My next class:

More Legal Threat Malware E-Mail

Published: 2010-04-13. Last Updated: 2010-04-13 13:35:41 UTC
by Johannes Ullrich (Version: 1)
10 comment(s)

This is more of a reminder then "breaking news". But it may be worthwhile to include this in an awareness newsletter or similar presentation to keep your staff up to date on current social engineering malware. Our reader Andy sent us this e-mail he received. The domain name in the link has been modified. We of course had similar malware in the past claiming to be court documents or intellectual property violation notices.

----------------
Subject: Notice: Contract terms breached.

5 April, 2010
Hello,

You are hereby put on notice that as of 7/1/2010 you are in breach of our contract dated 3/12/2007.
The nature of said breach is: False Advertising, Breach of Contract, Bad faith Breach of Contract, Fraud and Deceit.
It is our desire to inform you of the foregoing and afford you the opportunity to cure said breach.
You may in any event be held responsible for all damages arising from said breach.

To view a copy of the complaint please visit our company website: http://---URL REMOVED---/
Please use the CASE ID located at the end of the document to find the copy of the complaint.


You have until 10th of May 2010 to cure said breach, after which we will be forced to pursue further legal action.
Regards,
Jim Karter

CASE ID: 4322524

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: malware social engineering spam
10 comment(s)
My next class:

Comments

We just received the same junk mail this morning, as well as another:

----------------
Subject: Complaint regarding Breach of Contract.

Notice is hereby given that we cancel our contract dated 0/1/2007 for the following reason.
That on 8/4/2010, you breached said contract in the
following respect: .
Cancellation of said contract is effected in respect to that certain installment delivered on 2/6/2010, and for any subsequent delivery of goods, contracted for in said contract, inasmuch as your breach impairs the contract as a whole.
We claim damages from you in the amount of $22,981.55

If you would like to view a copy of the full complaint please visit our website and search for your Case ID at the bottom of this letter.

http://---URL REMOVED---/

Sincerely,

kt

Apr 13th 2010
1 decade ago

We had six of these on 4/12 targeting HR and C-level users. The first URL was not blocked by our web filtering system. Following the redirect and obfuscated-script trail, the second two hops were blocked, so no users were affected, though one did click through...

PaulJ

Apr 13th 2010
1 decade ago

Would anyone be willing to post the URL so that I could block it?

Davef

Apr 13th 2010
1 decade ago

Davef, here you go: (remove all of the spaces)

h t t p : / / w w w . l a w - t o - d a . c o m

Chris

Apr 13th 2010
1 decade ago

Has anyone seen a consistent Sender email address or domain that we could use to update our Spam filters? Thanks in advance

DG

Apr 13th 2010
1 decade ago

There is another URL as well, http://www. durand blaw. com
(remove spaces)

The sender addresses varied.

Bob

Apr 13th 2010
1 decade ago

No consistency to the senders or source IPs, this was very low volume and very targeted.

PaulJ

Apr 13th 2010
1 decade ago

A reminder: when you receive malware like this, _PLEASE_ report the domain names to malwaredomains.com so that others can benefit.

Thanks!

John Hardin

Apr 15th 2010
1 decade ago

I've had similar emails come through with a URL link via IP not domain name. The URL is http://75.119.193.234/

phishphreek

Apr 19th 2010
1 decade ago

Another run over the past couple of days is using www.t h o m a s - a n d - h a r r i s.com

PaulJ

Apr 26th 2010
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives