
The context is long, so I'll ask my question first.

If an encrypted message is received from an unfamiliar sender and it's spam, how can I avoid receiving further messages of the same sort?

If it's a wrong address and not spam, I can simply respond to clarify the situation. But how can I tell whether it's spam or a wrong address?

I have a hunch that there's simply nothing to be done. Although, at the very least, guidance on whether to delete or mark as spam would be appreciated.

Some details:

  • I'm using Gmail.
  • The services used to deliver these messages (Cisco Registered Envelope Service and Proofpoint Encryption) seem to be on the up-and-up.
  • Each message comes from a different name that I'm not familiar with. The user parts of the email addresses happen to be formatted similarly to mine, with a dot between first and last name.
  • The email messages state that I should disregard them if they're not for me. No recipient information is provided beyond the To: address, so I don't really know whether they are.
  • I have no reason to expect that someone in the healthcare industry is desperately trying to contact me confidentially.
  • If these messages are not for me, I want them to stop. They get past the spam filters and are irritating. (Mostly they are irritating because they are actually addressed to my mother's inbox, so they get priority treatment.)
  • Would I even be able to read the messages if they are not for me? I.e., would these services require additional information, or would receiving the message be sufficient to read it?

I recently received the following message, apparently from someone at US Anesthesia Partners via Cisco Registered Envelope Service. I marked it as spam and forgot about it.

[From/To and boring info about time received]

Message-Id: <d0efcd$3vukp@iron01server.usap.com>
Content-Type: multipart/mixed; boundary="===============4057323444299023882=="
MIME-Version: 1.0
Date: 02 Dec 2015 11:54:46 -0600
Subject: SECURED

--===============4057323444299023882==
Content-Type: multipart/alternative; boundary="===============7485819488709674644=="
MIME-Version: 1.0

--===============7485819488709674644==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

You have received a secure message.

Read your secure message by opening the attachment, securedoc.html. You
will be prompted to open (view) the file or save (download) it to your
computer. For best results, save the file first, then open it in a Web
browser.  To access from a mobile device, forward this message to
mobile@res.cisco.com to receive a mobile login URL.

If you have concerns about the validity of this message, contact the sender
directly.

First time users - will need to register after opening the attachment. For more
information, click the following Help link.
Help - https://res.cisco.com/websafe/help?topic=RegEnvelope
About Cisco Registered Email Service - https://res.cisco.com/websafe/about

[full HTML version of the above, and an encrypted attachment]

Now I have another one. This time, it claims to be from the IT department (per the image header) of Hospital Corporation of America, via Proofpoint Encryption. The attachment link also happens to point to the legitimate-looking domain securemail.medcity.net.

[recipient address and boring info about time received]

Thread-Topic: <ENCRYPT>
Thread-Index: AdEzYsV/+0KIoAD4Rt2LdFw5Lb63sw==
Date: Thu, 10 Dec 2015 15:52:29 +0000
Message-ID: <ABB9DC19260B3144A2214C004AE02EEC16876627@FWDCWPMSGHCMD3A.hca.corpad.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [10.90.32.6]
X-CFilter-Loop: Reflected
Subject: 
Content-Type: multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"
X-ProofpointSecure: Encrypted; app="filterd"
MIME-Version: 1.0

--PROOFPOINT_BOUNDARY_1
Content-Type: multipart/alternative; boundary="PROOFPOINT_BOUNDARY_2"

--PROOFPOINT_BOUNDARY_2
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit 

<div style="padding:15px 30px 10px 30px;font-size:16px;color:#555;font-weight:bold;font-family:Verdana, Arial, Helvetica, sans-serif;text-align:center;"> <div align="center">This is a secure, encrypted message. </div> </div> <div style="font-size:14px;color:#FF6417;font-weight:bold;line-height:normal;font-family:Verdana, Arial, Helvetica, sans-serif;padding:0px;margin:0 0 5px;"> <div align="left">To view your secure message: </div> </div> <div style="font-size:12px;color:#2F2E2E;font-weight:normal;line-height:16px;font-family:Verdana, Arial, Helvetica, sans-serif;text-align:left;padding:5px 0px 0px 0px;margin:0px;"> <p style="margin: 0 0 10px;"> Open the attachment (SecureMessageAtt.html) and follow the instructions. </p> </div> <div style="font-size:10px;color:#2F2E2E;font-family:Verdana, Arial, Helvetica, sans-serif;padding:0px;margin:0 0 5px;"> <p style="margin: 0 0 10px;"> Use <a href="https://securemail.medcity.net/securereader/help.jsf?lang=enus">this link</a> for more information to assist in retrieving your secure message. </P> </div> Click here https://securemail.medcity.net/formpostdir/securereader?id=AYXf6oh20zxMEe8%2BN%2B3YHmrJ0Bm7n9UR&brand=7748b5d to read the message on a mobile device or via Outlook Web Access.  Please note: The above link will expire 4 days after receipt. 

[full HTML version of the above, and an encrypted attachment, and a few more "boundaries"]
Grault
  • Your first clue is the imperative to open attachments. Red Flag at full staff on that one. However, gmail is exceptionally good at intercepting messages with malware payloads. So it is easy to get complacent when using it. Just use the time-worn rule: If you didn't ask for it then you probably don't want it. – SDsolar Mar 23 '17 at 08:18

1 Answer


You are very likely being phished in a slightly more sophisticated than usual mass spam campaign. Do not open the attachments.

Why do I say that? Simple: it's the only possibility that seems to make any sense at all (to me, at least).

Why would you suddenly start getting "secure email messages" from different (reputed) senders at different healthcare firms to different purported recipients? More importantly, how is content supposed to be "secure" when the steps for opening the content are merely "Save this html file, then open it in your browser."? On the other hand, opening an html file in your browser is the equivalent (more or less) to browsing to a malware-distributing site serving up exploits for your browser, Flash, Java client, etc.

It's actually a somewhat creative tactic by a malicious spammer to hook recipients who might be educated enough about phishing not to click on direct links in an email from an unfamiliar sender. Oh, and the bit about "if you have questions about the veracity of this email, reply to this" is very nice. Even if you're too skeptical to actually open the file straight away, the spammer gets you to confirm that the email address is active & in use, while also helping to add some credibility to the message in the recipient's mind. Credit where credit is due.

mostlyinformed
  • That was my initial suspicion, but after the second message I started to think that would be 1) unusual; is this "campaign" even seen by anyone but me? 2) expensive, because they probably need to pay the message service, and 3) not *mass-* anything at all; I doubt these services would tolerate that. But mainly I just don't want any more of them. Thanks for the warning, though! I'm definitely not opening them unless I get new information. – Grault Dec 13 '15 at 04:29
  • Your edits seem to imply that the "messaging services" are complicit and not services at all. While I agree that they use unwrapping instructions that are perplexing, I think they are innocent (or incompetent) in whatever scheme is playing out. Also, I cannot find anything about "the veracity of this email" in what I posted. – Grault Dec 13 '15 at 05:03
  • Edited my answer to say why I think it's spam. (Wanted to get my initial statement out there immediately.) Good idea not to open any of the attachments. Also a good idea not to reply to any of them. As for the "mass" part, it's possible that you're getting hit with a more targeted attack here. But targeted spearphishing attacks usually rely on including some specific elements tailored to the recipient to make the email more appealing or credible to the recipient, drawn from what the sender knows about the recipient. Here it is the exact opposite: the email isn't tailored to you at all. – mostlyinformed Dec 13 '15 at 05:03
  • What I was trying to get across is there likely *is no* "messaging service". The instructions just say to download the attachment and open it in your browser. At which point you'll either get hit with malicious code in the file or get redirected to a live site exposing you to malicious code. Referencing the stuff about Cisco's service is just a smokescreen to make you find the email more credible. – mostlyinformed Dec 13 '15 at 05:09
  • By veracity of the email I meant the statement in the email that "If you have concerns about the validity of this message, contact the sender directly." A good tactic to get someone to validate that their email address is in active use, even if they don't go for the open-the-file thing right away. – mostlyinformed Dec 13 '15 at 05:12
  • Ah, now I see that part of the message. All of the links that I can click that might put my box under someone else's control actually go to `https://res.cisco.com/`. The HCA email goes to medcity.net, which is more suspicious, but the Cisco email is actually coming through Cisco pipes. After researching the HCA, I sent them an email asking for information from their side. – Grault Dec 13 '15 at 05:14