

14 April 2008

New Government Phish - This Time Targeting the US District Court

C-level execs on the radar once again

It looks like the folks who were spoofing government agencies and targeting C-level executives are at it again; this time spoofing the U.S. District Court. 

If you recall, starting around the end of May 2007 we saw a month-and-a-half-long wave of messages targeted at C-level executives. They carried a keylogger payload and used the lure of a fake complaint against the executive's company to get the recipients to infect themselves. This tactic was, unfortunately, very successful, which is why it hung around as long as it did. The spoofs used an effective social engineering tactic: they included both the name of the person receiving the scam and the name of their company. That fooled many into believing the message was legitimate, because it didn't carry the earmarks of the typical scam that is blasted out generically en masse.

This new scam follows this same basic social engineering tactic except it takes it one step further in that it also includes the phone number of the company being targeted.  This is just another way that the scammers are attempting to establish legitimacy with their intended target since it doesn't look like your everyday, run of the mill type of spam.

This type of attack, which targets C-level executives, is called "whaling." The name comes from the attackers trying to land the largest fish they can: people who are generally more affluent and have more to lose, both personally and professionally.

Below is an example of one of these messages (Some personal information has been redacted):

AO 88(Rev.11/94) Subpoena in a Civil Case
________________________________
 
Issued by the
UNITED STATES DISTRICT COURT   
________________________________
 
Issued to:      XXXXXXXXXXXXXXXXXXX
COMPANY NAME HERE
COMPANY PHONE NUMBER HERE    
 
SUBPOENA IN A CIVIL CASE
 
        
Case number:    91-201-NKE
United States District Court    
  
YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States 
District Court at the place, date, and time specifiied below.       
________________________________
 
Place:   United States Courthouse
880 Front Street
San Diego, California 92101     
        
Room:    Grand Jury Room
room 5217       
Date and Time:   May 7,2008
9:00 a.m. PST   
  
Issuing officers name and address: O'Mevely & Meyers LLP; 400 South Hope Street, Los 
Angeles
, CA 90071
     
________________________________
 
Please download the entire document on this matter(follow this link) and print it for your 
record. <hxxp://cacd-uscourts.com/ViewCase.php?case=91-201-NKE> 

This subpoena shall remain in effect until you are granted leave to depart by the court or 
by an officer on behalf of the court.
Any organisation not a party to this suit thas is subponaed for the taking of a deposition 
shall designate one or more offcers, directors, or managing agents, or other persons
to testify on its behalf, and may set forth, for each person designated, the matters on
wich
the person will testify. Federal Rules of Civil Procedures,20(b)(6).
 
Failure to appear at the time and place indicated may result in a contempt of court 
citation. Bring this subpoena with you to the courtroom and oresent it to the bailiff. Direct
any questions to the person requesting you to appear: City Prosecutor.

You'll notice a few spelling errors, which are the typical dead giveaway that something isn't quite right here (of course, the US District Court trying to communicate with you via email, which it never does, should have been the first one). They also went to the trouble of registering a new domain, cacd-uscourts.com.

Here is where it gets funny:

-- cacd-uscourts.com is the domain used. If this were really a government domain, wouldn't it have a .gov TLD?
-- This domain was registered two days ago to someone named Michael Rice who lives in the U.K.
-- Registration for the domain was done by a company named WEB4AFRICA
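To show how a mail filter could score the two giveaways listed above (a "government" name outside .gov, and a domain registered only days earlier), here is an added Python example; it is not MX Logic's code. The WHOIS registration dates, the scan date and the control message are constructed stand-ins, and a real deployment would look registration dates up via WHOIS/RDAP.

```python
import re
from datetime import date
from urllib.parse import urlparse

# The lure text quoted in the post. The link is kept defanged (hxxp://) and is
# re-armed only as a string so urlparse can read the host.
SAMPLE_BODY = """Please download the entire document on this matter(follow this link) and print it for your
record. <hxxp://cacd-uscourts.com/ViewCase.php?case=91-201-NKE>"""

# Constructed control message pointing at the genuine .gov host.
CLEAN_BODY = "Constructed control: http://www.uscourts.gov/rules"

# Constructed registration dates standing in for a WHOIS/RDAP lookup (assumption:
# the post says the domain was registered two days before 14 April 2008).
FAKE_WHOIS = {"cacd-uscourts.com": date(2008, 4, 12)}
SCAN_DATE = date(2008, 4, 14)  # constructed: the date of the post

GOV_KEYWORDS = ("uscourts", "irs", "court", "treasury")
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s<>'\"]+")

def extract_domains(body):
    """Return the host of every http/hxxp URL found in the message body."""
    hosts = []
    for match in URL_RE.findall(body):
        url = "http" + match[match.index("://"):]  # normalise hxxp -> http
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def flag_domain(host, today, whois=FAKE_WHOIS, max_age_days=7):
    """Return the reasons a host looks like a spoofed government domain."""
    reasons = []
    tld = host.rsplit(".", 1)[-1]
    if any(k in host for k in GOV_KEYWORDS) and tld != "gov":
        reasons.append("government keyword outside .gov")
    registered = whois.get(host)
    if registered is not None and (today - registered).days <= max_age_days:
        reasons.append("domain registered %d days ago" % (today - registered).days)
    return reasons

def scan_sample(body=SAMPLE_BODY, today=SCAN_DATE):
    """Map each linked host in the message to its list of findings."""
    return {h: flag_domain(h, today) for h in extract_domains(body)}

if __name__ == "__main__":
    for host, reasons in scan_sample().items():
        print(host, "->", "; ".join(reasons) or "no findings")
```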

It's been a while since we have seen this type of scam outside of the IRS spoofs that we have been seeing in accordance with tax season so I am sure it will get its share of victims.  No solid information yet on whether these new phish are being sent to the same C-level execs who were targets of last year's scams.  More information to come as it becomes available.


**** UPDATE 1 (4/15/2008 12:00pm MDT): We are still seeing these emails hitting our system at a rate of about 30 per hour.  Obviously very low overall volume, but that speaks to the precision of the targeting being used.  The highest hour that we have seen so far today was the 10am hour where we saw 50, and we basically saw none between midnight and 7am.  It appears that the cacd-uscourts.com domain that was hosting the malware yesterday has had its registration suspended by WEB4AFRICA.  The web site is no longer accessible.
Posted by smasiello at 1:29 PM | Link | 9 comments
Re: New Government Phish - This Time Targeting the US District Court
I saw these yesterday and began blocking at the firewalls.
Is there any info on what was downloaded when the site was accessed? Harmful or not harmful?
I accessed it as a test; I received an ActiveX message that immediately closed the browser. Now IE intermittently crashes with an acrobat.dll reportable error.
Posted by Lyle on April 15, 2008 at 12:43 PM

Re: New Government Phish - This Time Targeting the US District Court
Oh, man. I just found this post after my CEO brought it to my attention. The problem is he didn't tell me until after he downloaded the activex on his home computer. Does anyone know what I can do to neutralize the problem? I don't think my antivirus is going to be able to digest this one...
Posted by Damon on April 16, 2008 at 10:07 AM

Re: New Government Phish - This Time Targeting the US District Court
Since when is the government or any other judicial body sending subpoenas via email?!?! Are you people that f-ing stoopid?
Posted by Gary Black on April 17, 2008 at 7:14 AM

Re: New Government Phish - This Time Targeting the US District Court
I just spoke with a friend of mine who is working on remediating a customer of his that bought into this scam. And the customer is a very large organization who should know better - I guess you can't expect attorneys to understand technology, let alone security.
Posted by Sam Van Ryder on April 17, 2008 at 11:19 AM

Re: New Government Phish - This Time Targeting the US District Court
Damon,

Unfortunately, once a machine has been compromised, you really can't trust anything on it anymore. Whether it is a keylogger or some kind of rootkit component it's difficult to be sure without spending a lot of time doing forensics whether there are any fragments of the malware remaining on the machine.

In my opinion, your best bet in that type of situation is to give them a new PC and destroy the infected hard drive. That might be a bit extreme to some, but guarantees that the infection can't reintroduce itself as a result of some kind of rootkit that might have been contained as part of the malware payload.
Posted by Sam Masiello on April 18, 2008 at 1:45 PM

Re: New Government Phish - This Time Targeting the US District Court
Sam Van Ryder,

You bring up a good point.

It's unfortunate that people keep getting tricked into these types of scams, but that is also the exact reason why they are targeted the way that they are. A Federal Subpoena will mean a lot more to the CEO of a company than it will to the guy who works in the mail room. Even if the scam isn't very well orchestrated because of grammatical errors or other inconsistencies you can sometimes get a "knee jerk" reaction out of people also where they know they shouldn't open the attachment, but by the time they realize what they did it is too late.
Posted by Sam Masiello on April 18, 2008 at 1:49 PM

Re: New Government Phish - This Time Targeting the US District Court
Gary,

As other people have mentioned, it is not a matter of being stupid. When a CEO gets an official looking email whether it's from the IRS, US Court or BBB, it gets their attention.

What I find more troubling is your attitude. As IT professionals we're supposed to support and educate our customers not denigrate them.
Posted by Sean on April 24, 2008 at 7:24 AM

Re: New Government Phish - This Time Targeting the US District Court
Sean,

It's not even about IT, these people should know better. It is frightening that these are top-level people, not mail room schlubs. They could have brought these emails to the attention of their respective legal departments. There is no reason why a phone call or letter couldn't have been used to verify any claims made in some random email.

Do you see my point now? That is what they call "leveraging your resources". You can try and take the high road but, even you know they should have known better.
Posted by Gary Black on April 29, 2008 at 7:50 AM

Re: New Government Phish - This Time Targeting the US District Court
Sean,
One more thing, as far as "support and educate" my customers, I am not a lawyer nor can I educate anyone in common sense. Now if these people had any problems receiving or sending these scam emails, then that is where my support comes in.
Posted by Gary Black on April 29, 2008 at 8:01 AM
