
SANS ISC: Legal Threat Spam: Sometimes it Gets Personal - SANS Internet Storm Center


Legal Threat Spam: Sometimes it Gets Personal

Yesterday, I spotted the following tweet mentioning me:

Needless to say, I got intrigued, and luckily the sender of the tweet was willing to share a sample.

The sample turned out to be a simple legal-threat malware e-mail written in German. The e-mail claims that the recipient downloaded a copyrighted movie and demands legal fees; the invoice for those fees is supposedly in the attached ".cab" file.

From: "Johannes Ullrich"  
To: [removed].de
Subject: [vorfall:132413123]

Good day,

On 01.08.2014 at 12:13:01 the film "Need for Speed" was downloaded from your computer with the IP address 192.0.2.1. Under §19a UrhG this is a criminal act. Our law firm must report this to the competent district court unless you pay an out-of-court penalty of 436.43 euros to us.
Please find the invoice "1234.cab" in the attachment.

Respectfully,
Johannes Ullrich
+4991312341234

The attached .cab file carries a typical trojan downloader that can fetch various other pieces of malware. A quick search shows a number of other reports of this e-mail, with different "From:" names. It looks like the campaign picks plausible German names, maybe from the contact lists of infected systems. My name isn't that terribly unusual, so I don't think this is targeted at all. Sometimes it is just an odd coincidence, and they aren't really after you.

In the case above, the "From:" e-mail address is not related to me. However, if an attacker sends spam using your e-mail address, it is very useful to have DMARC configured for your domain. With DMARC, you publish a DNS record for your domain that tells receiving mail servers what to do with mail that fails the DKIM and SPF alignment checks, and where to send reports about it: aggregate reports (the "rua" tag) summarizing what was seen per sending IP, and per-message failure reports (the "ruf" tag) for individual e-mails. Only a few mail servers send such reports, but some of them are major public webmail systems. For example, here is a quick report I just received for a domain I own:


(click on image for full size)

The attachment includes a report detailing why the e-mail was found to be suspect (of course, you should still be careful with attachments: these reports can be faked too!) ;-).
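As an added example (not code from the ISC diary), the following Python script shows what such a record and report look like in practice: it parses a DMARC TXT record into its tags and summarises an aggregate report in the RFC 7489 XML format, picking out the sending IPs that used the domain without passing aligned SPF or DKIM. The record, the domains, the addresses and the report content are all constructed for illustration; only the tag names and XML element names are the real DMARC ones.

```python
# Added example, not from the ISC diary: parse a DMARC TXT record and
# summarise a DMARC aggregate (rua) report.  The record, the domains and
# the XML report below are constructed for illustration.
import xml.etree.ElementTree as ET

# Constructed record as it would be published at _dmarc.example.com.
# p= is the policy for unaligned mail; rua= receives aggregate reports,
# ruf= per-message failure reports (fo=1: report if either SPF or DKIM fails).
DMARC_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-agg@example.com; "
                "ruf=mailto:dmarc-fail@example.com; fo=1; adkim=s; aspf=r")


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into tag/value pairs and check the required tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: 'v=DMARC1' must come first")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none, p=quarantine or p=reject")
    return tags


# Constructed aggregate report in the RFC 7489 Appendix C XML layout.  The
# first <record> is a spoofer: SPF passes for its own envelope domain, but
# that domain is not aligned with the From: header, so DMARC still fails.
AGGREGATE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mail.example.net</org_name><report_id>12345</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>s</adkim><aspf>r</aspf><p>quarantine</p></policy_published>
  <record>
    <row>
      <source_ip>192.0.2.1</source_ip><count>3</count>
      <policy_evaluated>
        <disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>spammer.invalid</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>42</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_aggregate_report(xml_text):
    """One dict per <record>: which IP sent mail using our domain, how much,
    and whether it passed DMARC (DKIM or SPF aligned with the From: domain)."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        verdict = row.find("policy_evaluated")
        dkim, spf = verdict.findtext("dkim"), verdict.findtext("spf")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": dkim,
            "spf": spf,
            "disposition": verdict.findtext("disposition"),
            "aligned": dkim == "pass" or spf == "pass",
        })
    return rows


def spoofing_sources(xml_text):
    """Sending IPs whose mail failed both aligned DKIM and aligned SPF."""
    return sorted(r["source_ip"] for r in summarize_aggregate_report(xml_text)
                  if not r["aligned"])


if __name__ == "__main__":
    print(parse_dmarc_record(DMARC_RECORD))
    for r in summarize_aggregate_report(AGGREGATE_REPORT):
        print(r)
    print("IPs spoofing our domain:", spoofing_sources(AGGREGATE_REPORT))
```

Real aggregate reports arrive as gzip- or zip-compressed XML attachments, so in practice you decompress the attachment first and feed the XML to the same function. The point of the first constructed record is the one that trips people up: an SPF "pass" on the spammer's own envelope domain is not enough, because DMARC only counts a pass whose domain aligns with the visible From: header.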

 

---
Johannes B. Ullrich, Ph.D.

