Fresh phishing served with AES obfuscation

Obfuscated phishing sites are nothing new (on the same matter, see the article Web obfuscation technique using invisible spans), but the use of AES in an attempt to evade detection by automated tools, like our URLSand Sandbox service, is not very common.

Although AES and encryption in general are not topics for beginners, I am surprised how easily this approach can be adopted by anyone with basic programming knowledge.

The only thing needed is a JavaScript library, freely available for download from Movable Type Scripts.

By including this library in your page you can then serve your encrypted webpage, with a few lines:

To explain the above lines:

Line 1) includes the JavaScript AES implementation, which it calls with the embedded password defined at Line 4) and embedded encrypted data at Line 6). The decrypted phishing content is then dynamically written to the page using document.write() after calling the decryption function at Line 8).

This process happens almost instantly when the page is loaded and once decryption is complete, the phishing site is shown as normal.

Note that the use of AES here is very basic, and there is no attempt made to hide the key or anything else. But I would not be surprised if this kind of attack becomes more sophisticated in the near future!
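The loader described above leaves a recognisable static footprint: a long high-entropy string literal, a decrypt call, a DOM write, and almost no static text. The following scanner for that combination is an added example, not code from the original post or from URLSand; the name decryptPage, the thresholds and both sample pages are constructed assumptions.

```python
import base64
import hashlib
import math
import re
from collections import Counter

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# A quoted literal of 200+ characters from the base64 alphabet.
BLOB_RE = re.compile(r"""(["'])([A-Za-z0-9+/=]{200,})\1""")
DECRYPT_RE = re.compile(r"decrypt\w*\s*\(", re.I)
SINK_RE = re.compile(r"document\.write(?:ln)?\s*\(|\.innerHTML\s*=")
TAG_RE = re.compile(r"<[^>]+>")


def shannon_entropy(text):
    """Bits per character of the empirical character distribution."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def inspect_page(html, min_entropy=5.0, max_static_chars=80):
    """Report the four signals and flag the page only when all are present."""
    scripts = "\n".join(SCRIPT_RE.findall(html))
    blobs = [m.group(2) for m in BLOB_RE.finditer(scripts)]
    # Text that exists in the markup before any script has run.
    static_text = " ".join(TAG_RE.sub(" ", SCRIPT_RE.sub("", html)).split())
    signals = {
        "encrypted_blob": any(shannon_entropy(b) >= min_entropy for b in blobs),
        "decrypt_call": bool(DECRYPT_RE.search(scripts)),
        "dom_write_sink": bool(SINK_RE.search(scripts)),
        "little_static_text": len(static_text) <= max_static_chars,
    }
    return {**signals, "suspicious": all(signals.values())}


def _constructed_blob():
    # Constructed stand-in for ciphertext: 256 bytes of hash output, base64-encoded.
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
    return base64.b64encode(raw).decode()


# Constructed sample with the structure the post describes (decryptPage is hypothetical).
OBFUSCATED_PAGE = (
    '<html><head><script src="aes.js"></script></head><body><script>\n'
    'var password = "constructed-demo-key";\n'
    f'var encrypted = "{_constructed_blob()}";\n'
    'document.write(decryptPage(encrypted, password));\n'
    '</script></body></html>'
)

# Constructed benign page: it also embeds a base64 blob, but only as an image.
BENIGN_PAGE = (
    '<html><body><h1>Example shop</h1>'
    '<p>Welcome to the constructed example shop. Browse our catalogue, read '
    'the delivery terms and contact support.</p><img id="logo"><script>\n'
    f'var logo = "{_constructed_blob()}";\n'
    'document.getElementById("logo").src = "data:image/png;base64," + logo;\n'
    '</script></body></html>'
)

if __name__ == "__main__":
    for name, page in (("obfuscated", OBFUSCATED_PAGE), ("benign", BENIGN_PAGE)):
        print(name, inspect_page(page))
```

The benign page shows why the blob alone is not enough: embedded images and fonts are also high-entropy base64, so the verdict depends on the combination of signals.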

Eng.Paolo Frizzi

Web obfuscation technique using invisible spans

In order to delay detection, phishing and malware websites often use some obfuscation technique.
Obfuscation techniques are double-edged swords. They hide the malicious content from dumb crawlers, bots and sandboxes, but smarter algorithms that know what to look for can detect the malware just by looking at its attempts to hide. This is one of the ways we can detect zero-day malware.

In this example we have a fake PayPal website. This page interleaves invisible spans between visible text in order to avoid detection by automated systems that perform heuristic analysis of the web page content.
You’ll get a clearer idea by looking at the following pictures.

This is the fake PayPal website as it is displayed in the browser:

PayPal phishing website

Notice the text just above the login box on the left of the page. The text says “Bitte geben Sie Ihre PayPal-Dated ein”. You will not find this phrase in the source code of the page because the phrase (and especially the word PayPal) has been interleaved with a lot of text enclosed in invisible spans. This text is present in the page but it is not displayed to the user.

Here is a part of the source code of the page:

The parts in brown are the invisible spans; they contain a lot of random text that the browser is instructed not to display to the user.

The parts surrounded by yellow boxes are visible and displayed to the user. These parts compose the phrase you see on the webpage but a bot that scans the page and that doesn’t skip the invisible parts cannot find this phrase or even the word PayPal in the whole page.

Invisible content is perfectly normal in legitimate web pages: often some parts of the page are made visible only on specific events, and often most of the page is initially invisible and made visible only when everything has been loaded. Having invisible content is not bad by itself, and this is why crawlers and sandboxes don’t ignore it. Using it in this way, however, is certainly suspicious.

Our UrlSand sandbox searches for this and other obfuscation/evasion techniques in order to detect malware.
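One way to check for the interleaving described above is to compare the text a browser renders with the text a naive scanner reads, and flag keywords that exist only in the rendered view. This is an added example, not UrlSand's code; the sample pages, the keyword list and the set of inline styles treated as hidden are constructed assumptions (styles applied through CSS classes are not covered).

```python
import re
from html.parser import HTMLParser

VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}
NOT_RENDERED = {"script", "style"}
# Inline styles (whitespace removed, lower-cased) that hide an element's text.
HIDDEN_STYLE = re.compile(
    r"display:none|visibility:hidden|font-size:0(?:px|pt|em|%)?(?:;|$)")


class VisibilitySplitter(HTMLParser):
    """Separates text a browser renders from text inside hidden elements."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # (tag, hidden?) for every open element
        self.visible, self.hidden, self.everything = [], [], []

    @staticmethod
    def _is_hidden(attrs):
        attrs = dict(attrs)
        style = re.sub(r"\s+", "", (attrs.get("style") or "").lower())
        return "hidden" in attrs or bool(HIDDEN_STYLE.search(style))

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        inherited = bool(self.stack) and self.stack[-1][1]
        self.stack.append((tag, inherited or self._is_hidden(attrs)))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self.stack and self.stack[-1][0] in NOT_RENDERED:
            return
        self.everything.append(data)
        in_hidden = bool(self.stack) and self.stack[-1][1]
        (self.hidden if in_hidden else self.visible).append(data)


def analyse_page(html, keywords):
    parser = VisibilitySplitter()
    parser.feed(html)
    parser.close()
    visible = " ".join("".join(parser.visible).split())
    naive = " ".join("".join(parser.everything).split())  # hidden text included
    hidden_chars = sum(len(chunk) for chunk in parser.hidden)
    total_chars = hidden_chars + sum(len(chunk) for chunk in parser.visible)
    # A keyword the user can read but a naive text scan cannot find was split on purpose.
    split = [k for k in keywords
             if k.lower() in visible.lower() and k.lower() not in naive.lower()]
    return {
        "visible_text": visible,
        "hidden_ratio": hidden_chars / total_chars if total_chars else 0.0,
        "split_keywords": split,
    }


# Constructed sample: brand name and "password" broken up by invisible spans.
PHISHING_SAMPLE = (
    '<html><body><h1>Log in to your Pay'
    '<span style="display: none">kq zvx jwe</span>Pal'
    '<span style="visibility:hidden">mmr tyu</span> account</h1>\n'
    '<p>Ent<span style="display:none;">oiu qwe</span>er your pass'
    '<span hidden>zzz</span>word</p>'
    '<form><input type="password" name="p"></form></body></html>'
)

# Constructed benign page: hidden content exists but does not split any keyword.
BENIGN_SAMPLE = (
    '<html><body><p>Pay with PayPal or card.</p>'
    '<div style="display:none">Thank you, your PayPal order is complete.</div>'
    '</body></html>'
)

if __name__ == "__main__":
    print(analyse_page(PHISHING_SAMPLE, ["PayPal", "password"]))
    print(analyse_page(BENIGN_SAMPLE, ["PayPal", "password"]))
```

The benign sample has hidden text too, yet nothing is flagged: the signal is a keyword that only appears once hidden elements are skipped, not the presence of invisible content.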


Rodolfo Saccani
Libra Esva R&D Manager

Pragmatic approach to security

This is the presentation that I used in my speech at the 2017 Security Summit in Milan.

Security Summit, organized by ClusIt, is the most important security event in Italy. My speech was about protecting from unknown threats delivered via email; the focus was on the relationship between pragmatism and security.

In this post I will go through the items of this speech.


The source of today’s security issues lies mainly in the great complexity of the systems we use; such complexity creates a big attack surface. If we link such a big attack surface to the strong motivations to violate our systems, mainly due to the ransomware and phishing business, we can understand why new, not yet known threats are daily business today. We’ve seen about 30 thousand new ransomware variants in 2016, which means tens of new threats every day. Security systems, in order to be effective, must be able to intercept such threats even if they don’t know them in advance.

Security systems, in computer science as in the physical world, must be kept as simple as possible because complexity is the enemy of security. It reduces reliability and increases the attack surface.

Some security solutions are more oriented towards marketing needs than security needs. A sandbox based on virtual machines, for example, is a system even more complex than the one it should defend: it is a Windows system virtualized in an environment instrumented with additional software that tries to observe the malware without being observed in turn by the malware itself. This must be done with short analysis times, typically within two minutes, so as not to excessively burden company workflows (and to contain costs).

Malware authors have the very same sandboxes that we use, so malware can be tested in such sandboxes before being released. Malware authors quickly learned to trick the sandbox. While the sandbox has just a couple of minutes to provide a response, the malware, once it has infected the PC, has all the time it needs to manifest itself; it can simply wait for some time so as not to be identified by the sandbox. Sandboxes started tricking the malware into believing that time passed faster, and malware learned to use this characteristic to detect the sandbox. This very simplified example is just to say that the eternal fight between attack and defense has moved into a different environment without changing the underlying pattern. In this new environment it is the defender who is at a disadvantage.

But a sandbox is a strong marketing argument because complexity sells more than pragmatism.

These sandboxes are exceptional tools for the analysis and study of malware, but when they are used as filters they show many weaknesses and they offer a considerable attack surface. A few days ago at Pwn2Own, a cybersecurity contest, one team managed to escape from the VM and compromise the host. With just a click on a link. Imagine a malware that compromises the sandbox in order to infect all the analyzed files … how does it sound?

So, let’s use complexity prudently and only where we really need it, knowing that every increase in complexity reduces security: it has a cost.

Protecting from file-based threats

Regarding file-based threats, in my speech I performed, along with the audience, an analysis of the problem starting from square zero. Let’s analyze the problem again starting from scratch and let’s add complexity until we’ve reached our goal.

Let’s start from the “firewall” approach. Do you remember when we used to selectively close ports on the firewall? All ports open by default except the ones we decided to close. Then we inverted this logic: everything is closed and we selectively open based on what we actually need. This simple change of paradigm alone drastically improved security.

Let’s take the same approach. Do we really need executables attached to our emails? Do we need .exe, .js and so on? No, we don’t. The experience of over one billion emails per month tells us that we don’t need such files and that removing them doesn’t impact company workflows, so let’s block them without even analyzing them.
Does a technician in your IT department need to receive jar files? Fine, let’s add an exception for him. Firewall approach. Everything is blocked and we selectively unblock.

A very simple, even trivial, solution that removes most of the attack vectors.
We still have the documents though. Office documents, PDF files: such formats are now so complex that they can contain code that can do anything. What do we do with those? For sure we can’t block them.

Ok, it’s time for a one notch increase in complexity. One step towards a greater complexity justified by a real need. Let’s do it.

Let’s analyze the document. Does it contain code or not? If not, it goes through. Firewall approach. But what if it does contain code? For sure we can’t block all the spreadsheets with a macro! Right.

One more notch of complexity is justified. Let’s do it.
Now that we know that the document contains code, let’s roll up our sleeves and inspect what it does. Does it perform calculations in a spreadsheet, or other automation that is normal in a document? Ok, let’s define a set of safe operations and let them go through. Firewall approach. This analysis can be done quickly and safely, let’s do it.

Great, we’ve given the green light to documents with innocuous macros. What about the other ones? We can’t block them all, we risk causing some disruption.

Ok, one more notch of complexity. Why don’t we “clean” these files that we classified as “suspect”? We can remove the “active” content, the macro, the embedded ocx object, the javascript code in a pdf. Let’s remove such code and deliver an innocuous document. It can still be used as a document, but without code.

Here we are. We just need the finishing touches: define what to do with encrypted documents that we cannot analyze (easy, we block them because today they are one of the biggest vehicles of ransomware), and what to do in the unlucky case where a piece of malware manages to crash the sandbox in order not to be identified: in this case we categorize it as “indeterminate” and by default we remove all the active content. It’s simply good programming practice to foresee the case where someone manages to sabotage your sandbox (we still see sandboxes that, in such conditions, let through the malware that managed to undermine them).

Finally, let’s make the behaviour for safe, suspect, encrypted and indeterminate documents configurable by the sysadmin, so that the admin can decide what to let through, what to block and what to “clean”. Let’s also make sure that every time we modify a file we keep the original copy so that it can be recovered, should it be needed.
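The decision flow built up in the steps above, written out as an added example (not Libra Esva's implementation). The operation names, the extension list, the sample addresses and the canned analyzer are constructed assumptions; a real analyzer would parse the document itself.

```python
import os
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    SAFE = "safe"
    SUSPECT = "suspect"
    ENCRYPTED = "encrypted"
    INDETERMINATE = "indeterminate"


class Action(Enum):
    DELIVER = "deliver"
    CLEAN = "clean"   # strip active content and deliver the document
    BLOCK = "block"


# Hypothetical names for operations an analyzer might report for embedded code.
SAFE_OPERATIONS = frozenset({"cell_arithmetic", "cell_formatting", "sheet_navigation"})


@dataclass
class Attachment:
    filename: str
    recipient: str
    encrypted: bool = False


@dataclass
class Policy:
    # File types blocked without analysis, plus per-recipient exceptions.
    blocked_extensions: set = field(
        default_factory=lambda: {".exe", ".js", ".jar", ".scr", ".vbs"})
    exceptions: dict = field(default_factory=dict)  # recipient -> {extensions}
    # The admin-configurable mapping from verdict to action (defaults as in the text).
    actions: dict = field(default_factory=lambda: {
        Verdict.SAFE: Action.DELIVER,
        Verdict.SUSPECT: Action.CLEAN,
        Verdict.ENCRYPTED: Action.BLOCK,
        Verdict.INDETERMINATE: Action.CLEAN,
    })


@dataclass
class Decision:
    action: Action
    reason: str
    keep_original: bool = False  # True whenever the delivered file was modified


def classify(att, analyzer):
    if att.encrypted:
        return Verdict.ENCRYPTED          # cannot be inspected at all
    try:
        operations = set(analyzer(att))   # what the embedded code does, if any
    except Exception:
        return Verdict.INDETERMINATE      # analyzer crashed: never fail open
    if operations <= SAFE_OPERATIONS:     # no code, or only allow-listed operations
        return Verdict.SAFE
    return Verdict.SUSPECT


def decide(att, policy, analyzer):
    ext = os.path.splitext(att.filename.lower())[1]
    if ext in policy.blocked_extensions:
        if ext in policy.exceptions.get(att.recipient, set()):
            return Decision(Action.DELIVER, f"{ext} allowed for {att.recipient}")
        return Decision(Action.BLOCK, f"{ext} blocked without analysis")
    verdict = classify(att, analyzer)
    action = policy.actions[verdict]
    return Decision(action, verdict.value, keep_original=(action is Action.CLEAN))


def constructed_analyzer(att):
    """Constructed stand-in for a document parser: canned results by filename."""
    canned = {
        "budget.xlsx": {"cell_arithmetic", "cell_formatting"},
        "invoice.doc": {"download_file", "run_process"},
        "notes.pdf": set(),
    }
    if att.filename not in canned:
        raise RuntimeError("parser crashed on malformed input")
    return canned[att.filename]


if __name__ == "__main__":
    policy = Policy(exceptions={"it@corp.example": {".jar"}})
    for name in ("setup.exe", "budget.xlsx", "invoice.doc", "broken.docx"):
        print(name, decide(Attachment(name, "alice@corp.example"), policy,
                           constructed_analyzer))
```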

At this point the goal is reached, we protected from file-based attacks, including the ones that are not yet known, and we did it with the simplest solution possible. An analysis and a selective cleaning that are fast, that can be done while the mail is being analysed by the antispam engine, without uploading your files on a third party cloud service, without compliance and privacy issues, without introducing delays that impact on the workflows. Goal achieved with minimal complexity and minimal attack surface.

Protecting from malicious links

So? Should we absolutely avoid complexity in any case? No.
We should just use complexity where we need it, without fear, but considering it a cost that must be justified.

For example, complexity is more than justified to protect from malicious URLs.

The most frequent attack today is a mail coming from a legit sender (whose account is being used illegally), with a short and very generic text, which contains a link to a legit site (infected five minutes ago) into which malware has been injected that installs itself when the page is simply visited. One click and you get the ransomware.

This type of attack is a big problem because such a mail could slip through and not be identified as malicious. When the email is being analyzed, we rewrite the URL so that instead of pointing to that page, it now points to our sandbox; we’ll see that here a complex sandbox is justified. Let’s buy some time, because time is on our side: the more time passes, the easier it will be for us to identify a legit site that has just been infected. So let’s just rewrite the URL and postpone the analysis to the very last possible moment: the moment of the click.

When the click happens, the user’s browser lands in our sandbox which, only at this very moment, visits the page and analyzes it. It follows the redirects, it visits the page from multiple locations in order to highlight evasion techniques, it evaluates how the page presents itself to search engines, it looks for infection traces, phishing attempts and so on.

Let’s not economize on complexity, because here it is useful and pays back. Most importantly, here it is the sandbox that has the advantage: the malware cannot wait, it must manifest itself immediately, because the infection must happen when the page is loaded. Also, the techniques available for hiding from sandboxes are limited and we, visiting the page in many ways and from different “places”, can identify them. This is a huge advantage: just putting evasion techniques in place reveals the presence of the malware, including the most complex and not yet known, making it extremely vulnerable to our analysis.
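The rewrite-then-analyze-at-click flow can be sketched as follows. This is an added example, not the product's code: the sandbox endpoint, the key and the sample message are constructed, and the HMAC signature is an assumption added here so that the sandbox only resolves links it rewrote itself.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

SANDBOX_ENDPOINT = "https://urlsand.example/check"  # hypothetical endpoint
SIGNING_KEY = b"constructed-demo-key"               # constructed; keep real keys secret

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(url):
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_url(url):
    """Done while the mail is filtered: point the link at the sandbox."""
    if url.startswith(SANDBOX_ENDPOINT):
        return url  # already rewritten, keep the operation idempotent
    token = base64.urlsafe_b64encode(url.encode()).decode()
    return f"{SANDBOX_ENDPOINT}?{urlencode({'u': token, 's': _sign(url)})}"


def _rewrite_match(match):
    url = match.group(0)
    trimmed = url.rstrip(".,;:!?)")  # sentence punctuation is not part of the link
    return rewrite_url(trimmed) + url[len(trimmed):]


def rewrite_body(body):
    return URL_RE.sub(_rewrite_match, body)


def resolve_click(sandbox_url):
    """Done at click time: recover the original URL, or None if the link was forged."""
    query = parse_qs(urlparse(sandbox_url).query)
    try:
        url = base64.urlsafe_b64decode(query["u"][0]).decode()
        signature = query["s"][0]
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(signature, _sign(url)):
        return None
    return url  # only now is the page fetched and analyzed


if __name__ == "__main__":
    # Constructed sample message.
    mail = "Please review http://shop.example/invoice?id=7. Thanks"
    rewritten = rewrite_body(mail)
    print(rewritten)
    print(resolve_click(URL_RE.search(rewritten).group(0).rstrip(".")))
```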

Here is where the complexity is justified.

If you want to go deeper, here there is an explanation about how the file analysis works and here the one for the URLs.


Rodolfo Saccani, Security R&D Manager at Libra Esva

Spam volumes are increasing again

Almost everyone has heard about the takedown of many of the major spam botnets, with a general decrease in spam volumes in the last years.
Well, spam traffic appears to be on the increase once again in 2017.
EsvaLabs statistics show a steady increase in spam reports since the beginning of the year with a record of 96,4% spam rate in the last week!
From the above graphic, which summarizes spam rates for 2017, it’s clear that almost all the spam emails have been blocked at SMTP level, thanks to reputation and RFC compliance checks. Yet EsvaLabs researchers reported an increase in the percentage of malicious URLs and attachments in unsolicited emails.
The spammers don’t give up easily.

Anti-phishing techniques and tools

There is a big illicit business out there and it’s driven by a simple old trick: deception.
Deception is at the base of many online black and gray activities, from click baiting to ransomware.

Pair deception with email and what you get is email phishing.
The goal of e-mail phishing campaigns is to induce the victim to perform an action to the advantage of the attacker. It’s as simple as this.

In order to induce you to perform an action against your own interest, the attacker uses the following deception tools:
– a message that grabs your attention
– a sense of urgency
– a call-to-action

What if I tell you that your Apple account has been disabled and that you won’t be able to use your devices until you fix it?
What if you happen to know that money has just been withdrawn from your bank account? Maybe you should check immediately.
What if your mailbox quota has been exceeded and you won’t receive emails until you act?
Of course there are also incredible offers or you may be the winner of a great prize or maybe a young beautiful girl wants to know you.

I guess you’ve already experienced some of these messages, if not all of them.

So far for grabbing attention and transmitting a sense of urgency. What about the call-to-action?
The call-to-action, as usual, varies from clicking on a link to land on a site that drops its infective payload or asks you to enter personal information, to opening an attachment.

It’s important to note, though, the difference between mass phishing and targeted phishing, also known as spearphishing.
Spearphishing is phishing targeted at a specific person, building a credible message based on knowledge gathered on social networking sites or other sources. Spearphishing is much more difficult to detect.

For the first Libra Esva Partner Event, in May 2016, I did an interesting experiment. I used the open source framework gophish to create a phishing campaign in order to assess, in practice, how effective such campaigns are.
Gophish is one among many tools that make it easy to create phishing campaigns; it assists you in the whole process, from the creation of the email template and landing page to the real-time metrics and analytics. It’s a complete framework: it also acts as a web server to serve your phishing site.

Such phishing tools are particularly valuable for training your users not to fall for real phishing. You can run, for example, a phishing campaign on the employees of your company and then follow up with a training session. The phishing campaign has the advantage both of measuring the effectiveness of your training over time and of making the training more effective by attaching it to a real and direct experience.

In my test, I created a fake LinkedIn contact request by grabbing the content of a real LinkedIn email. I also grabbed the content of a LinkedIn login page to create my phishing landing page. Then I sent the phishing email to all the participants of the Partner Event.
The numbers surprised all of us.
We sent 44 emails, 24 of which have been opened. A respectable open rate of 54%.
18 “targets” clicked on the link and landed on our fake login page: 75% click-through rate.
We don’t know whether they attempted to enter their credentials or not because the page didn’t submit any data, it just informed the user of the phishing experiment when they pressed the “submit button”.

results of phishing test

In the end, 40% of the “targets” ended up clicking on the link and this is all you need in order to get infected.
40% is a huge number considering that this was a very security-literate audience.
Remember: just clicking on a random link can get you infected. If you are not convinced about this, just have a look at the security fixes that Microsoft releases every second Tuesday of the month and search for the ones flagged as “remote code execution vulnerability”.

Phishing is a real danger because it is effective and very affordable. The good news is that with a reasonable effort you can use phishing to raise awareness among your users and make your training more effective.

How can an email security appliance help with phishing?

The standard spam fighting techniques are not sufficient for phishing. Phishing emails often closely resemble real emails from your bank, your service provider, your colleagues. They often come from legit end-user email accounts illicitly used with passwords coming from database breaches (don’t reuse your passwords, use a password manager) or from infected computers. Content analysis must rely on the detection of subtle differences.

Besides AV engines, filename and filetype policies, and nested archive scanning, Libra ESVA provides “ESVA Labs”, which is based on collaborative detection and expert analysis. Administrators and users of our appliances can report false positives and false negatives to our ESVA Labs. These reports are immediately delivered to us along with the internal analysis performed by ESVA, and most of them are very pertinent. We don’t have to dig through hundreds of thousands of non-pertinent reports and we can quickly analyze them. Our analysis team updates and releases new detection rules usually within 30 minutes from the report; the new detection rules are automatically downloaded by all ESVA appliances every hour. Being quickly reactive is the key to fighting phishing.

Rodolfo Saccani

The Bot

From time to time a chatbot contacts me. If I have time, I enjoy finding out what kind of script the chatbot follows.

This time it was on gtalk.

As you can see from the following transcript, the chatbot didn’t care at all about my replies; it just waited for any input on my side and proceeded with its own script.

All the URLs have been truncated in order not to drive traffic towards them.



(15:17:23) [email protected]: Are you there??
(17:56:20) [email protected]: :-* hi
(17:56:50) Rodolfo Saccani: hi
(17:57:08) [email protected]: Im bored and wanted to meet new people… 24/female…you?
(17:57:26) Rodolfo Saccani: 4/dog
(17:57:43) [email protected]: I’m feeling a little naughty wanna have some fun ? 🙂
(17:58:09) Rodolfo Saccani: of course
(17:58:28) [email protected]: here’s a picture lol[truncated] you like? hehe =D
(17:59:26) Rodolfo Saccani: image no longer available
(17:59:36) [email protected]: Haha, you want some more?
(18:01:42) Rodolfo Saccani: more non existant images?
(18:01:59) [email protected]:[truncated] my turn.. wow. I’m soooo turned on right now!!
(18:02:44) Rodolfo Saccani: xyz
(18:02:57) [email protected]: Mmm…is the game getting “harder”? 😉
(18:03:03) Rodolfo Saccani: __
(18:03:24) [email protected]:[truncated] i want your cock baby really bad would you give it to me??
(18:03:54) Rodolfo Saccani: your images are very … texty
(18:04:13) [email protected]:[truncated] ok last one lol, you’d love to fuck me wouldnt you 😉
(18:04:54) Rodolfo Saccani: dddddddddddddddddddddddddddd
(18:05:14) [email protected]: Baby we really need to go on cam i cant wait anymore
(18:05:55) Rodolfo Saccani: qwerty
(18:06:10) [email protected]: Here i just invited you www.letsplayoncamz[truncated] try accepting that babe
(18:07:23) Rodolfo Saccani: ççç
(18:07:45) [email protected]: Its supposed to be the best app for this kind of thing, hurry up and accept!!!
(18:08:25) Rodolfo Saccani: abcdefghijklmnopqrstuvwxyz
(18:08:48) [email protected]: Its worth the annoying signup babe, wait until you see what we can do once you’re in
(18:09:19) Rodolfo Saccani: j
(18:09:43) [email protected]: Its free to join.. i promise.. but it will ask for a card i think.. im gonna get naughty and i cant have kids watching..
(18:10:10) Rodolfo Saccani: I love bots
(18:10:31) [email protected]: Ok babe.. talk to you in there.. gonna charge my phone.. mwa! xoxo
(18:11:04) Rodolfo Saccani: k

Rodolfo Saccani

A real email phishing experience

There are many email phishing techniques. Some phishing campaigns are mostly automated: a phishing landing page is created and a mass phishing campaign is launched to send victims to the landing page. On the attacker side, humans start getting involved only after the victims have provided personal information to the phishing landing page.

Other phishing campaigns involve human interaction with the victim from the beginning. It usually begins with an interaction via email (following a script) and then moves on to direct contact on the phone.

In this post I tell you about a real phishing campaign I pretended to fall for a couple of years ago. I decided to reply to one of the phishing emails I received in order to check what kind of script the attackers were following. During the email conversation the attackers seemed to follow their script no matter what I replied.

The conversation is in Italian, a very bad Italian clearly managed through automated translation tools. I will summarize each email in English.

Here is the first approach from the attackers:

Dr. Zuli <[email protected]>

caro Amico Sono il dottor Zuliu Hu direttore esecutivo di HSBC Hong Kong, ho una transazione commerciale di $ 12.5M e vi darò un risarcimento del 30% per il tuo aiuto in questo transaction.Email: [email protected] Saluti Dr Zuliu Hu

As you probably guessed, in this email Doctor Zuliu Hu in person is writing to me. He is the executive director of HSBC Hong Kong and he wants my help for a transaction of 12,5 million dollars. He will give me 30% for my help. He writes from a account and provides a to write to.

Ok, it’s time to fall for the phishing. Here is my reply:

Rodolfo Saccani <[email protected]>
Re: ciao

Mi puoi spiegare meglio come funziona la cosa?
Magari facciamo uno scambio di favori, anche io ho qualche milione di dollari da trasferire a Hong Kong.


In my first reply to this kind of phishing I usually write something sarcastic that a real person would understand but a bot wouldn’t. I asked Doctor Hu to explain to me how it works and I added that maybe we can exchange favors as I also have some million dollars to transact towards Hong Kong.

In this case I don’t think I was talking to a bot; probably it was a sort of call-center that was following a script and they probably didn’t even understand Italian or bother to read my emails.

In fact, here is doctor Hu in person replying to me from his account, this time with a very long email:

Zuliu Hu <[email protected]>


Grazie per la vostra risposta e il vostro interesse per aiutarmi in questa transazione. Come ho detto prima, a causa della questione a portata di mano ora, si reso necessario per me cerco il vostro aiuto, apprezzo il fatto che si pronti ad aiutarmi in esecuzione di questo progetto (transazione), e anche tu mi aiuter a investire i miei soldi nel vostro paese, sono abbastanza certo di questo. Non dovreste avere nulla di cui preoccuparsi, far di tutto per legge ad assicurare che il progetto va liscio, esso deve passare attraverso tutte le leggi della International Banking, hai la mia parola. Avendo deciso di affidare questa operazione nelle vostre mani, voglio ricordare che, ha bisogno del vostro impegno e diligente follow-up. Se si lavora seriamente, l’intera operazione dovrebbe essere finito in un paio di giorni perch tutto stato pianificato.

In primo luogo, io voglio sapere con precisione il tipo di occupazione che si fa e quanti anni hai, si dovrebbe notare che questo progetto alta intensit di capitale, questo il motivo per cui devo stare molto attento, ho bisogno della tua totale devozione e fiducia vedere attraverso questo. So che non abbiamo incontrato prima, ma io sono molto fiducioso che saremo in grado di stabilire la necessaria fiducia che abbiamo bisogno di eseguire questo progetto.

Apprezzo il fatto che si pronti ad aiutarmi in esecuzione di questo progetto; Mi piace noi per gestire questa transazione basata sulla fiducia e l’onest , prima di iniziare, lasciate che vi dia rapidamente le informazioni di prima mano sulla transazione. Come si gi a conoscenza, io sono il dottor Hu Zuliu l’ufficiale di credito in Hang Seng Bank Ltd., Hong Kong. Prima della guerra la Libia uno dei nostri Brg cliente. Mutassim Gheddafi che era con le forze Libia, ha fatto un deposito fisso vari per 18 mesi di calendario, con un valore di dodici milioni Five Hundred Thousand Stato Uniti Dollari nel mio ramo. Alla scadenza alcune comunicazioni stato inviato a lui, anche durante la guerra che ha avuto inizio nel febbraio 2011. Anche dopo la guerra un’altra notifica stata inviata e ancora nessuna risposta arrivata da lui. Pi tardi abbiamo scoperto che il Brg.Mutassim Gheddafi con suo padre era stato ucciso durante la guerra.

Dopo ulteriori indagini si scoperto che Brg.Mutassim Gheddafi non ha dichiarato alcun parente prossimo nei suoi documenti ufficiali, tra cui il lavoro di scrittura del suo deposito bancario. Cos , dodici milioni Five Hundred Thousand Stato Uniti Dollari giace ancora nella mia banca e nessuno sar mai fatto avanti per reclamarlo. Quello che mi preoccupa di pi che, secondo le leggi del mio paese alla scadenza dei tre anni i fondi torneranno alla propriet del governo di Hong Kong se nessuno si applica a richiedere i fondi. In questo contesto, il mio suggerimento per voi che io come voi come uno straniero di presentarsi come il parente pi prossimo al Brg. Mutassim Gheddafi, in modo che si sar in grado di file per il diritto di ricevere i fondi. Tutte le informazioni sui fondi sar noto a voi e atti di accordo con gli altri documenti di vitale importanza per la firma come nuovo beneficiario. Prima che io comincio avr bisogno di inviare me;

1 vostri nomi completi.:
. 2 Indirizzo attuale:
. 3 Occupazione:
. 4 Telefono:
5. Copia di qualsiasi forma di vostra identificazione (ID licenza Lavoro di guida o del passaporto internazionale) a scopo di documentazione. Voglio essere sicuro che sto transazioni con la persona giusta e io sar responsabile della tassa di documentazione giuridica.

Appena ricevo questi da te, io far iniziare il lavoro di carta. Spero che capirete perch ho bisogno di tutte queste cose, il denaro in questione grande e voglio garantire che conosco bene ed evitare future rappresentazione da qualcun altro prima di procedere a darvi tutti i dettagli per iniziare il progetto, lo far inviare il certificato di deposito che stato emesso a Brg.Mutassim Gheddafi al momento il denaro stato depositato.

La preghiamo di rispondere presto.

Dr Hu Zuliu


He thanks me for my interest and then he explains what information he expects from me.

He wants to know my profession and my age, my phone number and a copy of an ID document, this is an important transaction after all.

He explains that there is a bank account owned by Mutassim Gheddafi (one of the sons of Mu’ammar Gheddafi) who died. They found out that he hadn’t declared any relative in the official documents, so the plan is that I pretend to be one of his relatives and grab the money. Easy peasy.

Of all the information he asked for, in my next email I only provide the ID document. I made a quick search and found a fake driver license for a fake person named “Soldi Finiti” which, translated into English, sounds like “No more money”.

I reply incredulously: do I really have to act like I am a Gheddafi relative?? What am I supposed to do, come over there???

And I sign the email as “Soldi Finiti” which, by the way, doesn’t match with the name in the From field:

Rodolfo Saccani <[email protected]>

Ti allego la mia patente ma non ho capito una cosa. Devo far finta di essere parente di Geddafi?
E come faccio a dimostrarlo?
Cosa devo fare in particolare? Devo venire li?

Soldi Finiti


In his reply, Mr. Hu calls me by name: Soldi.

He doesn’t seem to care that I didn’t send all of the requested information and goes on with the script:

Zuliu Hu [email protected] tramite
Power Of Attorney Document

attenzione: Soldi

ho visitato il avvocato (john wang), ho fatto tutte le indagini necessarie sopra la vostra fondo eredita approvato con hang seng bank e la procedura di legale. quindi, in mio breve incontro di emergenza con l’avvocato; in proposito, desidero comunicheremo tutti i processi fanno beneficiare di tale fondi devono essere legale e che l’avvocato hanno accettato per dare il meglio us dei servizi giuridici sulla fornitura di vostra richiesta legale i documenti dei vari ministeri, nonch magistratura high court qui in hong kong.
nelle mie discussioni oggi con i dipendenti esecutivi anche con il regista straniero rimessa servizio e anche attraverso la mia conferma dalla rete running telex stanza dove il fondo stata informatizzata di trasferimento, ho scoperto che la tua eredit sar facilmente approvato in bits attesa la presentazione del legalizzazione di fondo / backup dei documenti per l’avvocato e mi occupo del servizio rimessa, tuttavia io sar responsabile delle tasse di avvocato e altri oneri da qui finora.
se siete in accordo con questa operazione allora sei consigli per firmare il potere allegato procura inviare via email a me per l’avvocato per avviare l’elaborazione documenti, i shall aggiornarvi su il passo successivo dopo aver ricevuto questo documento firmato allegata alla presente mail .
nota: questa operazione deve essere confidenziale perch molto importante.
Dr. Zuliu Hu


He met the lawyer and checked everything. Everything will be totally legal, of course, and all the papers from the various ministries and Hong Kong high court will be fine. He sends a document that I have to return signed.

Mr. Soldi Finiti signed the document and returned it:

Rodolfo Saccani <[email protected]>
Re: Power Of Attorney Document

Dr. Zuliu,

ecco il documento firmato. Aspetto istruzioni.

Soldi Finiti

Driver license

Mr. Hu sends me another long email, the tone is less formal and more friendly. After all, we are partners now:

Zuliu Hu <[email protected]>

to Rodolfo
Dear Partner,

Thank you for your reply; I am in receipt of your mail and identification. I pray that when this email reaches you it finds you and your family in excellent health and condition. I thank you for showing great responsibility and trust. I must also let you know that I feel at ease dealing with you, especially after the last email, even though we have not had a verbal conversation; please do not let me down. I have sent the details to my lawyer, who will put together the perfected paperwork to be sent to the bank for the release of the funds; this should take no more than 2-3 days.

Further to this, it is right that I inform you that, since we have decided to go into partnership to see that this project is completed and sealed soon, we will need to define our responsibilities before going far into the project, which will help both parties know what is expected of us at the right time.
Note: There are two options that will be convenient for transferring this money from my bank in Hong Kong. The options are below, and as my partner you will have to choose the one you think will be suitable for us in this transaction. In the meantime, I will be responsible for the legal fees for perfecting all the legal documentation to put you as the next of kin, which is more expensive than the options below.
1. I can transfer the funds to a security company in Europe that has the same banking convention with my bank. You will have to travel to the security company, after the funds have been successfully transferred to the company, to sign for the release of the funds and the transfer to your country. However, this security company is what I will have to look for at the office by checking our security information with the European countries.
2. You can also choose to set up an offshore transit account with a reputable bank in Europe that has the same telex type as my bank, so that the transfer of the funds does not raise any financial security eyebrows; this I will also look for. I will then wire the $ 12,500, 000 million dollars to the newly opened transit account that will be provided by you. The choice is yours, but I will advise you to make the wise choice.
However, it would have been very possible to get the funds through any designated account of your choice, but it is so unfortunate that this method cannot be used in executing a project of this kind and magnitude, because the monetary body might investigate the fund in question when a large sum of that amount is transferred into your account in your country directly. Basically, for this reason I decided that we use this bank or security company in Europe, which has a transaction terms agreement with the bank in Hong Kong, and both also share the same telex type.
This method stands as the fastest, safest and easiest means by which the fund can leave the escrow account, after all the documents in your name and favour have been filed for the application of the fund release. Kindly get back to me with your response after carefully reading the content of this mail so I can continue perfecting the documents in your name and favour and also furnish you with the contact information; all copies of the documentation will be sent to you for your perusal and file record as well. As soon as I hear from you, my lawyer will have them prepared.
I await your prompt reply to this mail.

Best regards to you and your family.

Dr hu zuliu.

In his friendly (but professional) email, Mr. Hu explains the available options.

Option 1 is to move the money to a European “security” organization that already has a partnership agreement with their bank (whatever this means); then I will go there to sign the papers and collect the money.

Option 2 is to let the money transit through an offshore account in a respectable European bank that has the same telex type as his bank (?!), so that the transfer doesn’t raise suspicion, and then make a bank-to-bank money transfer to my own bank account.

It’s my choice but he provides a suggestion: option 2 is way too dangerous, we will go with option 1. So much for “it’s your choice”.

He expects me to provide my opinion, so in my next email I say that I am not an expert in this kind of international transfer, so I put all my trust in his experience and competence:

Rodolfo Saccani <[email protected]>

Mr. Zulu,
I am no expert in these international transactions, so I rely completely on your experience and competence.

Please choose the best procedure yourself.


Zuliu replies with another long email; this time he calls me Rodolfo instead of Soldi. That’s fine: if he doesn’t care, I don’t either:

Zuliu Hu <[email protected]>

Dear Rodolfo,

Thank you for your reply; I thank you for showing great responsibility and trust. I must also let you know that I feel at ease dealing with you, especially after the last email, even though we have not had a verbal conversation; please do not let me down. I have sent the details to my lawyer, who will put together the perfected paperwork to be sent to the bank for the release of the funds. This should take no more than two or three days, but I will send you all the power of attorney documents for you to sign as soon as they are sent to me by the attorney.
In this light, I have sent you the bank's information so that you can make inquiries about the offshore / online account opening. I advise you, as I said earlier, to open an account with the bank so that once the funds are released, they will be transferred directly to your account and the transfer will not attract the monetary bodies, as the transfer will be seen as in-house (same telex type as my bank). You can then transfer the funds in safe bits to your main account for both of us. Please find the bank's information below.

Bank van der Post Belgium
Mr. Paul Vreke
Email: [email protected]
Tel: +32 484860420
Fax: +32 27065367

Please contact them with the following information: your names and telephone contacts (home, office and mobile number, and also fax number).
Note that you are to inform the bank that you wish to open an offshore account with their reputable bank, and they should advise you about the account. I await an update from you. Please get in contact with the bank so that the account opening can be fast. I call you brother so that we both understand that our trust in each other is that of blood. God bless you for your positive determination to influence our lives.

Dr. Hu Zuliu


Here we are: he provides my contact at this “Security” organization, which will manage the transfer and where I will go to sign the papers in order to get the money.

Now I am supposed to contact Mr. Paul in Belgium directly.

At this point I gave up: I stopped following the script, provided all this information to the police, and contacted Gmail and QQ to report the abuse of those email addresses.


Rodolfo Saccani

Malware evades Sandbox, can security solutions catch up with it?

Yesterday evening, I was reading some security feeds and I came across a great blog article posted by @a_de_pasquale, titled “New password Protected Macro Malware evades Sandbox and Infects the victims with Ursnif Malware!!”

I do not want to bore you with the malware's specific architecture and inner workings; if you wish, you can read the full story at the following link:

Three magic words captured my attention: “Malware evades Sandbox”!

The article goes deep into a sandboxing analysis and shows how opening the document with Microsoft Word in a fully sandboxed virtual machine and observing its behaviour fails to detect anything suspicious, so the document is considered safe while it is not!

At Libraesva we declare that our QuickSand Protection technology is “Virtually immune to sandbox evasion techniques!”.

Everything we do at Libraesva starts from real-life experience, and we stand by our commitment to deliver real protection and not pure marketing stuff!

Is that true? Or is our brand new QuickSand Protection technology vulnerable to this piece of malware, which evades all the security controls to infect the targeted machines?

Passion for our work drives us to be “always on”, and I was so keen to send this kind of stuff through our appliance and check the QuickSand Protection we offer that I started searching for the original document with my iPad.

Yesterday evening I promised myself to spare some family time and I left my notebook in the office, at least that was the intention.

Still, the temptation was too strong, and with my iPad I was only able to get the malware sample hashes posted on Payload Security, without being able to download and uncompress the sample itself.

So I took my daughter’s MacBook, registered at Payload Security to download the malware, extracted it, renamed the file to malware_sample.docx and fired up my Gmail account to send a new email to my business email, protected with Libra Esva. Note that the malware was analyzed for the first time on March 2nd 2017 by Payload Security, so I would have expected some kind of security warning.

Surprisingly, Gmail allowed me to attach the malware sample without any warning. All good. I sent the email and after 10 seconds I got it in my business inbox.


What happened? The email came through, but the original attachment (the malware sample) had been replaced by our QuickSand Protection warning: “QuickSand has removed the file “malware_sample.docx” because it contained suspect active content.”
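The warning above cites “suspect active content”. As an added example (not Libraesva's QuickSand code, whose internals this article does not describe), here is one way a gateway can flag macro-bearing Office attachments by reading the container statically instead of opening it in Word. The function names and the sample documents are constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy binary or encrypted Office file
MACRO_TYPES = (b"macroEnabled", b"vnd.ms-office.vbaProject")
ACTIVE_PARTS = ("/vbaproject.bin", "/activex/")
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def active_content_findings(filename, data):
    """Return the reasons an attachment carries, or may hide, active content."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1]
    if data.startswith(OLE2_MAGIC):
        # A real .docx is a ZIP package; an OLE2 container under that name is
        # a legacy binary document or a password-encrypted package.
        if ext in ("docx", "xlsx", "pptx"):
            findings.append("OLE2 container behind an OOXML extension")
        return findings
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        for name in names:
            if any(part in "/" + name.lower() for part in ACTIVE_PARTS):
                findings.append("active part: " + name)
        if "[Content_Types].xml" in names:
            types = pkg.read("[Content_Types].xml")
            # Macro-enabled packages use extensions ending in "m" (.docm, .xlsm).
            if any(t in types for t in MACRO_TYPES) and not ext.endswith("m"):
                findings.append("macro content type in a ." + ext + " file")
    return findings


def build_sample(with_macro):
    """Constructed OOXML-shaped ZIP for the demo; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        ctype = MACRO_CT if with_macro else PLAIN_CT
        pkg.writestr("[Content_Types].xml",
                     '<Types><Override PartName="/word/document.xml" '
                     'ContentType="%s"/></Types>' % ctype)
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            pkg.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()
```

Calling `active_content_findings("malware_sample.docx", build_sample(True))` reports both the VBA part and the extension mismatch, the latter being what renaming a macro-enabled document to .docx produces.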


To cross-check against the industry standards, I then submitted the sample to VirusTotal: this kind of malware still slips through 53 out of 55 AV engines on VirusTotal, 12 days after its first submission!

It seems the industry giants are still catching up with this kind of infections.

At that point I was pleasantly surprised by what we had done, and with a full sense of pride in our simple technology I started writing this article, focusing on some questions about cyber-security:

  • Do we need complicated and expensive technology to stop these threats?
  • Is the root problem due to a technological factor or to a social approach?

I trust we all agree on the latter, as the ransomware business relies on people's actions. And certainly we do not need fancy screenshots of a virtual environment running the malware without detecting it, just to have a nice report that breeds complacency. Not to mention the resources and time needed to run it, which introduce delays in people's productivity and undermine their privacy if the document is sent to a cloud sandbox for analysis. Libra Esva QuickSand Protection runs entirely at the gateway and does in-depth source code analysis; it takes a few seconds and it is very effective!


  • Can technology help educate people?

Sure it can! But what if we deliver a false sense of protection with marketing slogans that do not reflect real-life scenarios?

Why do most security vendors not disclose the reasoning by which they classify content as safe or dangerous? Is there anything to hide? Why is everything in cyber-security so complicated?

I believe that the correct approach is definitely based on transparency: explain your approach to people, tell them which checks you do, and don’t be afraid to detail why you missed a piece of malware or a malicious email. Do not build a wall between customers and support with complicated policies that discourage customers from asking.

And finally, do not let the fireworks of a fancy dashboard drive your development in the name of marketing. And do not stand behind sentences that are simply stupid: the end of ransomware! We block 100% of known malware! And more… Be pragmatic; customers are not stupid.

We need that kind of approach in cyber-security!


Lecco, March 14th, 2017

Eng. Paolo Frizzi