Legal Threat Spam: Sometimes it Gets Personal
Yesterday, I spotted the following tweet mentioning me:
Needless to say, I got intrigued, and luckily the sender of the tweet was willing to share a sample.
The sample turned out to be a simple legal-threat malware e-mail written in German. The e-mail claimed that the recipient had downloaded a copyrighted movie and demanded legal fees. The invoice for those fees was supposedly contained in the attached ".cab" file.
From: "Johannes Ullrich"
To: [removed].de
Subject: [vorfall:132413123]
Good day,
On 01.08.2014 at 12:13:01 the film "Need for Speed" was downloaded from your computer with the IP address 192.0.2.1. Under §19a UrhG this is a criminal act. Our law firm must report this to the competent local court (Amtsgericht) unless you pay us an out-of-court penalty of 436.43 Euro.
Please find the invoice "1234.cab" in the attachment.
Yours faithfully,
Johannes Ullrich
+4991312341234
The attached .cab file runs a typical trojan downloader that can fetch various pieces of malware. A quick search shows a number of other reports of this e-mail with different "From:" names. It looks like it picks plausible German names, maybe from the contact lists of infected systems. My name isn't that terribly unusual, so I don't think this is targeted at all. Sometimes it is just an odd coincidence, and they aren't really after you.
In the case above, the "From" e-mail address is not related to me. However, if an attacker sends spam using your e-mail address, it is very useful to have DMARC configured for your domain. With DMARC, you give the receiving mail server the option to report back to you any e-mail that fails the DKIM or SPF checks. Only a few mail servers do so, but some of them are major public web mail systems. For example, here is a quick report I just received for a domain I own:
The attachment includes a report with details on why the e-mail was found to be suspect (of course, you should still be careful with attachments: these reports can be faked too!) ;-)
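As an added illustration (not from the original diary), here is a small parser for the DMARC aggregate report XML that arrives in those attachments; it pulls out the published policy and the source IPs whose mail failed both DKIM and SPF, which is what a campaign spoofing your domain looks like in such a report. The sample report and its addresses are constructed for the example, and since the attachment is untrusted input, parse it with the same caution you would any other attachment.

```python
# Added example: parse a DMARC aggregate ("rua") report and list sources
# whose mail failed both DKIM and SPF alignment for the reported domain.
import xml.etree.ElementTree as ET

# Constructed sample report; documentation-range IPs, not real senders.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>example-mailbox-provider</org_name>
    <report_id>12345</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.org</domain>
    <p>none</p>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>42</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>5</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
</feedback>"""


def parse_dmarc_report(xml_text):
    """Return (domain, published policy, [(source_ip, count, dkim, spf), ...])."""
    root = ET.fromstring(xml_text)  # untrusted input: consider defusedxml in production
    domain = root.findtext("policy_published/domain")
    policy = root.findtext("policy_published/p")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        rows.append((row.findtext("source_ip"), int(row.findtext("count")),
                     ev.findtext("dkim"), ev.findtext("spf")))
    return domain, policy, rows


def spoofing_sources(xml_text):
    """Source IPs and message counts where both DKIM and SPF failed."""
    _, _, rows = parse_dmarc_report(xml_text)
    return [(ip, n) for ip, n, dkim, spf in rows if dkim == "fail" and spf == "fail"]


if __name__ == "__main__":
    domain, policy, _ = parse_dmarc_report(SAMPLE_REPORT)
    print(f"domain={domain} published policy p={policy}")
    for ip, n in spoofing_sources(SAMPLE_REPORT):
        print(f"{ip}: {n} messages failed both DKIM and SPF")
```

With a published policy of p=none, receivers only report; moving to quarantine or reject is what actually stops the spoofed mail from being delivered.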