AMITIAE - Friday 18 October 2013

Cassandra: Never Going to Give up - Phishing, Malware and the Zip File



By Graham K. Rogers

One would think with all the information that there is about online dangers, users would be aware that clicking on a file in an email is not the wisest thing to do, especially these days with the henhouse guards turning into foxes. You may never know what you have given away.

As well as the regular emails offering me cheap Viagra, millions of dollars that someone forgot about, and business deals that are not to be missed, there are some that have suspect contents by way of attachments.

My rule here is that, if I do not know you and you are sending me files, the email and the package go in the trash. Occasionally, the emails purport to come from someone I know. This has happened twice recently. A colleague with whom I have little contact was allegedly in Egypt, all belongings stolen and in need of my largesse. As she has far closer friends in a better position to help, I smelled a rat. Another colleague confirmed this. A similar email this week (a few months after the first) was duly dumped.

Also this week saw the arrival of a rather gaudy circular offering me (and others to whom it was addressed) amazingly cheap travel deals. This was due to the lifted contents of an in-house mailing list. A friend offered to help the department involved tighten its security.

Sometimes there is a spark of innovation with these emails, although half a dozen at the same time with similar wording are usually enough to arouse my suspicions. Some users are sadly not as mistrusting as me. I am occasionally sent emails starting with, "I know I shouldn't have done, but I clicked on an attachment and. . . ."

So when I have email that purports to come from HSBC, with whom I do no business, I am already alert, especially when there is an attachment. With no real information, I am told that an unnamed customer has paid me something. This is highly unlikely. PayPal sometimes, credit from Amazon to my credit card, direct payment to my bank account by someone I know: all these I can be comfortable with; but few ask me to open an attached file.


To add insult to injury, the email contained a number of fairly reasonable security suggestions and, after a notice concerning confidentiality (which I am clearly breaking right now - sue me), the email ended with "SAVE PAPER - THINK BEFORE YOU PRINT!" in capital letters.

More to the point, save your computer, think before you click.

As a Mac user I have a couple of useful tools that allow me to look at attachments, like PDFs and other file types, without opening them. This is called QuickLook (unsurprisingly) and may be accessed by using the space bar - or Command + Y - when a file is highlighted. However, Apple has never provided the ability to look inside a ZIP file, which is where a lot of these nasties are hidden.

Fortunately, there is a nice little utility from MacItBetter called The BetterZip Quick Look Generator, which is now up to version 1.2. As well as ZIP files, this can look inside TAR, GZip, BZip2, ARJ, LZH, ISO, CHM, CAB, CPIO, RAR, 7-Zip, DEB, RPM, StuffIt's SIT, DiskDoubler, BinHex, and MacBinary.

This is really useful because if you click on some files, the damage is already done.

The download opens as a ZIP file (of course) and the file generated has an icon that is like a piece of Lego, showing it is a plugin. Unlike normal files, users must install this themselves. I work in a User account, so in my case, this goes into the Library > QuickLook folder.

Library? That seems to be missing. Apple hides this nowadays in User accounts, so the Finder "Go" menu needs to be used. In the Home folder, use "Go to Folder" and type in the name Library. If there is no QuickLook folder, make one: Shift+Command+N does this, and then enter the name (with upper case Q and L).

If all users are to have access to this (or you only work in the Admin account - I question your security credentials), the plugin goes into the system-wide /Library/QuickLook folder rather than the per-user ~/Library/QuickLook folder.

The website gives some information about getting it working after first installation: either run the Terminal command "qlmanage -r", which reloads the Quick Look generators, or log out and back in again.

This morning, when I saw the file marked both as a document and a ZIP file, I put the cursor over the file, and clicked once to highlight it. When I pressed the space bar, a black panel opened and showed me that inside the file was a single .EXE file: an executable file that would not work on OS X anyway.
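The same check, done in code rather than with Quick Look, as an added example that is not part of the original column or of BetterZip: it reads only the ZIP's central directory (no extraction), lists the entries, and flags anything a user should not be opening from an email, such as the single .EXE the author found. The sample attachment, its file name and the list of risky extensions are all constructed for the example.

```python
"""List what an e-mail ZIP attachment contains without extracting it."""
import io
import zipfile

# Extensions that run as programs on Windows; ".exe" is the one seen above.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def inspect_zip(data: bytes) -> list:
    """Return one record per entry: name, uncompressed size, and reasons it looks suspect."""
    findings = []
    # ZipFile only parses the central directory here; nothing is decompressed.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in RISKY_EXTENSIONS:
                reasons.append("executable extension " + ext)
                if len(parts) > 2:
                    # e.g. "invoice.pdf.exe": disguised as a document
                    reasons.append("double extension, disguised as ." + parts[-2])
            if info.compress_size and info.file_size / info.compress_size > 100:
                reasons.append("compression ratio over 100 (possible zip bomb)")
            findings.append({"name": name, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the 'payment advice' attachment; the payload is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payment_Advice.pdf.exe", b"not a real program, just sample bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in inspect_zip(build_sample_attachment()):
        flag = "SUSPICIOUS" if entry["reasons"] else "ok"
        print(f"{flag:10} {entry['name']} ({entry['size']} bytes) {'; '.join(entry['reasons'])}")
```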

I wonder what little trick that had inside it. I also wonder how many computers it did work on. . . .


Graham K. Rogers teaches at the Faculty of Engineering, Mahidol University in Thailand where he is also Assistant Dean. He wrote in the Bangkok Post, Database supplement on IT subjects. For the last seven years of Database he wrote a column on Apple and Macs.


