
SANS ISC: More Legal Threat Malware E-Mail - SANS Internet Storm Center SANS ISC InfoSec Forums


More Legal Threat Malware E-Mail

This is more of a reminder than "breaking news". But it may be worthwhile to include this in an awareness newsletter or similar presentation to keep your staff up to date on current social engineering malware. Our reader Andy sent us this e-mail he received. The domain name in the link has been modified. We of course had similar malware in the past claiming to be court documents or intellectual property violation notices.

----------------
Subject: Notice: Contract terms breached.

5 April, 2010
Hello,

You are hereby put on notice that as of 7/1/2010 you are in breach of our contract dated 3/12/2007.
The nature of said breach is: False Advertising, Breach of Contract, Bad faith Breach of Contract, Fraud and Deceit.
It is our desire to inform you of the foregoing and afford you the opportunity to cure said breach.
You may in any event be held responsible for all damages arising from said breach.

To view a copy of the complaint please visit our company website: http://---URL REMOVED---/
Please use the CASE ID located at the end of the document to find the copy of the complaint.


You have until 10th of May 2010 to cure said breach, after which we will be forced to pursue further legal action.
Regards,
Jim Karter

CASE ID: 4322524

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Johannes

3059 Posts
ISC Handler
We just received the same junk mail this morning, as well as another:

----------------
Subject: Complaint regarding Breach of Contract.

Notice is hereby given that we cancel our contract dated 0/1/2007 for the following reason.
That on 8/4/2010, you breached said contract in the
following respect: .
Cancellation of said contract is effected in respect to that certain installment delivered on 2/6/2010, and for any subsequent delivery of goods, contracted for in said contract, inasmuch as your breach impairs the contract as a whole.
We claim damages from you in the amount of $22,981.55

If you would like to view a copy of the full complaint please visit our website and search for your Case ID at the bottom of this letter.

http://---URL REMOVED---/

Sincerely,
Anonymous

We had six of these on 4/12 targeting HR and C-level users. The first URL was not blocked by our web filtering system. Following the redirect and obfuscated-script trail, the second two hops were blocked, so no users were affected, though one did click through...
Paul

44 Posts
Would anyone be willing to post the URL so that I could block it?
Anonymous

Davef, here you go: (remove all of the spaces)

h t t p : / / w w w . l a w - t o - d a . c o m
Chris

4 Posts
Has anyone seen a consistent Sender email address or domain that we could use to update our Spam filters? Thanks in advance
Anonymous

There is another URL as well, http://www. durand blaw. com
(remove spaces)

The sender addresses varied.
CBob

18 Posts
No consistency to the senders or source IPs, this was very low volume and very targeted.
Paul

44 Posts
A reminder: when you receive malware like this, _PLEASE_ report the domain names to malwaredomains.com so that others can benefit.

Thanks!
John Hardin

62 Posts
I've had similar emails come through with a URL link via IP not domain name. The URL is http://75.119.193.234/
Anonymous

Another run over the past couple of days is using www.t h o m a s - a n d - h a r r i s.com
Paul

44 Posts
