
SANS ISC InfoSec Handlers Diary Blog



A Federal Subpoena or Just Some More Spam & Malware?

Published: 2008-04-14
Last Updated: 2008-04-17 20:36:34 UTC
by John Bambenek (Version: 2)

We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case. It then asks them to click a link and download the case history and associated information. One problem: it's totally bogus. It's the typical "click-the-link-for-malware" spammer stunt. So, first and foremost, don't click on such links. An interesting component of this scam is that it properly identified the CEO and was sent to his e-mail address directly. It's very highly targeted in that way.

Second, the United States Federal Courts do not "serve" formal process over e-mail. While there is an electronic case management system, initial contact for a subpoena, lawsuit or other process is done the old-fashioned way... someone physically serving you. Presumably, if you had already been served you would have a lawyer handling the case for you. In that instance, the *lawyer*, not you, would be getting electronic notices from the court **after service has been handled**.

FOR LAWYERS ONLY:
Some key points for lawyers who are concerned about this. You know what a CM/ECF e-mail looks like. They are all formatted exactly the same and do not come with any pleading attached or inline in the e-mail itself. For the sake of not pointing out the flaws in this particular scam so the bad guys can "do it better" next time, I'm being somewhat vague here. All CM/ECF e-mails follow the same general format, have the same syntax in their subject, and look very form-based in the body. You've gotten thousands of these; if you see something radically different, I would log directly into the CM/ECF system and check the docket record there. Don't click on the links if you are suspicious. I'm sure a call to the Clerk of the Court would also help you get information; odds are the Clerk has heard of these kinds of e-mails circulating. But if you pay attention, the "fakeness" of these subpoenas should be obvious to you; the errors are pretty egregious. There are only two links that should be clickable in these e-mails... you've gotten thousands, you know which two I'm talking about. Also, pay attention to the URL given in these e-mails.

FOR EVERYONE ELSE: If you get a subpoena, take it to a lawyer. Don't click on links. And most importantly, no one renders service through e-mail right now, and if you tried, it wouldn't "count". If you have doubts, call the Clerk of the Court, the opposing party or a lawyer.

It would be nice if the CM/ECF e-mails were PGP-signed or otherwise digitally signed to ensure authenticity, and this scam might encourage the courts to take that step. However, the key point is this: if you are not a lawyer (or are not representing yourself pro se with ECF access), you will never get an e-mail from the court.

TECHNICAL DETAILS: The malicious code that gets downloaded is a CAB with acrobat.exe inside. It looks like there is good AV coverage of this right now. The malware then creates a Browser Helper Object (BHO) at %WINDIR%\system32\acrobat.dll and opens a hidden IE window to communicate with the command and control server. The BHO will also steal any certificates installed on the system. The C&C server is hard-coded to an ISP in Singapore at this time. (Thanks to Matt Richard of Verisign for the info.)
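A host-side check for the BHO registration described above, written as an added example for this diary (it is not code from the diary, from SANS ISC or from the analyst credited). It resolves each registered Browser Helper Object's DLL path, expanding %WINDIR%, unifying separators and ignoring case, and compares it with the %WINDIR%\system32\acrobat.dll location the diary gives. On Windows it reads the real registrations from the registry; elsewhere it runs on a constructed sample (placeholder CLSIDs and a fixed environment, both assumptions) so the matching logic can be exercised offline.

```python
"""Host-side check for the BHO described under TECHNICAL DETAILS.

Added example for this diary, not code from the diary or from SANS ISC.
Registered BHO DLL paths are normalised and compared with the location
the diary reports. Windows hosts are read live; other hosts use the
constructed sample at the bottom.
"""
import os
import re
import sys
from typing import Dict, Iterable, List, Tuple

# DLL location named in the diary.
KNOWN_BAD_BHO = r"%WINDIR%\system32\acrobat.dll"

# Registry key under which Internet Explorer enumerates BHOs
# (64-bit hosts also carry a Wow6432Node copy, not covered here).
BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

_ENV_REF = re.compile(r"%([^%]+)%")


def normalise(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references from the supplied environment (variable
    names are case-insensitive, as on Windows), unify separators and
    lowercase, so "%WinDir%/System32/ACROBAT.DLL" equals the diary's path."""
    env_ci = {name.upper(): value for name, value in env.items()}

    def expand(match: "re.Match[str]") -> str:
        return env_ci.get(match.group(1).upper(), match.group(0))

    expanded = _ENV_REF.sub(expand, path.strip().strip('"'))
    return expanded.replace("/", "\\").lower()


def find_suspicious_bhos(registrations: Iterable[Tuple[str, str]],
                         env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (CLSID, DLL path) pairs whose DLL resolves to the
    location the diary reports for the malicious BHO."""
    bad = normalise(KNOWN_BAD_BHO, env)
    return [(clsid, dll) for clsid, dll in registrations
            if dll and normalise(dll, env) == bad]


def collect_bhos_from_registry() -> List[Tuple[str, str]]:
    """Windows only: each subkey of BHO_KEY is a CLSID whose
    HKCR\\CLSID\\{clsid}\\InprocServer32 default value is the DLL path."""
    import winreg  # imported here so the module loads on non-Windows hosts

    found: List[Tuple[str, str]] = []
    for root in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            bho_key = winreg.OpenKey(root, BHO_KEY)
        except OSError:
            continue  # key absent under this hive
        with bho_key:
            index = 0
            while True:
                try:
                    clsid = winreg.EnumKey(bho_key, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                                        rf"CLSID\{clsid}\InprocServer32") as server_key:
                        dll, _kind = winreg.QueryValueEx(server_key, "")
                except OSError:
                    dll = ""  # CLSID registered without a resolvable server
                found.append((clsid, str(dll)))
    return found


# Constructed sample (placeholder CLSIDs, fixed %WINDIR%), used off-Windows.
SAMPLE_ENV = {"WINDIR": r"C:\Windows"}
SAMPLE_REGISTRATIONS = [
    ("{00000000-0000-0000-0000-000000000001}", r"C:\Program Files\Vendor\toolbar.dll"),
    ("{00000000-0000-0000-0000-000000000002}", r"c:\WINDOWS\System32\ACROBAT.DLL"),
    ("{00000000-0000-0000-0000-000000000003}", r"%WinDir%/system32/acrobat.dll"),
]

if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    registrations = collect_bhos_from_registry() if on_windows else SAMPLE_REGISTRATIONS
    env = dict(os.environ) if on_windows else SAMPLE_ENV
    hits = find_suspicious_bhos(registrations, env)
    for clsid, dll in hits:
        print(f"suspicious BHO {clsid} -> {dll}")
    print(f"{len(hits)} suspicious BHO registration(s)")
```

Path normalisation matters more than it looks: a registration may spell the same file with forward slashes, mixed case or an unexpanded %WinDir%, and a naive string compare would miss it.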

UPDATE 13:04 CDT: Here are the VirusTotal results... guess coverage isn't that good. If you have someone infected, back up data and reinstall. Targeted phishes like this ought to concern us more than general ones, and the only way to be safe is to "burn it down" and start over if an infection happens.

UPDATE 13:14 CDT: Here is another malware variant of the same thing, but VirusTotal only has 3/32.

UPDATE 4/17: We can share the two checkin/drop sites, 124.217.251.118 and 124.94.101.48. We suggest you watch out for port 80 traffic towards those systems or block those IP addresses entirely. The systems themselves are not currently offering any valid webpages, just acting as drop boxes/checkin sites. (djs)
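A network-side sweep for the two check-in/drop addresses above, written as an added example for this diary (not code from the diary or from SANS ISC). It scans flow records for connections to either address, rates port 80 hits higher than other ports since that is the channel the diary calls out, and emits outbound block rules in iptables syntax for the addresses. The record format and the sample lines are constructed for the example; the regex is the part to adapt to whatever your firewall or flow collector actually writes.

```python
"""Network-side check for the check-in/drop sites in the 4/17 update.

Added example for this diary, not code from the diary or from SANS ISC.
Flow records are matched against the two addresses the diary names;
port-80 connections are reported as high severity, anything else to
those hosts as medium. The record format below is constructed.
"""
import ipaddress
import re
from typing import Iterable, List, NamedTuple

# The two check-in/drop addresses given in the diary.
DROP_SITES = frozenset(ipaddress.ip_address(a) for a in ("124.217.251.118", "124.94.101.48"))

# Constructed record format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
_FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s*$"
)


class Hit(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    severity: str  # "high" for port 80 (the channel the diary describes), else "medium"


def scan_flows(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per record whose destination is a listed drop site.
    Lines that do not parse are skipped rather than raising, since real
    logs mix in headers and unrelated messages."""
    hits: List[Hit] = []
    for line in lines:
        match = _FLOW_RE.match(line.strip())
        if not match:
            continue
        try:
            dst = ipaddress.ip_address(match["dst"])
        except ValueError:
            continue  # e.g. "999.1.1.1" slipped past the loose regex
        if dst not in DROP_SITES:
            continue
        dport = int(match["dport"])
        hits.append(Hit(match["ts"], match["src"], str(dst), dport,
                        match["proto"].lower(),
                        "high" if dport == 80 else "medium"))
    return hits


def iptables_block_rules() -> List[str]:
    """Outbound DROP rules for the listed addresses, sorted numerically."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(DROP_SITES)]


# Constructed sample records (internal hosts from RFC 1918 space; one
# unrelated destination from RFC 5737 TEST-NET-2; one unparseable line).
SAMPLE_FLOWS = [
    "2008-04-17T14:02:11Z 10.0.5.23:49233 -> 124.217.251.118:80 tcp",
    "2008-04-17T14:02:40Z 10.0.5.23:49240 -> 198.51.100.7:443 tcp",
    "2008-04-17T14:03:02Z 10.0.5.88:51002 -> 124.94.101.48:8080 tcp",
    "collector restarted, resuming export",
    "2008-04-17T14:03:30Z 10.0.5.88:51010 -> 124.94.101.48:80 tcp",
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(f"[{hit.severity}] {hit.ts} {hit.src} -> {hit.dst}:{hit.dport}/{hit.proto}")
    print("\n".join(iptables_block_rules()))
```

Both internal sources in the sample would be candidates for the "back up and reinstall" treatment the earlier update recommends; the non-80 hit is kept because the diary's advice is to block the addresses entirely, not just the web port.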

--
John Bambenek / bambenek {at} gmail [dot] com
