Phishing with Java?

I just received spam claiming that USPS just delivered a shipment. The enclosed “shipping label” is a .jar file.

I thought the fundamental claim of Java is that code runs within a sandbox, that it is isolated so that it cannot corrupt the host system. Did Java in its infinite wisdom decide that the sandbox was too limiting and relax the restrictions?

I’ve gotten a few of those. I always check the address. Plus USPS doesn’t send unless you tell it to. I just have them send SMS messages. Easier and safer.

I believe Java can open a web page from within a .jar applet. Semi-savvy users who might not click on a .exe attachment might still fall for a more innocent-sounding .jar attachment.

If the goal is to get a visitor to a page so that it can deliver the malware payload, a .jar might work.

Not all .jar files are Java archives. That one may just be named that way to get around file scanners and firewalls. If it’s a .jar, or even just an .exe, one can use 7zip to safely extract the contents. One wouldn’t get many results from the .exe, but at least then one can tell what kind of file it is, and from there do other forensics on the file.
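
The point made in the post above, that a file’s extension proves nothing and the bytes have to be inspected before anything is opened, can be demonstrated without any risk to the host. The following is an added example, not code from the thread or from any of its participants: it sniffs the leading magic bytes of a file, and if the container really is a zip/jar it lists the members, reads `Main-Class` from `META-INF/MANIFEST.MF`, and flags embedded executables and bytecode, all with the standard library and without executing anything. The signature table, the `build_sample_jar` "shipping label" and the `FAKE_JAR` bytes are constructed for the example; a real sample would be read from disk instead.

```python
import io
import zipfile

# Constructed magic-byte table: leading bytes -> human-readable kind.
SIGNATURES = {
    b"PK\x03\x04": "zip/jar (PKZIP local file header)",
    b"MZ": "Windows PE executable (DOS MZ header)",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"\xca\xfe\xba\xbe": "Java class file (or Mach-O fat binary)",
}


def sniff(data: bytes) -> str:
    """Identify a blob by its leading bytes, ignoring whatever extension it carries."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_jar(data: bytes) -> dict:
    """Statically inspect an alleged .jar: container type, member list, manifest
    entry point and embedded executables. Nothing in here runs the payload."""
    report = {"type": sniff(data), "entries": [], "main_class": None, "flags": []}
    if not data.startswith(b"PK\x03\x04"):
        # A .jar must be a zip container; anything else is a renamed file.
        report["flags"].append("not a zip container; extension is a lie")
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["entries"].append(info.filename)
            if info.filename == "META-INF/MANIFEST.MF":
                manifest = zf.read(info).decode("utf-8", "replace")
                for line in manifest.splitlines():
                    if line.startswith("Main-Class:"):
                        report["main_class"] = line.split(":", 1)[1].strip()
            # Peek at only the first bytes of each member: no full extraction,
            # which also keeps a zip bomb from blowing up the analysis box.
            with zf.open(info) as member:
                head = member.read(4)
            kind = sniff(head)
            if "executable" in kind:
                report["flags"].append(f"{info.filename}: embedded {kind}")
            if info.filename.endswith(".class"):
                report["flags"].append(f"{info.filename}: Java bytecode")
    if report["main_class"]:
        report["flags"].append(f"runnable jar, entry point {report['main_class']}")
    return report


def build_sample_jar() -> bytes:
    """Constructed sample: a minimal 'shipping label' jar with a manifest,
    a stub class and a PE file hidden inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: Label\r\n\r\n")
        zf.writestr("Label.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
        zf.writestr("dropper.exe", b"MZ" + b"\x90" * 62)
    return buf.getvalue()


# Constructed: a Windows PE renamed to .jar, which is what the post warns about.
FAKE_JAR = b"MZ\x90\x00" + b"\x00" * 60


if __name__ == "__main__":
    for name, blob in (("label.jar", build_sample_jar()), ("label_fake.jar", FAKE_JAR)):
        print(name, inspect_jar(blob))
```

For a file received by mail, `inspect_jar(open("label.jar", "rb").read())` gives the same report; the container type tells you whether 7zip will even have something to unpack, and the flags tell you what kind of follow-up analysis the contents deserve.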

Wouldn’t it be dishonest to name files with an extension other than the genuine article?

The Java environment has never been a sandbox in the security sense; it’s an execution environment. It uses the Java virtual machine to make things cross-platform compatible and provide easier development. It absolutely can touch the host machine like any other program.

Why would USPS go to that trouble to sneak a shipping label? It clearly is a scam hoping that I would click on malware.

He’s saying that the scammers are using a different mode than usual to try to evade (i.e. PDFs and Office docs get scanned more regularly). Jar files tend to raise even more alerts on an IDS than the others; however, some simpler systems won’t be able to evaluate them effectively and may choose to let a file through if they cannot classify it properly.

Oh, so it may not be Java bytecode.

I am not going to take the risk or bother to analyze what it is. Using a .jar file for malware made me curious enough to ask about it.

@bill hon1nbo is quite on the mark there.

If one can base64 encode it, then feel free to send the encoded version to me. I tend to collect code and analyse it for the fun of it.
