Open
Bug 913346
Opened 12 years ago
Updated 2 years ago
malicious phishing e-mail. Thunderbird should warn that "From" identity in my contact list has a different e-mail address
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
UNCONFIRMED
People
(Reporter: mwinthrop, Unassigned)
Details
(Whiteboard: [dupeme])
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130803215302
Steps to reproduce:
On opening this type of e-mail, nothing appears to happen. When I compose a new e-mail with the malicious e-mail open, Thunderbird shows a notice that your new mail is loading an attachment.
The malicious e-mails were variations of this sort: family-name@yahoo.com. Subject: "Something you need to see", "Interesting site", etc. Content: A few words and a URL. Looking at the "Reply To:" name after the "From" name, I found a never-ending variety of unknown e-mail names, some including things like "destructor (at) click.cz", "vicious", etc. I saved a few examples in a quarantine sub-directory and ran this scenario several times. I attached one.
Actual results:
Firefox: When I unwittingly opened the first malicious URL, it infected Firefox with a virus. (It went to numerous web sites, rapidly overflowing Firefox, and would not allow closing the browser <kept reloading w/o me doing it>.) I issued a UNIX "kill" command for Firefox and all related processes. Next I reloaded Firefox. No harm done. It was all designed for MS-Windows. Linux ain't Windows. I only hit the "open URL" one time. Never again since. Glad this was not MS-Windows.
Thunderbird: The "Preview" frame in your e-mail (or an open copy) of this type of e-mail will infect your outgoing e-mail. On Thunderbird, with the infected e-mail open (even in preview mode) while you are creating another e-mail, the virus will try to infect the e-mail you are writing. Thunderbird shows a notice that your new mail is loading an attachment. Since you did not start one, Thunderbird never completes the load, but you cannot send the new e-mail until it finishes. I suspect it is loading a copy of the contact list. I expect it will add a new recipient for the e-mail also.
Moral of the story, look at the "Reply To:" name after the "From" name. If that is unknown, delete it, with prejudice.
Since all these e-mails are from Yahoo mail, I now consign all Yahoo mail to my "Quarantine" mailbox.
Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
Application Build: 20130804001519
Expected results:
Thunderbird should give a warning that the "From" identity in my contact list has a different e-mail ("Mail to:") address than the one in the current e-mail. Then ask to quarantine, ignore, or report as malicious mail. Reporting should point to Bugzilla/security.
WARNING:
This contains sensitive information which shouldn't be forwarded or published without permission.
Application Basics
Name: Thunderbird
Version: 17.0.8
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
Profile Directory: /media/sda3/ThunderbirdProfile
(Unknown location)
Application Build ID: 20130804001519
Enabled Plugins: about:plugins
Build Configuration: about:buildconfig
Crash Reports: about:crashes
Memory Use: about:memory
Mail and News Accounts
account1:
INCOMING: account1, mwinthrop@comcast.net, (pop3) mail.comcast.net:995, SSL, passwordCleartext
OUTGOING: smtp.comcast.net:587, alwaysSTARTTLS, passwordCleartext, true
account2:
INCOMING: account2, Local Folders, (none) Local Folders, plain, passwordCleartext
Extensions
Adblock Plus, 2.3.2, true, {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
EDS Contact Integration, 0.5, true, edsintegration@mozilla.com
Global Menu Bar integration, 3.6.4, true, globalmenu@ubuntu.com
Messaging Menu and Unity Launcher integration, 1.3.1, true, messagingmenu@mozilla.com
Test Pilot for Thunderbird, 1.3.9, true, tbtestpilot@labs.mozilla.com
Important Modified Preferences
Name: Value
accessibility.typeaheadfind.flashBar: 0
browser.cache.disk.capacity: 358400
browser.cache.disk.smart_size_cached_value: 358400
browser.cache.disk.smart_size.first_run: false
browser.cache.disk.smart_size.use_old_max: false
extensions.lastAppVersion: 17.0.8
font.name.monospace.el: Consolas
font.name.monospace.tr: Consolas
font.name.monospace.x-baltic: Consolas
font.name.monospace.x-central-euro: Consolas
font.name.monospace.x-cyrillic: Consolas
font.name.monospace.x-unicode: Consolas
font.name.monospace.x-western: Consolas
font.name.sans-serif.el: Calibri
font.name.sans-serif.tr: Calibri
font.name.sans-serif.x-baltic: Calibri
font.name.sans-serif.x-central-euro: Calibri
font.name.sans-serif.x-cyrillic: Calibri
font.name.sans-serif.x-unicode: Calibri
font.name.sans-serif.x-western: Calibri
font.name.serif.el: Cambria
font.name.serif.tr: Cambria
font.name.serif.x-baltic: Cambria
font.name.serif.x-central-euro: Cambria
font.name.serif.x-cyrillic: Cambria
font.name.serif.x-unicode: Cambria
font.name.serif.x-western: Cambria
font.size.fixed.el: 14
font.size.fixed.tr: 14
font.size.fixed.x-baltic: 14
font.size.fixed.x-central-euro: 14
font.size.fixed.x-cyrillic: 14
font.size.fixed.x-unicode: 14
font.size.fixed.x-western: 14
font.size.variable.el: 17
font.size.variable.tr: 17
font.size.variable.x-baltic: 17
font.size.variable.x-central-euro: 17
font.size.variable.x-cyrillic: 17
font.size.variable.x-unicode: 17
font.size.variable.x-western: 17
gfx.blacklist.suggested-driver-version: 8.15.10.2202
mailnews.database.global.datastore.id: 3882ee0b-9955-4e98-95e6-ad0a0a301e1
mail.openMessageBehavior.version: 1
mail.winsearch.firstRunDone: true
network.cookie.prefsMigrated: true
places.database.lastMaintenance: 1366139845
places.history.expiration.transient_current_max_pages: 104858
plugin.soname.list: libXt.so:libXext.so
plugins.update.notifyUser: true
print.tmp.printerfeatures.Canon-PIXMA-iP3000.can_change_colorspace: false
print.tmp.printerfeatures.Canon-PIXMA-iP3000.can_change_downloadfonts: false
print.tmp.printerfeatures.Canon-PIXMA-iP3000.can_change_jobtitle: false
print.tmp.printerfeatures.Canon-PIXMA-iP3000.can_change_num_copies: true
print.tmp.printerfeatures.Canon-PIXMA-iP3000.can_change_orientation: true
print.tmp.printerfeatures.Canon-PIXMA-iP3000.can_change_paper_size: true
print.tmp.printerfeatures.Canon-PIXMA-iP3000.can_change_plex: false
print.tmp.printerfeatures.Canon-PIXMA-iP3000.can_change_printincolor: true
print.tmp.printerfeatures.Canon-PIXMA-iP3000.can_change_resolution: false
print.tmp.printerfeatures.Canon-PIXMA-iP3000.can_change_spoolercommand: false
print.tmp.printerfeatures.Canon-PIXMA-iP3000.colorspace.0.name: default
print.tmp.printerfeatures.Canon-PIXMA-iP3000.colorspace.count: 1
print.tmp.printerfeatures.Canon-PIXMA-iP3000.has_special_printerfeatures: true
print.tmp.printerfeatures.Canon-PIXMA-iP3000.orientation.0.name: portrait
print.tmp.printerfeatures.Canon-PIXMA-iP3000.orientation.1.name: landscape
print.tmp.printerfeatures.Canon-PIXMA-iP3000.orientation.count: 2
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.0.height_mm: 210
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.0.is_inch: false
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.0.name: A5
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.0.width_mm: 148
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.1.height_mm: 297
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.1.is_inch: false
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.1.name: A4
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.1.width_mm: 210
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.2.height_mm: 420
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.2.is_inch: false
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.2.name: A3
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.2.width_mm: 297
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.3.height_mm: 279
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.3.is_inch: true
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.3.name: Letter
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.3.width_mm: 215
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.4.height_mm: 355
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.4.is_inch: true
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.4.name: Legal
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.4.width_mm: 215
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.5.height_mm: 431
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.5.is_inch: true
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.5.name: Tabloid
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.5.width_mm: 279
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.6.height_mm: 254
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.6.is_inch: true
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.6.name: Executive
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.6.width_mm: 190
print.tmp.printerfeatures.Canon-PIXMA-iP3000.paper.count: 7
print.tmp.printerfeatures.Canon-PIXMA-iP3000.plex.0.name: default
print.tmp.printerfeatures.Canon-PIXMA-iP3000.plex.count: 1
print.tmp.printerfeatures.Canon-PIXMA-iP3000.resolution.0.name: default
print.tmp.printerfeatures.Canon-PIXMA-iP3000.resolution.count: 1
print.tmp.printerfeatures.Canon-PIXMA-iP3000.supports_colorspace_change: false
print.tmp.printerfeatures.Canon-PIXMA-iP3000.supports_downloadfonts_change: false
print.tmp.printerfeatures.Canon-PIXMA-iP3000.supports_jobtitle_change: false
print.tmp.printerfeatures.Canon-PIXMA-iP3000.supports_orientation_change: true
print.tmp.printerfeatures.Canon-PIXMA-iP3000.supports_paper_size_change: true
print.tmp.printerfeatures.Canon-PIXMA-iP3000.supports_plex_change: false
print.tmp.printerfeatures.Canon-PIXMA-iP3000.supports_printincolor_change: true
print.tmp.printerfeatures.Canon-PIXMA-iP3000.supports_resolution_change: false
print.tmp.printerfeatures.Canon-PIXMA-iP3000.supports_spoolercommand_change: false
Graphics
Adapter Description: Tungsten Graphics, Inc -- Mesa DRI Mobile Intel® GM45 Express Chipset
Vendor ID: Inc
Device ID: set
Driver Version: 2.1 Mesa 8.0.4
WebGL Renderer: Blocked for your graphics driver version. Try updating your graphics driver to version 8.15.10.2202 or newer.
GPU Accelerated Windows: 0/3
Comment 2•12 years ago
This isn't an application security exposure, but a phishing example. So opening up. Sanitized email below (removed submitter's email - but I see now you've already exposed it in comment 0).
X-Account-Key: account1
X-UIDL: 427520.rJaZUcAF8eA6sD2GVJwiAIUD5bI=
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: destructor@click.cz
Received: from imta03.westchester.pa.mail.comcast.net (LHLO
imta03.westchester.pa.mail.comcast.net) (76.96.62.29) by
sz0121.wc.mail.comcast.net with LMTP; Wed, 3 Jul 2013 15:27:06 +0000 (UTC)
Received: from mailout2.t-email.cz ([62.141.0.167])
by imta03.westchester.pa.mail.comcast.net with comcast
id vrQ11l00p3cBSTA03rQ2wn; Wed, 03 Jul 2013 15:24:04 +0000
X-CAA-SPAM: 00000
X-Authority-Analysis: v=2.1 cv=OZyhUHjY c=1 sm=1 tr=0
a=XyvXJEDnOAELHf4myRrJ3A==:117 a=XyvXJEDnOAELHf4myRrJ3A==:17 a=C_IRinGWAAAA:8
a=lS0MHldHvS4A:10 a=wPDyFdB5xvgA:10 a=kj9zAlcOel0A:10 a=VJCQ-lsSzDQA:10
a=SJa-Qq7GAAAA:8 a=pdDRC0oIpqVp-jEb2hMA:9 a=CjuIK1q_8ugA:10 a=QS-H9S7Q3OgA:10
a=ENOtxBZL8GYA:10 a=zObNa7ddgCUA:10
Received: from mailout2.t-email.cz (localhost [127.0.0.1])
by sagator.hkbl409 (Postfix) with ESMTP id AA93D3372BCF
for <XX@comcast.net>; Wed, 3 Jul 2013 17:23:58 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on hkbl409.tmo.cz
X-Spam-Level:
X-Spam-Status: No, score=0.2 required=8.0 tests=ALL_TRUSTED,DATE_IN_PAST_03_06,
MISSING_MID,URIBL_BLOCKED autolearn=disabled version=3.3.1
X-Sagator-Scanner: 1.2.1-1 at hkbl409;
log(status(quarantine(drop(clamd(), antiloop()))),
status(custom_action(quarantine(SpamAssassinD()))))
X-Sagator-ID: 20130703-172358-0001-03529-KX3ewI@hkbl409
Received: from localhost (agdf35.neoplus.adsl.tpnet.pl [178.43.83.35])
by mailout2.t-email.cz (Postfix) with ESMTPSA
for <XXX@comcast.net>; Wed, 3 Jul 2013 17:23:58 +0200 (CEST)
Date: Wed, 03 Jul 2013 04:19:32 -0800 (PST)
Subject: Fwd: awesome site
Content-Type: text/plain; charset=us-ascii
From: Barbara Winthrop <destructor@click.cz>
MIME-Version: 1.0
To: XXX@comcast.net
Message-Id: <20130703152358.AA93D3372BCF@mailout2.t-email.cz>

hi. how are you? awesome site http://www.astalive.com.au/whu/
Sent from my iPhone
Group: core-security
Summary: malicious e-mail → malicious phishing e-mail. Thunderbird should warn that "From" identity in my contact list has a different e-mail address
Whiteboard: [dupeme]
Updated•2 years ago
Severity: normal → S3
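The warning the reporter asks for in the expected results (a "From" display name that is in the address book, but carries an address the address book does not know) is a small header check, and the sanitized message in comment 2 is a good input for it. The following is an added example, not Thunderbird code and not code from the reporter or from Mozilla. The address book (CONTACTS) is hypothetical, the helper names are my own, and the sample message is constructed from the headers and body shown in comment 2 (two of its Received headers, placeholders left as on the page). It goes a little beyond the requested check: it also flags a Reply-To that differs from From (the reporter's "moral of the story") and pulls the originating hop out of the earliest Received header, which for this message is a tpnet.pl ADSL host that submitted through authenticated SMTP (ESMTPSA) at mailout2.t-email.cz.

```python
"""Added example, not Thunderbird's code or the reporter's: the
"From display name is a contact, but the address is not" warning from
the expected results, plus a Reply-To check and origin-hop extraction,
run over the sanitized message shown in comment 2."""
import email
import json
import re
from email.utils import parseaddr

# Constructed sample: headers and body from comment 2 (two of the
# Received lines), with the comcast placeholders left as the page shows.
SAMPLE = """\
Return-Path: destructor@click.cz
Received: from mailout2.t-email.cz ([62.141.0.167])
    by imta03.westchester.pa.mail.comcast.net with comcast
    id vrQ11l00p3cBSTA03rQ2wn; Wed, 03 Jul 2013 15:24:04 +0000
Received: from localhost (agdf35.neoplus.adsl.tpnet.pl [178.43.83.35])
    by mailout2.t-email.cz (Postfix) with ESMTPSA
    for <XXX@comcast.net>; Wed, 3 Jul 2013 17:23:58 +0200 (CEST)
Date: Wed, 03 Jul 2013 04:19:32 -0800 (PST)
Subject: Fwd: awesome site
Content-Type: text/plain; charset=us-ascii
From: Barbara Winthrop <destructor@click.cz>
MIME-Version: 1.0
To: XXX@comcast.net
Message-Id: <20130703152358.AA93D3372BCF@mailout2.t-email.cz>

hi. how are you? awesome site http://www.astalive.com.au/whu/
Sent from my iPhone
"""

# Hypothetical address book (assumption, not on the page): normalised
# display name -> set of addresses the user actually knows for it.
CONTACTS = {"barbara winthrop": {"barbara.winthrop@example.com"}}


def _norm_name(name):
    """Collapse whitespace and case so 'Barbara  WINTHROP' still matches."""
    return " ".join(name.split()).lower()


def contact_mismatch(msg, contacts):
    """Return a finding when the From display name belongs to a contact
    whose known addresses do not include the From address, else None.
    An unknown display name yields None: there is nothing to compare."""
    name, addr = parseaddr(msg.get("From", ""))
    known = contacts.get(_norm_name(name))
    if not name or not known:
        return None
    if addr.lower() in {k.lower() for k in known}:
        return None
    return {"display_name": name, "from": addr.lower(), "known": sorted(known)}


def reply_to_mismatch(msg):
    """Return the Reply-To address when it differs from From, else None."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        return reply_addr.lower()
    return None


# "from HELO (rdns [ip]) by ... with PROTO": the Postfix/Sendmail clause.
_RECEIVED = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r".*?\bwith\s+(?P<proto>\S+)"
)


def origin_hop(msg):
    """Parse the earliest Received header (the last one in the message,
    since each relay prepends its own) into HELO name, reverse DNS, IP
    and protocol. Only that relay's own stamp is trustworthy; the HELO
    name is whatever the client presented."""
    hops = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    if not hops:
        return None
    m = _RECEIVED.match(hops[-1])
    return m.groupdict() if m else None


def assess(raw, contacts):
    """Run all three checks over a raw RFC 5322 message string."""
    msg = email.message_from_string(raw)
    return {
        "contact_mismatch": contact_mismatch(msg, contacts),
        "reply_to_mismatch": reply_to_mismatch(msg),
        "origin": origin_hop(msg),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE, CONTACTS), indent=2))
```

Run stand-alone it prints the three findings as JSON. The contact check is deliberately name-only: it fires only when the display name is already in the address book and the address is not, so it says nothing about mail from strangers and does not replace SPF/DKIM/DMARC evaluation, and a sender who spoofs a contact's real address is not caught by it at all. The Reply-To check is there because, as the reporter notes, that is where the attacker-controlled address often shows up; on this particular sample there is no Reply-To header, so it returns nothing.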