not something Windows has had to concern itself with very much, which must make one aspect of creating malicious code for Windows even easier.

And (5), for a user to actually succeed and install something malicious into the OS they'd need to work on it and 'get out and push'.

errr - where are the police?!?!?

Am I missing the point here --- the woman has the other party's bank details. They have defrauded her of $8600 --- surely there's cause for the police to be brought in on this? Seems to me that the thieves still have to get away with the money.

Re: Warning flag

Good story, I like it.

This has little to do with operating systems, or even AV software - I'm sure we'll see more sophisticated exploits arise, and on Macs too, as the rewards become greater. 8k per gullible person is a rare treat.

It's all about education. You wouldn't let your kid cross the road if they didn't know to look left & right first, would you? And they wouldn't know unless you told them...or it was too late.

Education has to start with the software author - warnings about email attachments the first time they appear in a specific context ...

I mean, come ON we all know .exe files are BAD news.. so WARN people!

Duh/.

Apples to oranges

>People keep saying "don't open attachments", and blaming this poor woman for the crime. If she went out alone at night and was attacked would you blame her for that too?

Not a good comparison. More along the lines "If she went out alone at night, found a bad guy doing nothing in a street corner, asked him politely to hit her and then blamed him for doing it.

AFAICS, there is no mention whatsoever that there was any flaw exploitation. It was a simple email attachment. It happened to be an executable one. The user opted for running it, why should the OS stop her? Since when does an OS dictate what i can or can not do?

Sorry, she has my sympathy, but not a "slap in the wrist and more careful next time". It cost her 8G, might cost someone else much more.

Its high time we stop looking to technology as a panacea that can cure all wrongs. Its not. Its a tool. Use it the way it is supposed to be used and it will do its job. Use it in a dangerous way and it might have dangerous results. And if that means that Joe Avg can not use a computer because he does not have the knowledge to do so in a responsible way, so be it. We don't let people driver without a drivers license or do surgery without a degree in medicine. Joe Clueless is the reson you have spamm in todays scale and botnets and just abou everything BadWareTM that plagues IT.

Computers have made themselves trivial and accessible to all users. Unfortunately, that ease of use has a price. The avg user has no clue about what he is using. They do not understand the underlying technology, how can they shore themselves up against this kind of things? Knowledge is power, and it empowers the individual. As long as we keep it "easy for dummies" they will remain clueless and vulnerable. Only through knowledge can they avoid such pitfalls.

Somewhere along the line we will have to stop blaming this and that for everything. People have to be responsible for their actions. If we keep blaming all but ourselves for the problems, we solve nothing and keep things just the way they are.

Still...

It could have been much worse though ,

imagine it...... ( music ) ....

You're still eight grand down ..... and......

You've got a JEEP .

soz , coat , cape , winglets etc etc .

Something for the fraud squad

The only technical solution for this kind of attack would be to prevent PC's from having any form of local name service. Whether a webserver is installed or whether /etc/hosts (or wherever it is in Windows) is immaterial, the user will receive a different URL from the one they are expecting. While this might be desirable and applicable for 99% of PC's it would probably only move the target to the name server configuration.

The point is that this is not an IT story. It is a simple case of fraud and should be treated as such and the woman should be protected under consumer protection legislation: she has paid for a car and not received the car. The crime is no different to the reported sales of London Bridge to gullible tourists.

We have become extremely used to the comfort afforded by online services. Why should it surprise anyone that criminals seek to take advantage of that?

I agree wholeheartedly with those critics of eBay for it's rather cavalier approach to consumer protection as there are more than a few problems with the platform eBay and PayPal which make child's play of abusing the system.

Confused?

Ok maybe someone can explain how this happened to me, maybe im missing something?

First she put a bid on a jeep on ebay? Then she receives the email confirmation letter from ebay acknowledging the bid (or the fake one pretending to be from ebay). In this email there's an executable supposedly containing pics. OK yes she's been a bit of a twit to run an executable, but how is it the scammers knew she'd bid on that jeep in the first place?

Surely ebay doesnt send the email address of every bidder to the seller? So how did they get her email address and know she'd bid on that specific product? Am i missing something here?

Oh and agree totally that ebay and paypal are absolute bastards when it comes to customer service - been screwed by paypal for £70 because although i checked the e-cheque method of payment for an international transfer to another account they decided to do it as an instant transfer - difference £7.50 for e-cheque, 3.5% for instant transfer (which came to £80+). When i complained they refused to accept that id checked the e-cheque box and basically told me to get lost. Havent used paypal since...

The real culprits...

..., as far as I am concerned, are the whole Web 2.0 bunch - both users and pushers (sorry, developers).

We (the general public) have been fed the concept of multi-media Mail and we swallowed it. We have been told that our desktop whould behave like a gigantic web browser, and we swallowed it. We have been told that your web-brwser should be abkle to do anything a local application can do, and we swallowed it.

Is it any wonder remote attacks are so prevalent when we keep on having "multi-functionality" pretties jammed down our throat?

I do not use Outlook at home. I refuse to read HTML mail (anything that does not have a text-only version gets automatically deleted). I do not use a browser which requires ActiveX to work properly.

Take back the Web! Fight against feature-creep!

Windows security

Ok fine, so it is possible to have a more secure setup than running as admin, but I honestly don't believe I know of a single windows user who uses a limited account day to day who is not forced to because they have no admin account. This ranges from lusers to IT consultants.

Why? Software on the platform expects full reign. It's easier to run as admin than go without flakey software.

But why? Lazy developers? Or just historical? Or "backward compatibility"? (yeah, bit of +ve spin...)

I'll say all three. And this probably accounts for well over 95% of these instances.

re: No, the real moral of the story is...

@ Franklin

Computers + internet are now aimed at and used by people who don't know, don't want to know and don't care what an exe file is. Or a virus. Or the difference between disk and RAM, etc etc. You can tell them. You can tell them in BLOCK CAPS. What they do know is that if you click OK for long enough you get a result, and it's usually the result you want. My kids use eBay, I tell them it's a snake pit, and they shake their heads and think "what's the daft old bugger on about now?".

They aren't going to understand until they get burnt, and them getting burnt is bad for everyone who works in the biz.

No rules are absolute - I don't open attachments, I have javascript disabled, I don't buy things over the internet etc etc. Except I do sometimes when I think it's ok. Ebay and paypal make great play of how safe they are and how well they protect people and they should be put out of business. How about RICO?

It's no good for computer fanboys to hide behind the "user is a wanker" shield; like or not, t'interent is a consumer appliance. If I buy a microwave oven I have a reasonable expectation that it won't cook my gonads while I'm waiting for it to cook my tea.

Good old Norton

First of all, to all the Mac Fanboys "If you buy a Mac this won't happen to you" crap, can I just say STFU! She might not have been scammed on the car purchase if she had a Mac, but then again she will have already been scammed on her computer purchase.

It would seem that the lady in this story had not done anything wrong, and had pretty much everything in place that you would expect a consumer to have (patches, AV, awareness about phishing, etc) it would seem that Norton AV had let her down. We used to use Norton AV here across all our workshtations and servers . After the e-mail server got infected for the 3rd time (even though Norton was scanning all incoming email.... well it looks like Norton was actually running the incoming email) we decided to change. We now use Kasperkey Client/Server and so far (touch wood) we have not had the same problems, infact Kaspersky regularly gives warnings about e-mails that Norton did not do.

Re: NEVER. RUN. AN EXEUTABLE. YOU. RECEIVE. IN. AN. EMAIL.

It's true.

But do we think she knows what an executable file or ".exe" file is? Especially when the default these days is to "hide known file extensions".

But rewinding a little, there's a time and a place for everything. And, at this time, eBay is not the place for buying cars before seeing them in person. Especially if you're not a motors expert.

But having chosen eBay to buy a car, I'm inclined to side with the "don't hand over thousands of pounds/dollars/euros for a car before you have inspected the car in question and the keys are in your hand.

Would this victim go to a doctor for a diagnosis and then eschew the high street pharmacist in order to acquire the necessary treatment via a random email contact?

Ultimate verdict in this case: User error - see the police about getting your money back, not eBay/Paypal, MS or Norton/Symantec.

Criminal Fraud

Sympathies for the victim here. This appears to be a case of criminal fraud, in which case the police should be involved. If the crime crossed state boundaries then I believe it becomes a federal crime, and the FBI would handle it. Nevermind whinging to ebay or Norton, she really should report this to the authorities, if she hasn't already.

Of course...

Of course, if she had been using Vista she would be using the one operating system that might have warned her about this on its own...

On another note, Norton is terrible, yet has no need to improve itself because it's sold as part of so many package PCs. In order to fix the problem of people using bad software to protect themselves there needs to be a change in the way that companies such as PC World get away with flogging bad support and bad software to the people that don't know what they are doing.

Insofar as complaining about Windows is concerned, people are too easily overwhelmed by Linux to make it a viable solution for the general public (although being capable of using Linux might be an interesting requirement for ownership of a PC), and for those of us who like playing pretty games on our PC, Windows is a must, Macs (while I dislike Apple for many reasons, not least their environmental impact) are a decent solution, but their gaming potential rules them out of my home PC decisions.

@nickj

"It's no good for computer fanboys to hide behind the "user is a wanker" shield; like or not, t'interent is a consumer appliance. If I buy a microwave oven I have a reasonable expectation that it won't cook my gonads while I'm waiting for it to cook my tea."

The problem is not the technology; con men have preyed on the credulous for as long as we've been recognizably human. The technology merely makes the credulous easier to exploit, that's all.

The basic problem here has absolutely nothing to do with computers, and everything to do with the fact that we have a large population of people who believe anything they read without question. "Oh, this executable file will show me pictures of a car I want to buy? This other executable file is from Microsoft and if I run it, I'll make my computer safer? Okay!"

And credulity *is* a social problem, not a technical problem. The woman lost nearly nine grand because she has been brought up to believe that she can trust the things that she reads. That's a problem that no technological measures can solve.

Wait a minute

I think it is terrible to just point the finger at the victim here. As I am sure all of you have a mother, sisiter, brother, friend etc that also is not the best with computers and would you be responding to them this way? Yes I know many of us our computer savy- but as a friend of the victim and someone who is computer savy I can verify this was a good scam. One the email was in response to an email she sent to the seller from a listing on EBAY for a vehicle. The fact that she initiated contact would already have most people putting their guard down. The email the seller sent was in response and had a zip file attached. Not everyone would have caught this (the zip had an exe. but warning was not given) Anyway this is a big deal because when you get on Ebay and make contact with others listing and selling items - you shouldn't have to think everyone is out to scam you. And then you should have seen her computer. Everything matched up - carfax showed exactly what the seller had told her, autocheck, the seller provided her with all of her checking account information, and her inbox in Ebay showed the vehicle with all details as "won" - and people do have vehicles shipped all over (not ups) but different auto transport companies. Anyway instead of blaming the victim for opening an email- How about the fact that Ebay should have a sign on their website that says AT YOUR OWN RISK- because they are allowing these fraud sellers to list vehicles for ten days at a time. Not that ebay opened the email..... but when you have these frauduant listing being posted for days on end and over and over again something bad as an result is going to happen. These people (she is one of many victims) wouldn't be getting scammed by this if they weren't getting connected with these people on Ebay's site to begin with.