
MX Logic » MX Logic IT Security Blog

27 February 2008

Heads Up! New Government Spoof with Malware Payload



Looks like the government agency spoofs from last summer have returned!

During May/June, 2007 we saw nearly weekly variants of emails being spammed that were spoofing different government agencies, largely targeted towards C-level executives, and containing a keylogger payload. These emails started off with the malware attached to the email message itself, then migrated to a pull infection model where the user downloaded the malware off of a web site via a link embedded within the message.

Starting today we've started to see a resurgence of this tactic, but this new variant is spoofing the Department of Justice. This department had not been one of the spoof targets of the previous spam runs. Below is a redacted screen shot of the new scam (courtesy of McAfee):



As you can see from the above screen shot, the message has an attachment named complaint.zip which contains the malware payload. 

A couple of similarities in social engineering tactics between this scam and the previous scams from this summer are the inclusion of the name of the person and the name of the company that the message is being sent to.  You'll notice from the screen shot that there are also grammatical errors and misspellings. 

A few particular examples that I have seen were sent from IPs in Italy.  Somehow I doubt the DoJ has contracted with anyone in Italy to start sending legitimate complaint notices :)

Volumes of this scam have been pretty low; on the order of a few hundred being seen by our Threat Operations Center per hour. No information yet as to specific targeting of this scam. This post will be updated as more information becomes available.
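
A triage check for the traits described in this post (an agency name in the sender, a zip attachment such as complaint.zip, and the recipient's name and company in the body), as an added example that is not part of the original post. The term list, function names, reason labels and sample messages are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed term list; extend with the agencies relevant to your mail flow.
AGENCY_TERMS = ("department of justice", "usdoj")
ARCHIVE_EXTS = (".zip",)

def triage(raw: bytes, recipient_name: str, company: str) -> list[str]:
    """Return which of the post's traits a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    # Trait 1: sender claims to be a government agency (From is forgeable,
    # so this is a content trait, not proof of origin).
    sender = str(msg.get("From", "")).lower()
    if any(term in sender for term in AGENCY_TERMS):
        reasons.append("agency-sender")
    # Trait 2: archive attachment such as complaint.zip.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_EXTS):
            reasons.append("archive-attachment:" + name)
    # Trait 3: body names both the recipient and the recipient's company.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    if recipient_name.lower() in text and company.lower() in text:
        reasons.append("personalized-body")
    return reasons

def hold_for_review(reasons: list[str]) -> bool:
    """Hold only when all three traits coincide, to limit false positives."""
    kinds = {r.split(":")[0] for r in reasons}
    return {"agency-sender", "archive-attachment", "personalized-body"} <= kinds

def build_message(sender: str, body: str, filename: str) -> bytes:
    """Build a constructed sample message (not a captured sample)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "jane.doe@example.com"
    m["Subject"] = "Constructed sample"
    m.set_content(body)
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    raw = build_message('"Department of Justice" <notice@example.invalid>',
                        "Dear Jane Doe,\nA complaint was filed against Example Corp.\n",
                        "complaint.zip")
    print(triage(raw, "Jane Doe", "Example Corp"))
```

The recipient's name and company would come from a directory lookup on the envelope recipient, which this example takes as parameters.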

Posted by smasiello at 10:26 PM
