Experts at SophosLabs have discovered that cybercriminals are exploiting the critical zero-day vulnerability in Java by sending out malicious emails which pretend to come from an accountancy firm and announce a rise in the VAT rate.
Unsuspecting users who click on the link in the email, perhaps worried about the higher VAT rate, risk having their computers infected immediately: no download prompt or further interaction is needed once the page loads in a browser with a vulnerable Java plugin enabled.
SophosLabs discovered the email in its global network of spam traps. The email purported to be from the Dutch branch of the accountancy firm BDO Stoy Hayward:
From: BDO Accountants & Adviseurs <helmond@bdo.nl>
Of course, the email doesn’t really come from the accountancy firm. A closer look at the headers reveals that it was handed to the mail system by a hosting provider in the Netherlands, and that the envelope sender has nothing to do with bdo.nl:
Received: from tandarts by cpanel1.redbee.nl with local (Exim 4.77)
(envelope-from <tandarts@cpanel1.redbee.nl>)
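The comparison the article makes by hand, the displayed From: domain against the envelope sender and the host that injected the message, is easy to automate over the raw headers. The following is an added example written for this page, not code from the Sophos post: only the two header values quoted above are real, while the remaining headers, the body and the second "legit" control message (using the reserved example.com domain) are constructed for the demo, and the domain comparison is a deliberately crude last-two-labels rule.

```python
"""Flag a spoofed From: header by comparing the displayed sender domain with
the envelope sender and with the host that injected the message.

Added example for this page, not code from the Sophos article. Only the
From: and Received: values in LURE come from the article; the other headers,
the body and the LEGIT message are constructed so the parser has complete
messages to work on.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample: the two header values shown in the article plus filler.
LURE = (
    "Received: from tandarts by cpanel1.redbee.nl with local (Exim 4.77)\n"
    "\t(envelope-from <tandarts@cpanel1.redbee.nl>)\n"
    "From: BDO Accountants & Adviseurs <helmond@bdo.nl>\n"
    "Subject: Let op! BTW tariefverhoging per 1 oktober 2012\n"
    "\n"
    "Geachte heer/mevrouw, ...\n"
)

# Constructed control message where everything lines up (example.com is a
# reserved documentation domain, so nothing here refers to a real sender).
LEGIT = (
    "Received: from [192.0.2.10] by mx.example.com with esmtps (Exim 4.77)\n"
    "\t(envelope-from <billing@example.com>)\n"
    "From: Example Accounts <billing@example.com>\n"
    "Subject: Invoice 1234\n"
    "\n"
    "Hello, ...\n"
)

RECEIVED_RE = re.compile(r"\bfrom\s+(\S+)\s+by\s+(\S+)", re.IGNORECASE)
ENVELOPE_RE = re.compile(r"envelope-from\s*<([^>]+)>", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of a host name. Good enough for .nl and .com here;
    a real deployment would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse(raw):
    """Parse one RFC 822 message and return the displayed sender domain, the
    envelope sender, the injecting host and a list of findings (empty when
    nothing looks wrong)."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]

    # Received: lines are prepended by each hop, so the last one is the
    # earliest hop. Only the lines added by your own mail server are
    # trustworthy; everything below them could have been written by the
    # sender. In the article's lure there is just the one, local, hop.
    received = msg.get_all("Received") or []
    earliest = received[-1] if received else ""
    hop = RECEIVED_RE.search(earliest)
    injecting_host = hop.group(2) if hop else ""
    env = ENVELOPE_RE.search(earliest)
    envelope = env.group(1) if env else ""
    envelope_domain = envelope.rpartition("@")[2]

    findings = []
    if envelope_domain and registrable_domain(envelope_domain) != registrable_domain(from_domain):
        findings.append(
            f"From: claims {from_domain} but the envelope sender is {envelope}")
    if injecting_host and registrable_domain(injecting_host) != registrable_domain(from_domain):
        findings.append(
            f"From: claims {from_domain} but the message entered the mail system at {injecting_host}")
    return {
        "from_domain": from_domain,
        "envelope": envelope,
        "injecting_host": injecting_host,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("legit", LEGIT)):
        result = analyse(sample)
        print(name, "->", result["findings"] or ["no mismatch"])
```

Run against the lure this reports two mismatches (envelope sender and injecting host both live under redbee.nl while From: claims bdo.nl) and nothing for the control message. The caveat in the comments matters: Received: lines below the one your own server wrote are under the sender's control, so when this runs at your own mail edge the decisive inputs are the SMTP MAIL FROM and connecting host your server itself recorded.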
The subject line (which is in Dutch) reads as follows:
Subject: Let op! BTW tariefverhoging per 1 oktober 2012
Google translates the subject as:
Attention! VAT rate increase per 1 October 2012
The email’s message body can be translated as follows:
Dear Sir or Madam,
As you may already know, the high rate of turnover tax (VAT) will increase from 19% to 21% on October 1, 2012.
The moment the service is performed (i.e. the date of sale / supply of goods or services) determines which VAT rate applies.
The invoice date on the sales receipt is not (!) decisive for the applicable VAT rate (or for the turnover tax period). See what the VAT increase can mean for you. You will also find useful tips on implementing the increased VAT in your organisation.
For entrepreneurs, the VAT increase may or may not mean additional costs. For individuals, prices will rise.
Keep an eye on the changes: an error in applying the correct VAT rate may result in additional tax. For further details and answers to other questions, please visit the dedicated web page prepared by the Ministry of Finance.
Normally, we would expect the link to lead to a phishing site that asks for credentials, but here, under the folder ‘tariff’ (in Dutch ‘tarieven’), sits an obfuscated script that attempts to load a Java applet detected by Sophos products as Exp/20124681-A*, malicious code which exploits the current Java zero-day vulnerability. The victim is not asked to type anything: simply landing on the page with a vulnerable Java plugin enabled is enough.
Although this particular attack uses the Dutch language to try to trick users into following the link, there is, of course, no reason why cybercriminals wouldn’t also try similar tactics in other, more widely used languages. So no-one should be complacent about the threat posed by this Java vulnerability.
We recommend disabling Java in the browser, or downgrading to Java 6 (this vulnerability affects Java 7, not Java 6), on any system where a person actively uses internet-facing applications.
Chet Wisniewski’s recent article about the Java zero-day vulnerability gives details about how to disable Java in each browser:
- How to disable Java in Internet Explorer
- How to disable Java in Firefox
- How to disable Java in Chrome
- How to disable Java in Safari
- How to disable Java in Opera
* Exp/20124681-A: the malicious Java code exploiting CVE-2012-4681.
Rise in VAT roadsign image from Shutterstock.
Downgrading to Java 6, that’s not really your suggestion, is it? Getting rid of one zero-day exploit and getting 20 other exploitable bugs instead.
I would suggest disabling Java, or using extensions like NoScript for Firefox, or enabling user acceptance in the Chrome browser for each Java applet.
Java 6 is still supported by Oracle, and is updated on the same patch cycle as Java 7. (any bugs present in both are patched at the same time)
How Do You Disable Java In RockMelt?
My relative got an email from a friend's account this week. The friend passed away from cancer in early July!! The email was really upsetting, especially as it was selling Islamic literature. They traced it back to Iran. All very curious and upsetting!!
How do you disable it?
I have it on my PC, but my girl plays on POGO and needs Java.
You can’t disable Java, it’s part of all software in some way.
Disabled mine & my browser seems to be running faster.
Java CAN be disabled, but it’s not something done by a normal user.
@Charlie. Have a read of the article posted two hours ago, which explains ‘How to turn off Java’.
I disabled mine… and everything is still working just fine. If I should come across something that says I need Java… I can simply go to the toolbar at the top and turn it on!
Easy to do, though.
Click where it says zero-day etc.; on that page there is a link on how to disable it.
If you use Firefox, you can get the NoScript add-on, which lets you decide when to allow Java to run.
In the case of this email, the smart recipient won’t click the link. There are countless ways an infected email can cause problems, so disabling Java isn’t enough. The best defense is a savvy user.
Java is in wide use all over the web. Disabling it altogether is like taking the wheels off your car to prevent accidents.
Oracle needs to take immediate action to close the security flaws. Until that happens, the suggestion to make Java only run on demand is a good one.
@David No I haven’t. Where’s the link to it?
Disabled mine in two seconds, and I’m a normal user, so laughs @ Mike.
I took it off my computer until Oracle comes up with a patch.
Is there a way to disable it for Firefox and IE in a corporate environment? Like a batch script or something? For Firefox, maybe just renaming the plugins directory under program files/java/jre7/plugins2?
I read one article (I didn’t read this one again, so it may or may not have been in this one) saying it targeted Java 7, not 6. Since several things I do need Java, I uninstalled 7 and replaced it with 6. What do you think, good enough or being stupid?
My Chrome browser has Java ver 10.
Instructions for Windows Explorer are for 7, I have 9. I was able to disable it very easily. My PC does seem a little faster also.
Thanks for the help.
I just did mine! I had a friend request from someone claiming to go to my high school. I saw that a few of my classmates had already friended him. I waited because his name didn’t sound right (David Simth) – this was the spelling. Later that day, my friends reported that their screens were locking up, and when they questioned him he disappeared! Be careful to check out anyone who friends you that you don’t know.
Angie Kenny – That’s not true. Java can be disabled. It can even be removed.
A Java update is available: http://www.java.com/it/download/manual.jsp Does anyone know if the vulnerability is fixed? I am unable to find the release notes for this version.
I removed Java 7 and reinstalled Java 6, works like a charm. Java 6 doesn’t have that particular flaw.
Can it affect my BlackBerry? It is Java enabled.
How about not opening obvious spam in the first place? Or, if you receive a notice purporting to be from a site on which you have an account, going directly to the site rather than clicking on the link in the message? Seems to me that a lot of these vulnerabilities could be avoided if folk would just exercise some sense in these instances.
I disabled my Java this morning. Computer’s working fine.
I’d recommend getting a NoScript plugin. That way nothing runs, let alone Java unless you say so.
I need Java and specifically Java for my online college classes so I can’t disable it unless I want to fail.
Kierie, why not run two browsers: one for your college work with Java enabled, and one for everything else with Java disabled?
@Anna Harris: NOOOOO! Taking Java back down to an earlier version will make you less safe, not more, as there are holes in earlier versions you have just “unpatched”. Click the link in the article and follow the instructions!
http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets
Warning
@Alan Harrison: re your comment to Anna Harris – I’m confused. One of the Sophos articles I just read said “We recommend disabling Java or downgrading to Java 6 on any systems with humans actively interacting with internet-enabled applications” So I guess what Anna said is correct?
Oracle has fixed it, download the new version: http://www.oracle.com/technetwork/java/javase/downloads/index.html
Hi, I am getting emails that seem to be mimicking my friends’ names on Facebook. On hovering over the addresses I can see they are not. However, the first time it happened I got caught out and it sent me to a viral link. Has anyone else had this happen, and what can be done about it?