Monday, September 15, 2014

September 11th Thoughts

Where were you on September 11, 2001?

My own story actually begins on September 6, 2001. That is the day when I hosted the first InfraGard meeting in Birmingham, Alabama. More than sixty security professionals came to Energen headquarters to hear a description of the InfraGard program and a presentation by Special Agent Mike Mauldin, who described to us that when terrorists decide to attack our country, they may actually attack our critical infrastructures rather than mount a direct military vs. military attack.

Five days later I was in Carlsbad, California, where I was supposed to be speaking to a Network Associates Customer Council meeting. I received the phone call early (Pacific time) from my wife, who told me to turn on the television. I got up, got dressed, and went down to the bar where people were gathering to watch the big-screen TV and try to decide what to do. Obviously, the meeting was canceled. Both planes had hit before my wife called me, but we watched together in horror as the building collapsed. I went back to my room, called my wife, and told her that I would be home as soon as possible, but that I was going to have to drive.

I had 40 hours alone in the car to think about what was going on. To think about what was important. To think about whether I was "making a difference" in what I did for a living. It was a life-changing event.

The 9-11 Memorial

Last year, my wife and I had the chance to visit the 9-11 Memorial in New York City. When we first exited the subway, we could see the new Freedom Tower.

The memorial consists of two very large square pools at the locations of the original Twin Towers, each with a waterfall heading into a bottomless pit. The names of the victims of the 9/11 attacks are engraved on the edges of the memorial.

The key shows that the names of First Responders are at the bottom left corner of the South Pool, which is the first place that those visiting the memorial will see. The names of those in each tower are on their respective towers, and the victims of the Pentagon and the "non twin tower" flights have also been recorded in the memorial.

While my wife and I were there as both Americans and as tourists, I had come to the memorial looking for one particular name. While there is an option to look up the names before you go to find their exact location, I told my wife that I would rather just walk around both memorials until I found the name I was looking for.

I was looking for the name John P. O'Neill. John was featured in a New Yorker story called "The Counter Terrorist" and has a page on PBS FrontLine: The Man Who Knew. John started working at the FBI at age 18 as a tour guide, but after college returned as an agent and was sometimes mocked for his obsession with terrorism in general and Al Qaeda in particular. He was already investigating "the Blind Sheikh" prior to the first World Trade Center bombing, and his dedication to the investigation revealed the relationships between the various attacks the U.S. and its interests suffered around the world. His story is also detailed in the book The Man Who Warned America: The Life and Death of John O'Neill, the FBI's Embattled Counterterror Warrior.

I wore my Birmingham FBI shirt that day and had my wife take a picture of me standing by his name.

Many that day were victims and many were heroes. John O'Neill was the latter. People like him inspire me to do what I do in my own small way to try to protect our country.

InfraGard

Last week I was able to attend the National InfraGard Congress up in DC. I saw dozens of other American citizens who each represented their InfraGard chapter and some of the tens of thousands of InfraGard members who are each doing their part to make sure our country is as safe as they can make it. We heard from FBI Director James Comey, who presented awards to many of our members and the FBI InfraGard coordinators who work with us. We heard from FBI Assistant Director Joseph Demarest, the creator of the FBI's "New Cyber" program, and from FBI Section Chief, John Riggi, National Cyber Operations and Outreach Section, and from FBI Unit Chief, John Pi, a computer programmer turned medical doctor turned FBI Special Agent who now leads the FBI's National Industry Partnership Unit, which leads the InfraGard program from the FBI side of the partnership. Each of them stressed the same point. The FBI can't do this job alone. They need the partnership and support of the American public, and ESPECIALLY that portion of the public who is trained in security and cyber security. If your job is related to Critical Infrastructure protection, I hope you will consider joining InfraGard, because as a member of the security community, you know things about YOUR critical infrastructure that our friends in government do not know, or do not know at the same level of expertise as you.

The Birmingham InfraGard still meets on the Second Tuesday of the month, as we have every month since 9/11. If you are in the Birmingham area, we'd love for you to join us.

And if you don't work in Critical Infrastructure, I still hope you will consider, "What can I do in my role at work, at home, or in our educational system, to help educate the public about risks and threats and to help make our nation safer?"

Monday, August 18, 2014

Counterfeit Legal Notices continue to spread malware

Today a friend mentioned that they had seen several ASProx messages being distributed by domains that looked like law firm names warning of court appearances. I was a bit surprised that this was news to him, as we've been seeing this for some time. I thought it might be interesting to try to identify when the campaign began.

First, I was fairly certain that the campaign my friend referred to was the "Notice to appear" spam that we've written about so many times at Malcovery, but this does seem to be a bit different from the "law firm of the day" notice to appear campaigns we've seen imitating groups like Green Winick and many others including Jones Day (jonesday.com), Latham & Watkins (lw.com), Hogan Lovells (hoganlovells.com), and McDermott Will & Emery (wme.com). Those campaigns were all examples of the ASProx malware. But how are those different from the "truck lawyer" campaigns? It seemed worth taking a look.

So far in August 2014, the daily count of these spam messages has looked like this:

 count |    date    
-------+------------
  1528 | 2014-08-01
   204 | 2014-08-02
  1375 | 2014-08-04
  1670 | 2014-08-05
  1571 | 2014-08-06
  1967 | 2014-08-07
  1541 | 2014-08-08
   129 | 2014-08-09
     1 | 2014-08-10
  1182 | 2014-08-11
  1399 | 2014-08-12
   191 | 2014-08-13
    58 | 2014-08-14
    25 | 2014-08-15
     1 | 2014-08-16
    21 | 2014-08-18
(16 rows)

While many of the campaigns used subject lines that included randomization, quite a few subjects did not, including these:

11727  Urgent court notice
11693  Hearing of your case in Court
11182  Notice to appear
9935  Notice of appearance in court
8424  Notice to Appear
7433  Notice of appearance
7108  Notice to appear in court
6612  Notice to Appear in Court
 643  Court hearing notice
 568  Pretrial notice
 441  Mandatory court appearance

We've seen more than 200 different "law" names involved in this campaign, including many truck-related law domain names. Here's the batch so far just in August:

  count |                            sender_domain                            
-------+---------------------------------------------------------------------
     7 | accidentlawyers505.com
     1 | addictionrecoverylawyers.com
   328 | alabamatruckaccidentlawyers.com
   375 | alaskatruckaccidentlawyers.com
   352 | albanycountyelderlawyers.com
    11 | americanaccidentlawyers.com
     8 | anewgenerationoflawyers.com
    17 | arizonaspecialedlawyers.com
   363 | arizonatruckaccidentlawyers.com
   358 | arkansastruckaccidentlawyers.com
    12 | auburnbankruptcylawyers.com
    11 | aviationlawyersnetwork.com
   387 | az-lawyersadvice.com
     6 | bellevuebankruptcylawyers.com
   379 | bensonlawyers.com
     1 | bestlawyersinphoenix.com
     8 | bestlosangeleslawyers.com
   355 | best-ontario-lawyers.com
   361 | biofuelawyers.com
   360 | bronx-injury-lawyers.com
   316 | bronx-personal-injury-lawyers.com
    15 | brooklynelderlawyers.com
   371 | brooklyn-lawyers.com
    12 | bvslawyers.com
   326 | calgarydependentadultlawyers.com
   356 | californiatruckaccidentlawyers.com
   299 | californiaviolentcrimeslawyers.com
     5 | canadianduilawyers.com
   362 | capeannlawyers.com
   311 | caraccidentlawyerskc.com
     8 | career-lawyers.com
   318 | childsupportlawyerslosangeles.com
    13 | colobklawyers.com
   409 | coloradotruckaccidentlawyers.com
   395 | columbus-dui-lawyers.com
     9 | commoninterestlawyers.com
   326 | compasslawyers.com
   390 | connecticuttruckaccidentlawyers.com
    14 | contracosta-caraccident-lawyers.com
    17 | criminalcourtlawyers.com
   334 | criminaldefenselawyers360.com
     4 | crownpointindianawilltrustsprobateestatelderlawattorneyslawyers.com
     9 | csduilawyers.com
     5 | deferredstatuslawyers.com
   401 | delawaretruckaccidentlawyers.com
     1 | divorcelawyersinjacksonvillefl.com
     8 | drugcrimedefenselawyers.com
     5 | dubairealestatelawyers.com
     4 | easternnclawyers.com
    11 | employmentlawyersfortlauderdale.com
    10 | ernestolawyers.com
    10 | escortdefenselawyers.com
     1 | estateprotectionlawyers.com
    12 | falveylawyers.com
   354 | familylawyersoforangecounty.com
    10 | fla-injury-lawyers-blog.com
     9 | fl-criminal-defense-lawyers.com
    10 | fl-criminal-lawyers-blog.com
     7 | fllawyersonline.com
    11 | florida-criminal-defense-lawyers.com
     9 | floridaseniorlawyersassoc.com
   370 | floridatruckaccidentlawyers.com
    15 | fortmyersrealestatelawyers.com
    12 | garzalawyers.com
     9 | gatewaylawyers.com
   388 | georgiatruckaccidentlawyers.com
    12 | gofindlawyers.com
    13 | greatnecklawyersassociation.com
    10 | hartfordctlawyers.com
   361 | hawaiitruckaccidentlawyers.com
     9 | hcvlawyers.com
   351 | highdesertlawyers.com
     7 | hounslowlawyers.com
   372 | houstonmesotheliomalawyers.com
     6 | hphlawyersonbloor.com
     9 | huntingtonaccidentlawyers.com
   385 | idahotruckaccidentlawyers.com
    13 | illinoisbicyclelawyers.com
   347 | illinoistruckaccidentlawyers.com
   308 | immlawyers.com
   330 | indianatruckaccidentlawyers.com
     7 | indy-lawyers.com
     5 | institutionalinvestorlawyers.com
   352 | iowatruckaccidentlawyers.com
   340 | kansastruckaccidentlawyers.com
   300 | kentuckytruckaccidentlawyers.com
     9 | kentuckyyounglawyers.com
   337 | lakelanddivorcelawyers.com
    12 | lancasterautoaccidentlawyers.com
     1 | lawusa.com
     6 | lawyeringforlawyers.com
   311 | lawyersadviceinarizona.com
   350 | lawyersadviceinphoenix.com
     8 | lawyersandloans.com
    14 | lawyersbankruptcysolutions.com
     9 | lawyersbocaraton.com
    11 | lawyerscaringforamerica.com
     7 | lawyerscaringforarizona.com
     8 | lawyerscfo.com
   393 | lawyers-connecting.com
     7 | lawyersforeclosuresolutions.com
     8 | lawyers-germany.com
     8 | lawyersinbalance.com
    15 | lawyersinthecloud.com
     3 | lawyerslawfirms.com
     7 | lawyerslongisland.com
    14 | lawyersonlineguide.com
    13 | lawyerstaxsolutions.com
     1 | lawyersthatrock.com
     5 | lawyersvirtualbookkeeper.com
    10 | lawyerswithdepression.com
    11 | loan-modification-lawyers.com
   364 | long-island-lawyers.com
   356 | louisianatruckaccidentlawyers.com
    11 | mailfrauddefenselawyers.com
   376 | mainetruckaccidentlawyers.com
    10 | malpracticelawyersnewyorkcity.com
   329 | manhattan-injury-lawyers.com
   362 | manhattan-personal-injury-lawyers.com
   318 | marylandtruckaccidentlawyers.com
   807 | massachusettstruckaccidentlawyers.com
    10 | medicalmalpraticelawyers.com
   388 | mesotheliomalawyersonline.com
   402 | michigantruckaccidentlawyers.com
     8 | millbrooklawyers.com
   398 | minnesotatruckaccidentlawyers.com
   374 | mississippitruckaccidentlawyers.com
   361 | missouritruckaccidentlawyers.com
     8 | mitpatentlawyers.com
    11 | mittrademarklawyers.com
     7 | mmspersonalinjurylawyers.com
   374 | montanatruckaccidentlawyers.com
    12 | mylawyersolicitors.com
    14 | myreallawyers.com
     7 | naplesbusinesslawyers.com
   373 | nassau-county-lawyers.com
   329 | nebraskaboatinjurylawyers.com
   315 | nebraskatruckaccidentlawyers.com
     1 | nebraskatruckaccidentlawyers.com.com
   351 | nevadatruckaccidentlawyers.com
   384 | newhampshiretruckaccidentlawyers.com
   398 | newjerseytruckaccidentlawyers.com
   370 | newmexicotruckaccidentlawyers.com
   365 | new-york-city-lawyers.com
     9 | newyorkscaffoldlawyers.com
   393 | newyorktruckaccidentlawyers.com
   339 | njlandlordtenantlawyers.com
   351 | northcarolinatruckaccidentlawyers.com
   377 | northdakotatruckaccidentlawyers.com
   284 | nyautoaccidentlawyers.com
   312 | nycaraccidentlawyers.com
    14 | ohadoptionlawyers.com
   383 | ohiotruckaccidentlawyers.com
   344 | oklahomatruckaccidentlawyers.com
   404 | oregon-lawyers.com
   373 | oregontruckaccidentlawyers.com
    11 | palmbayinjurylawyers.com
     8 | panamacitysocialsecuritydisabilityclaimlawyers.com
   321 | phoenixlawyersadvice.com
     8 | pittsburgaccidentlawyers.com
    12 | poptodorova-lawyers.com
     1 | portstlucie-duilawyers.com
    11 | prescriptiondiversiondefenselawyers.com
    17 | probateadministrationlawyers.com
   314 | productsliabilitylawyers360.com
     9 | refineryfirelawyers.com
   356 | rhodeislandtruckaccidentlawyers.com
    13 | robberydefenselawyers.com
   361 | rockland-county-lawyers.com
   343 | saintpaulinjurylawyers.com
    11 | seattlesbestduilawyers.com
     9 | seattle-trial-lawyers.com
    11 | sfmesolawyers.com
   401 | southcarolinatruckaccidentlawyers.com
   396 | southdakotatruckaccidentlawyers.com
     6 | southfloridaworkerscompensationlawyers.com
   316 | southhamptoninjurylawyers.com
   368 | staten-island-lawyers.com
   358 | stentinjurylawyers.com
    14 | success4lawyers.com
   324 | suffolk-county-lawyers.com
     7 | tacomabankruptcylawyers.com
   386 | tennesseetruckaccidentlawyers.com
    13 | thebusinessgrowthlawyers.com
   362 | thechicago-deportationlawyers.com
   307 | the-consumer-lawyers.com
    12 | thelawyerscfo.com
    12 | themauilawyers.com
   333 | thenationstoplawyers.com
     8 | topmultimilliondollartriallawyers.com
   294 | trivalleylawyers.com
   325 | tuscaloosa-lawyers.com
   359 | utahtruckaccidentlawyers.com
   326 | vermonttruckaccidentlawyers.com
   338 | villanuevalawyers.com
     6 | virginia-non-compete-lawyers.com
     7 | virginianoncompetelawyers.com
   395 | virginiatruckaccidentlawyers.com
   361 | washingtontruckaccidentlawyers.com
   338 | westchester-county-lawyers.com
   379 | westvirginiatruckaccidentlawyers.com
     1 | westvirginiatruckaccidentlawyers.com.com
     1 | whsbf-law.com
   386 | wisconsintruckaccidentlawyers.com
    12 | wolfegrouplawyers.com
     8 | wrongfulldeathlawyers.com
   377 | wyomingtruckaccidentlawyers.com
   283 | yourvegaslawyers.com
(208 rows)

This group tends to use sender email addresses that are a single word followed by three digits, so we use that pattern to search the Spam Data Mine:

((account|answer|confirmation|customer|customercare|customersupport|customerservice|custservice|custsupport|details|dontreply|help|identdep|infonum|login|mail|no-reply|noreply|onlinesupport|operate|operator|reference|reply|security|support|supprefnum|time|update|verification)[0-9]{3})

From June 1, 2014 to August 18, 2014, more than 25,000 different combinations of the above were used as sender addresses in emails that reached the Malcovery Spam Data Mine.
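
Here is the sender-pattern search in working form, as an added example that is not the post's or Malcovery's own code. It rebuilds the regular expression from the word list above, anchored so the word plus three digits must cover the whole local part (so "myaccount123" and "account1234" are not hits), applies it to a constructed list of sender addresses (the addresses are invented for the example; the domains are taken from the list above), and counts the hits per sending domain the way the table above does. The function names match_sender and summarize are mine.

```python
import re

# The local-part words listed in the post; one of these followed by exactly
# three digits is the sender pattern we search for.
SENDER_WORDS = [
    "account", "answer", "confirmation", "customer", "customercare",
    "customersupport", "customerservice", "custservice", "custsupport",
    "details", "dontreply", "help", "identdep", "infonum", "login", "mail",
    "no-reply", "noreply", "onlinesupport", "operate", "operator",
    "reference", "reply", "security", "support", "supprefnum", "time",
    "update", "verification",
]

# Longest words first keeps the alternation deterministic; the ^ and $ anchors
# are what actually prevent partial matches such as "myaccount123".
_ALTERNATION = "|".join(
    re.escape(w) for w in sorted(SENDER_WORDS, key=len, reverse=True))
LOCAL_PART_RE = re.compile(
    r"^(?P<word>" + _ALTERNATION + r")(?P<digits>[0-9]{3})$", re.IGNORECASE)


def match_sender(address):
    """Return (word, digits, domain), all lower-cased, when the sender
    address fits the word+three-digit pattern; otherwise None."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    m = LOCAL_PART_RE.match(local)
    if not m:
        return None
    return (m.group("word").lower(), m.group("digits"), domain.lower())


def summarize(addresses):
    """Count matching senders per domain (like the post's per-domain table)
    and return the sorted list of distinct local parts seen."""
    per_domain = {}
    distinct = set()
    for addr in addresses:
        hit = match_sender(addr)
        if hit is None:
            continue
        word, digits, domain = hit
        per_domain[domain] = per_domain.get(domain, 0) + 1
        distinct.add(word + digits)
    return per_domain, sorted(distinct)


# Constructed sample: invented addresses on domains taken from the list above.
# None of these is a real captured message.
SAMPLE_SENDERS = [
    "support724@alabamatruckaccidentlawyers.com",
    "noreply101@alabamatruckaccidentlawyers.com",
    "Security998@wyomingtruckaccidentlawyers.com",
    "no-reply334@oregon-lawyers.com",
    "account1234@oregon-lawyers.com",   # four digits: not the pattern
    "myaccount123@oregon-lawyers.com",  # extra prefix: not the pattern
    "billing@example.com",              # unrelated sender
]

if __name__ == "__main__":
    counts, local_parts = summarize(SAMPLE_SENDERS)
    for domain, n in sorted(counts.items()):
        print(f"{n:6d} | {domain}")
    print(len(local_parts), "distinct local parts:", ", ".join(local_parts))
```

Run against a real mail feed, the domain counts are the interesting output: a brand-new domain that suddenly carries hundreds of word+digits senders in a day is the same signal the August table above shows.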

The .zip attachments seen during that period, when unpacked, yielded 39,571 distinct executables, all of which are variants of the "Kuluoz" or "DoFoil" malware.

Because many of the samples appear to be polymorphic, with each binary unique, I've only shared the hashes of the non-polymorphic versions, where the same binary was used many times. Where the final column is clickable, the link shows the VirusTotal detection rate at the time of our original reporting.

A recent trend in these file names is that the first character, which looks like the letter "C", is actually the Russian "S" (Cyrillic capital letter Es, U+0421), a Cyrillic look-alike for our "C", expressed in HTML with the entity &#1057; (ampersand, pound sign, 1057, semicolon). When the word "Court" is spelled with the Cyrillic letter instead, a search for the word "Court" will not find it! Here is the word Court twice, first with a "C" and then with the Cyrillic equivalent: Court Сourt

Count | Date | Filename | Filesize | MD5 (VT Link)
50 | 2014-03-07 | Copy_Court_Notice.exe | 178688 | 55a60b91143c5c91849237f8e6bc3235
31 | 2014-03-07 | Copy_Court_Notice.exe | 78447 | 6f8a65b02fea37530af50e65483300db
48 | 2014-03-10 | Copy_Court_Notice.exe | 81400 | 13b519634c4a03001122def3f471616a
31 | 2014-03-10 | Copy_Court_Notice.exe | 78446 | 1f9570e4b628f81578ae0fb03cddd137
33 | 2014-03-11 | Court_Notice_Copy.exe | 140800 | 202a8720eddc389b91fb4d398df95da0
29 | 2014-03-11 | Court_Notice_Copy.exe | 181248 | 49723312b73067e66b0f4db453231825
41 | 2014-03-11 | Court_Notice_Copy.exe | 144384 | 8cd13060037ddd790c41a4ea4b209a06
34 | 2014-03-12 | Court_Notice_Copy.exe | 78447 | bc08d0c5f5a5e4e6a199fce5e243e8aa
43 | 2014-03-20 | Court_Notice_Copy_doc.exe | 82856 | 0a2be62df1320b4f20d4777f7b69f1a4
34 | 2014-03-20 | Court_Notice_Copy_doc.exe | 81395 | 1c549f6bc1afcfd7f0af9b2e3ada1e9f
29 | 2014-03-20 | Court_Notice_Copy_doc.exe | 178688 | 786cb67c6f8409ce1933bb838e80d2a8
29 | 2014-03-20 | Court_Notice_Copy_doc.exe | 78198 | 861530485284fc46c37b41400810477a
49 | 2014-03-20 | Court_Notice_Copy_doc.exe | 78447 | 93b678cbcc583079cf7e0082910fc51f
50 | 2014-03-20 | Court_Notice_Copy_doc.exe | 183808 | 99fc4dbc2082ee2d111086affd2c623e
29 | 2014-03-21 | Court_Notice_Copy_doc.exe | 178688 | 040196c76bc37ede48262dddbb871df6
50 | 2014-03-21 | Court_Notice_Copy_doc.exe | 78967 | 305bcd56a92c0ecfbe0a498bb920ea89
49 | 2014-03-21 | Court_Notice_Copy_doc.exe | 181248 | 546608757bde754251975a5deefff67f
30 | 2014-03-21 | Court_Notice_Copy_doc.exe | 181248 | 6e3021203febb924372c87af1d239b26
27 | 2014-03-21 | Court_Notice_Copy_doc.exe | 78199 | d4f214e94467070e09fac5f762769f39
39 | 2014-03-22 | Court_Notice_Copy_doc.exe | 82265 | e7175f3ac0f29146967da11375528d4f
159 | 2014-03-26 | Court_Notice.exe | 181248 | 68c8cd0bde8b38780a2d2d7862f4e02d
27 | 2014-03-27 | Court_Notice.exe | 114176 | 8b1fa6be2aa31212fe15cee8c4e0cedb
3634 | 2014-03-28 | Court_Notice_Copy.exe | 177152 | 096402c1e21da0df9465511b600a135e
2244 | 2014-03-28 | Court_Notice_Copy.exe | 110080 | 27c7f219798ad65b158dd9c4b4658743
1685 | 2014-03-31 | Court_Notice_Copy.exe | 211968 | 36b3d44816b933c2a3c2000ed50d4685
3378 | 2014-03-31 | Court_Notice_Copy.exe | 103936 | d185a21bf355ad67b8e75e0ecb28acb8
6037 | 2014-04-01 | Court_Notice_Copy.exe | 148480 | 4adee84193b467d0ea2a2a64e4767586
446 | 2014-04-02 | Court_Notice_Copy.exe | 209920 | 3368e248a76a7b7d090d0ce7cb7335be
2183 | 2014-04-03 | Court_Notice_Copy_03-04-14_AP.exe | 143360 | 790cba7836b71b666592891f7bf75b32
2698 | 2014-04-03 | Court_Notice_Copy_03-04-14_AP.exe | 201216 | 7f268ff0850a623de27dbb835d13cd60
2248 | 2014-04-04 | Court_Notice_Copy_04-04-14_AP.exe | 133120 | 0ef2108030990e2f8914639b3c1d2098
2049 | 2014-04-04 | Court_Notice_Copy_04-04-14_AP.exe | 141312 | 24826d752ee438e78d689b5416170cd9
3657 | 2014-04-07 | Court_Notice_Copy_07-04-14_AP.exe | 110592 | 52e5589b6fe5be00a3959e0da2d08413
1841 | 2014-04-07 | Court_Notice_Copy_07-04-14_AP.exe | 146944 | a1e0804d0bbc17b895194d88a61c85e4
1338 | 2014-04-08 | Court_Notice_Copy_08-04-14_AP.exe | 110080 | 66b286f769753a9e51695205ae07ffb8
2165 | 2014-04-09 | Court_Notice_Copy_09-04-14_AP.exe | 139264 | 7e28325f5bc307646097a1481512f726
228 | 2014-04-09 | Court_Notice_Copy_09-04-14.exe | 216064 | bccc5c02d4341de68dc5195497e5a909
38 | 2014-05-07 | Court_Notice_Date_May-7_2014CV-D.exe | 181248 | e3cbfdd4dfa6561e22e19177a4f60e7a
75 | 2014-05-08 | Court_Notice_May-8_Date_2014FHK.exe | 181248 | 648401ae4f3b5f2f7f9198a2fc3fe072
106 | 2014-05-09 | Court_Notice_May-9_Date_2014FHK.exe | 150016 | 413d43f0e5431b58de0d37d4fc5dd333
79 | 2014-05-09 | Court_Notice_May-9_Date_2014FHK.exe | 78447 | b6029ee57a3f6b8ca73fb1699106d9cf
255 | 2014-05-12 | Court_Notice_May-12_Date_2014_FEN.exe | 178176 | 512c867583c1ba6cdf8857bdd8d84ff9
263 | 2014-05-12 | Court_Notice_May-12_Date_2014_FES.exe | 108544 | 5752260d7e2ac9e57083792a5f87e4ce
197 | 2014-05-13 | Court_Notice_May-13_Date_2014_A-DC.exe | 141312 | 530eed9bc14c386b10d38c77bef44a4d
167 | 2014-05-13 | Court_Notice_May-13_Date_2014_D-SER-N.exe | 144384 | b15932cb2a15f06de49773400c6e1f07
41 | 2014-05-14 | Court_Notice_May-14_Date_2014_EXL-DC.exe | 150016 | 41d7b395ca4dd5b3150b35be4fad3737
51 | 2014-05-14 | Court_Notice_May-14_Date_2014_.exe | 78200 | 71ab11b81995e8dd94b9c04813b95c04
54 | 2014-05-15 | Court_Notice_May-15_Date_2014_EN_DOC_.exe | 139264 | 723770d9cff199c400ea0d472736428e
182 | 2014-05-15 | Court_Notice_May-15_Date_2014_TN_DOC_.exe | 82857 | f5a4690f12f64bbf4944980060dc56ec
120 | 2014-05-16 | Court_Notice_May-16_Date_2014_ID-SER_DOC.exe | 78447 | 1bb1d62749258f4813c4cd1d1b62d92d
188 | 2014-05-16 | Court_Notice_May-15_Date_2014_SE-ANDC_.exe | 108032 | 5e9b56bc10e7c1a5fcb26615de7f5923
94 | 2014-05-19 | Court_Notice_May-19_Date_DOC-SER_2014.exe | 108032 | fbcb2407e676c095b53196c630f16d9e
69 | 2014-05-19 | Court_Notice_May-19_Date_DF-SER_2014.exe | 81396 | fc89720c573184b6b0c740025bd8f0be
192 | 2014-05-20 | Court_Notice_May-20_Date_IN-FN_2014.exe | 220672 | 110a0bc676dc2094ebaf8faad0423461
133 | 2014-05-20 | Court_Notice_May-20_Date_EN-RM_2014.exe | 177152 | 76bd89ff3141fef1345053881797392a
147 | 2014-05-21 | Court_Notice_May-21_Date_EN-RT_2014.exe | 78200 | 243d37f8fc6efac0a2e99d198af01d54
149 | 2014-05-21 | Court_Notice_May-21_Date_EN-RT_2014.exe | 78445 | 8a70b33c64c5b48c9691f0ddc7826bbe
119 | 2014-05-22 | Court_Notice_May-22_Date_DCSER-LS_2014.exe | 181248 | 08f2f21aae0c2917c19dbbe70842bf8e
111 | 2014-05-22 | Court_Notice_May-22_2014_EN-OP.exe | 181248 | 46a6f5a0a8c2f31477cb5812f094640d
107 | 2014-05-22 | Court_Notice_May-22_Date_DCSER-LS_2014.exe | 78447 | d2d84503d4f43e8abeab158a351df290
286 | 2014-05-23 | Court_Notice_May-23_Date_2014_SER-ERN-DC.exe | 209408 | 51e12bec75e8d5a0b2e434a45b7e1c67
599 | 2014-05-28 | Plaint_Note_May-28_Date_FN-SE-DC_2014.exe | 209920 | 797f8d6da6c1ca6a6f3f60c257d9f6c5
1090 | 2014-06-09 | DC_Court_Notice_June-09_Date_2014-SER.exe | 109568 | 7fb418b6c4ec42ca1ccc4c372293169e
1091 | 2014-06-10 | Court_Notice_June-10_Date_2014-ID.exe | 229888 | 01535c6f5594790e458e011dc4cd7a3d
746 | 2014-06-10 | DOC_Court_Notice_June-10_Date_2014-SER.exe | 109568 | 169e683b948ae1bce6a45350201b427d
727 | 2014-06-11 | SR_Court_Notice_June-11_Date_2014-ID_DC.exe | 109568 | f1542e83f0577f9d54370d9778074371
1009 | 2014-06-12 | Court_Notice_June-12_Date_2014-DC.exe | 105472 | 9395698fbfcaa1f5b297c01e4aa52e1c
445 | 2014-06-13 | SR_Court_Notice_June-13_Date_2014-DOC-NR.exe | 105472 | 0bc400ab22ab5fd82a3408477d7f20dd
809 | 2014-06-16 | Detailed_Document_FAX_June-16_Date_2014_DOID.exe | 111104 | 3c5a4968f70f0883971d312f7f97d4a4
1059 | 2014-06-17 | Detailed_Document_ID7723H_June-17_Date_2014_SRID.exe | 77824 | 55226242da24299345b45fb46751764a
700 | 2014-06-18 | Doc_Court_Agent_Date_June-18-2014Y.exe | 77312 | b0cae006c23ca33c36daecd32f50d9fc
1076 | 2014-06-19 | Copy_of_document_Date_June-19-2014.exe | 74752 | d6b9982d1b3abcb4530a7abd6a063944
27 | 2014-06-20 | Copy_of_document_Date_June-20-2014.exe | 74752 | 73f03523e4c14ca55a92dce91b958ba1
262 | 2014-06-23 | Copy_of_document_Date_June-23-2014.exe | 76800 | c5b6a4c546be34642141660e7a0dbb1e
169 | 2014-06-24 | Copy_of_document_Date_June-24-2014.exe | 76800 | 0829817d83d583f5a55075dc0017ef52
209 | 2014-06-25 | Copy_of_document_Date_June-25-2014.exe | 76800 | 8c920901eca575593f580531e44ea62f
311 | 2014-07-04 | Copy_of_document_Date_July-04-2014.exe | 80384 | 50daa5c135d5ad2da3b2c8a8dd4c3f50
496 | 2014-07-14 | Copy_of_document_July-14-2014.exe | 135168 | 559fd034d76e45aec67be49c2f93cfae
552 | 2014-07-15 | Copy_of_document_July-15-2014.exe | 135168 | 80aff3257ec4f6f7bd5e5259ea08815e
584 | 2014-07-16 | Copy_of_document_July-16-2014.exe | 135168 | cc19a778b730d310a1bea1518bdc7a6f
704 | 2014-07-17 | Copy_of_document_July-17-2014.exe | 135168 | b43e9210da3e06dc2b88ae028a13d8c5
526 | 2014-07-18 | Copy_of_document_July-18-2014.exe | 139264 | 1531f529f73d79f1cf4dd1d6a7426429
614 | 2014-07-22 | Copy_of_document_July-22-2014.exe | 135168 | 3c3944f52d194fd86d12ebccb2c7cf85
623 | 2014-07-23 | Copy_of_document_July-23-2014.exe | 135168 | 046f9dbedcf03749d0e7ae5cc120897d
600 | 2014-07-24 | Copy_of_document_July-24-2014.exe | 135168 | a1eb4a25be83c770f38203fcc64f9419
717 | 2014-07-25 | Copy_of_document_July-10-2014.exe | 135168 | 35850cfececd274ee5f182bd64c221ab
370 | 2014-07-28 | Copy_of_document_July-28-2014.exe | 135168 | 6edec50da5540820682387c71434d209
613 | 2014-07-29 | Copy_of_document_July-29-2014.exe | 106496 | 2f8a429f6e005cecc25f9bb86f4211dc
555 | 2014-07-30 | Copy_of_document_July-30-2014.exe | 110592 | 529e7348bca26b22d0b42a7fe6c63e8d
604 | 2014-07-31 | Copy_of_document_July-31-2014.exe | 106496 | b2c8662858ed7a8c052a080b03ca26b2
806 | 2014-08-01 | Copy_of_document_August-01-2014.exe | 102400 | 2ca1e3d6312c3f844de919caec77fc1f
711 | 2014-08-04 | Copy_of_document_August-04-2014.exe | 110592 | 6c83a7e471421899141e7e13a635abbd
973 | 2014-08-05 | Copy_of_document_August-05-2014.exe | 143360 | 1463aaa9b393a1591df049534e9f9ddd
734 | 2014-08-06 | Copy_of_document_August-06-2014.exe | 106496 | 49985d6ae2805c2301bd941c783991e4
447 | 2014-08-07 | Copy_of_document_August-07-2014.exe | 127488 | 659f348503f30952f19816e2afb1e595
447 | 2014-08-07 | Сopy_of_Document_ID4923.zip | 75375 | 802529cf5a1c85eb0389f9e0e0f309da
826 | 2014-08-08 | Copy_of_document_August-08-2014.exe | 106496 | 804f0d437f3c500c9d5a340d4f783b6b
4 | 2014-08-11 | Copy_of_document_August-11-2014.exe | 118272 | 2fc5cc07700d3eacd0d063f93aebfa14
768 | 2014-08-11 | Copy_of_document_August-11-2014.exe | 104448 | ebb9e152618e4b0a871aceb1966b8f85
4 | 2014-08-11 | Copy_of_document_August-11-2014.exe | 118272 | ffa9f70e72fb7eea06fea313ef979502
739 | 2014-08-12 | Copy_of_document_August-12-2014.exe | 103424 | c6a53a80b7425215d2f32332e2721a49
22 | 2014-08-13 | Copy_of_document_August-13-2014.exe | 113152 | 6bb5e1502b8cdfaa5ae78238cee7ab85
36 | 2014-08-14 | Copy_of_document_August-14-2014.exe | 94720 | 956f9551579314bbe74e55fbdbe4b869
14 | 2014-08-15 | Copy_of_document_August-15-2014.exe | 90624 | d38c3aa977745be341ae26e439d8e111
15 | 2014-08-18 | Copy_of_document_August-18-2014.exe | 92672 | 49aef017ad8880a7b4d24c8190acc068
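
To make the Cyrillic substitution described above visible and searchable, and to work with rows of the attachment table, here is an added example that is not the post's or Malcovery's code. It parses table rows (both the "count | date | filename | filesize | md5" layout and rows where filename and filesize run together, as in "Copy_Court_Notice.exe178688"), lists every non-ASCII character in a filename with its Unicode name so an analyst sees exactly what was swapped, and folds a small table of Cyrillic look-alikes to Latin before searching, so a search for "Copy" also finds "Сopy". Only Cyrillic Es is on the page; the other entries in the confusables table are assumed common look-alikes added for the example. The three sample rows are transcribed from the table above; the function names are mine.

```python
import re
import unicodedata

# Cyrillic characters that render like Latin letters. The post mentions only
# Cyrillic Es (U+0421, HTML &#1057;); the other entries are assumed common
# look-alikes added for this example.
CONFUSABLES = {
    "\u0421": "C", "\u0441": "c",   # Es / es
    "\u0410": "A", "\u0430": "a",   # A / a
    "\u0415": "E", "\u0435": "e",   # Ie / ie
    "\u041e": "O", "\u043e": "o",   # O / o
    "\u0420": "P", "\u0440": "p",   # Er / er
    "\u0425": "X", "\u0445": "x",   # Ha / ha
    "\u0422": "T", "\u041c": "M", "\u041d": "H",
    "\u0412": "B", "\u041a": "K",
}

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def homoglyphs_in(name):
    """List (index, char, Unicode name) for every non-ASCII character in a
    filename, so the substitution is explicit rather than invisible."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(name) if ord(ch) > 0x7f]


def fold_confusables(name):
    """Replace known Cyrillic look-alikes with their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def parse_row(line):
    """Parse one attachment-table row into a dict. Accepts the
    'count | date | filename | filesize | md5' layout and the flattened layout
    where filename and filesize run together ('...exe178688')."""
    fields = line.replace("|", " ").split()
    if len(fields) == 4:                      # filename and size are fused
        count, date, fused, md5 = fields
        m = re.match(r"^(.*\.(?:exe|zip))(\d+)$", fused)
        if not m:
            raise ValueError("cannot split filename/size: " + fused)
        filename, size = m.group(1), m.group(2)
    elif len(fields) == 5:
        count, date, filename, size, md5 = fields
    else:
        raise ValueError("unexpected column count: " + line)
    if not MD5_RE.match(md5):
        raise ValueError("bad MD5: " + md5)
    return {"count": int(count), "date": date, "filename": filename,
            "size": int(size), "md5": md5}


def search(rows, term, fold=True):
    """Return the MD5s of rows whose filename contains term. With fold=True
    the look-alike folding is applied first, so 'Copy' also matches 'Сopy'."""
    hits = []
    for r in rows:
        name = fold_confusables(r["filename"]) if fold else r["filename"]
        if term in name:
            hits.append(r["md5"])
    return hits


# Three rows transcribed from the table above. The second starts with
# Cyrillic Es, written as an escape so the substitution is explicit; it is
# given in the fused filename/size layout to exercise that branch.
SAMPLE_ROWS = [
    "447 | 2014-08-07 | Copy_of_document_August-07-2014.exe | 127488 | 659f348503f30952f19816e2afb1e595",
    "447 2014-08-07 \u0421opy_of_Document_ID4923.zip75375 802529cf5a1c85eb0389f9e0e0f309da",
    "50 | 2014-03-07 | Copy_Court_Notice.exe | 178688 | 55a60b91143c5c91849237f8e6bc3235",
]

if __name__ == "__main__":
    rows = [parse_row(line) for line in SAMPLE_ROWS]
    for r in rows:
        odd = homoglyphs_in(r["filename"])
        flag = " <-- " + ", ".join(n for _, _, n in odd) if odd else ""
        print(f'{r["count"]:5d} {r["date"]} {r["filename"]} '
              f'{r["size"]} {r["md5"]}{flag}')
    print("plain search for 'Copy':", len(search(rows, "Copy", fold=False)))
    print("folded search for 'Copy':", len(search(rows, "Copy")))
```

The plain search finds two of the three rows; the folded search finds all three. For a mail gateway or SIEM rule the same idea applies in reverse: any attachment name that contains a Cyrillic letter among otherwise Latin text is worth flagging on its own, regardless of which word it spells.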

Tuesday, July 29, 2014

SFR phish: the Gateway to all French banks

Back in April, we wrote about the French power company EDF being used as a universal phishing target in our article, Multi-Brand French Phisher uses EDF Group for ID Theft. Since that time we have seen that those targeting French-speaking victims are choosing yet another large utility to serve as a proxy for the whole French banking world. This time the phishing lures are for SFR.

This phish has been especially popular this year. Malcovery's PhishIQ service has seen more than 1,000 SFR phish on more than 330 hacked servers so far this year, including dozens just in the month of July 2014. More importantly though, the attackers are growing more sophisticated! The attack described below is one of the most sophisticated phish we've seen to date, employing "man-in-the-middle" logins where SFR credentials are tested before the victim is allowed to proceed, and nearly a dozen customized bank security procedure questions being processed.

In a typical example of these phish, the victim receives an email that appears to be from SFR informing them that an error was made in their bill, "Ce mail vous a été envoyé dans le but de vous informer qu une erreur est survenue lors de l établissement de la dernière facture" (This mail was sent to inform you that an error occurred while preparing your last bill), and telling them to "Cliquer ici pour ouvrir le formulaire de remboursement" (Click here to open the refund form). The victim is also warned that they need to fill out the form completely, or they won't get their refund (in some cases 95 Euros!):

Veuillez accepter nos excuses par cette erreur comptable. SFR : Service comptabilité de SFR Toute omission, mauvaise saisie, ou non réponse a ce mail entrainera automatiquement une amputation de la somme de quatre-vingt-quinze (95) euros sur votre compte, et aucune réclamation de sera acceptée.
(Please accept our apologies for this accounting error. SFR: SFR accounting department. Any omission, incorrect entry, or failure to reply to this mail will automatically result in the deduction of ninety-five (95) euros from your account, and no claim will be accepted.)

While there are several versions of the SFR phish, the most sophisticated that we have encountered so far can be seen on a British horse enthusiasts' website (obviously hacked). What makes this one particularly compelling is that it begins by requiring the victim to use their true SFR userid and password. On the opening screen, the user is told to "Connectez-vous" (log in) by entering his userid (Identifiant) and password (Mot de passe).

The action of this form on the phishing site actually passes the userid and password to SFR and confirms whether or not a genuine identifier has been used. If false information is provided, the phishing victim receives a message back informing him that

Vos coordonnées n'ont polo été reconnues. -- Your details have not been recognized.
Veuillez recommencer. -- Please try again.
Suite à 5 erreurs sur votre mot de passe, -- After 5 errors on your password
votre compte est bloqué. -- Your account will be blocked.

So, with a little incentive to not lie to the criminal, and a fairly strong reason to believe they are really speaking with SFR, the victim continues to page two after providing true login credentials.
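
One defensive angle on the credential check described above, as an added example that is not from the post and not SFR's code: if a phishing page relays each victim's userid and password to the real login endpoint, the real site sees one client address (the hacked web server) logging in as many different customers within minutes, something a household or office connection rarely does. The block below runs that check over a few constructed auth-log lines with a sliding time window. The log layout, the function names, the window and the threshold are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log lines: "timestamp client_ip user result". Nothing here
# is real SFR data; the layout is an assumption for the example. The
# 203.0.113.7 entries model a relaying phish page: several different
# customers, some wrong passwords, all from one server in a few minutes.
SAMPLE_AUTH_LOG = """\
2014-07-28T09:00:01 203.0.113.7 user.one FAIL
2014-07-28T09:00:04 203.0.113.7 user.one OK
2014-07-28T09:01:10 203.0.113.7 user.two OK
2014-07-28T09:02:30 203.0.113.7 user.three FAIL
2014-07-28T09:02:41 203.0.113.7 user.three FAIL
2014-07-28T09:03:05 203.0.113.7 user.four OK
2014-07-28T09:03:59 203.0.113.7 user.five OK
2014-07-28T09:05:00 198.51.100.20 user.six OK
2014-07-28T09:05:30 198.51.100.20 user.six OK
2014-07-28T09:20:00 203.0.113.7 user.seven OK
"""


def parse_auth_log(text):
    """Turn log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_relay_sources(events, window=timedelta(minutes=10), min_users=4):
    """Return {ip: (distinct_users, successful_users)} for client addresses
    that authenticate as at least min_users different accounts inside any
    window-long span. The tuple reports the largest span seen for that IP."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it covers at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_users:
                successes = {u for _, u, ok in span if ok}
                prev = flagged.get(ip)
                if prev is None or len(users) > prev[0]:
                    flagged[ip] = (len(users), len(successes))
    return flagged


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip, (n_users, n_ok) in find_relay_sources(events).items():
        print(f"{ip}: {n_users} distinct accounts, {n_ok} logged in successfully")
```

The successful-user count matters as much as the distinct-user count: those are the customers whose SFR credentials the phish has just confirmed, and who are about to be asked for their bank details on page two.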

On the second page, the victim is invited to choose their bank from a long list of French banks. Depending on which bank they choose, they will be prompted for appropriate additional verification details used by that bank. Banks on the list include:

  • AXA Banque
  • Banque AGF / Allianz
  • Banque de Savoie
  • Banque Dupuy de Parseval
  • Banque Marze
  • Banque Palatine
  • Banque Populaire
  • Banque Postale
  • Barclays
  • BforBank
  • Binck.fr
  • BNP
  • BNP Paribas La NET Agence
  • Boursorama Banque
  • BPE
  • Caisse d'Epargne
  • CIC
  • Coopabanque
  • Crédit Agricole
  • Crédit Cooperatif
  • Crédit du Nord
  • Crédit Mutuel
  • Crédit Mutuel de Bretagne
  • Crédit Mutuel Massif Central
  • Crédit Mutuel Sud-Ouest
  • e.LCL
  • Fortis Banque
  • Fortuneo Banque
  • Groupama Banque
  • HSBC
  • ING Direct
  • LCL
  • Monabanq
  • Societe Generale
  • Société Marseillaise de Crédit
  • Autre Banque
Here are some examples:

Some banks require the visitor to enter their 3DSecure code

AXA Banque has a custom code for their clients

Banque Postale has security questions, such as:
  • Quel est le prénom de l'aîné(e) de vos cousins et cousines ?
  • Quel était le prénom de votre meilleur(e) ami(e) d'enfance ?
  • Quel était votre dessin animé préféré ?
  • Quel a été votre lieu de vacances préféré durant votre enfance ?

Caisse d'Epargne also provides a personalized Client code.

Even the "Cyberplus" electronic password generators used by Banque Populaire are included in this phish!

Some banks also require information about the victim's birthplace.

After successfully acquiring both the victim's SFR.com userid and password and the information needed to take over their bank account, the criminal sends the victim on their way, after congratulating them on their success!
(The update was successful. SFR thanks you for using its Bank Assurance services. You can continue browsing the site with full security.)

After seeing this message briefly, the visitor is forwarded to the true www.SFR.fr website.