358 Lotus blogs updated hourly. Who will post next? Home | Downloads | Events | Pods | Blogs | Search | myPL | About 
 
Latest 7 Posts
IBM and Apple focus on the Enterprise
Wed, Jul 16th 2014 170
CryptorBit Virus
Mon, May 5th 2014 131
Time-lapse of Product Showcase Taken from my GoPro Camera
Tue, Feb 4th 2014 134
Refrigerators Now Send Spam as Well as Keeping it Cold
Mon, Jan 20th 2014 130
Increase in Virus Activity
Thu, Jan 9th 2014 139
Virus Names translated from Chinese
Tue, Jan 7th 2014 121
Notice to Appear in Court
Thu, Jan 2nd 2014 261
Top 10
A spear-phishing attack detailed: Moving from "selling" to "stealing".
Fri, Jul 26th 2013 1571
Notice to Appear in Court
Thu, Jan 2nd 2014 261
IBM and Apple focus on the Enterprise
Wed, Jul 16th 2014 170
Increase in Virus Activity
Thu, Jan 9th 2014 139
Time-lapse of Product Showcase Taken from my GoPro Camera
Tue, Feb 4th 2014 134
CryptorBit Virus
Mon, May 5th 2014 131
Refrigerators Now Send Spam as Well as Keeping it Cold
Mon, Jan 20th 2014 130
CryptoLocker
Fri, Oct 25th 2013 129
Popular Virus Subjects this Week
Fri, Nov 15th 2013 128
Blocking EXE attachments is working great!
Fri, Dec 13th 2013 128


Notice to Appear in Court
Frank Paolino    

Yes, the title of the blog appears scary and that is what the senders of the email want, to scare you into opening the message and reading the body, then launching the phony "notice".


Here is a sample of a phony notice that appears to come from JonesDay.

A picture named M2





Here are the Law firms that were spoofed in these virus outbreaks, and a sampling of the from addresses that were used. To be perfectly clear, these messages are spoofing the law firms, trying to get the recipient to open them, and have no relationship to the actual law firms. The virus senders rotate through a list of reputable law firms in the hope of getting past the virus filters and tempting their target into opening the message.


Spoofed Law firm name: Baker Botts
"Notice to Appear" <manager@bakerbotts.com>
"Notice to Appear" <appear_support.5@bakerbotts.com>
"Notice to Appear" <service.753@bakerbotts.com>
"Notice to Appear" <ticket469@bakerbotts.com>
"Notice to Appear" <no_reply@bakerbotts.com>
"Notice to Appear" <appear_support.7@bakerbotts.com>
"Notice to Appear" <information@bakerbotts.com>
"Notice to Appear" <appear_528@bakerbotts.com>
"Notice to Appear" <manager@bakerbotts.com>


Spoofed Law firm name:
Covington and Burling
"Court Notice WA" <support405@cov.com>
"Court Notice WA" <your_notice@cov.com>
"Court Notice WA" <notice_support.7@cov.com>
"Court Notice WA" <support382@cov.com>
"Court Notice WA" <aa.support369@cov.com>
"Court Notice WA" <information@cov.com>
"Court Notice WA" <service.734@cov.com>
"Court Notice WA" <information@cov.com>
"Court Notice WA" <manager@cov.com>
"Court Notice WA" <your_notice@cov.com>


Spoofed Law firm name:
Jones Day
"Notice to Appear" <ticket_support.7@jonesday.com>

"Notice to Appear" <personal.information@jonesday.com>
"Notice to Appear" <service.615@jonesday.com>
"Notice to Appear" <service.723@jonesday.com>
"Notice to Appear" <ticket_248@jonesday.com>
"Notice to Appear" <help420@jonesday.com>
"Notice to Appear" <ticket_service@jonesday.com>
"Notice to Appear" <your_ticket@jonesday.com>
"Notice to Appear" <service.301@jonesday.com>
"Notice to Appear" <ticket_609@jonesday.com>
"Notice to Appear" <ticket_support.2@jonesday.com>
"Notice to Appear" <ticket_support.2@jonesday.com>
"Notice to Appear" <support.8@jonesday.com>
"Notice to Appear" <ticket020@jonesday.com>
"Notice to Appear" <order.723@jonesday.com>
"Notice to Appear" <ticket_162@jonesday.com>

Spoofed Law firm name: Latham and Watkins
"Notice to Appear" <ticket_support.3@lw.com>

"Notice to Appear" <support838@lw.com>
"Notice to Appear" <service.252@lw.com>
"Notice to Appear" <ticket340@lw.com>
"Notice to Appear" <help432@lw.com>
"Notice to Appear" <ticket_support.4@lw.com>
"Notice to Appear" <ticket_support.7@lw.com>
"Notice to Appear" <service@lw.com>
"Notice to Appear" <service_ticket@lw.com>
"Notice to Appear" <support.5@lw.com>
"Notice to Appear" <service_ticket@lw.com>
"Notice to Appear" <information@lw.com>
"Notice to Appear" <no_reply@lw.com>
"Notice to Appear" <support.9@lw.com>
"Notice to Appear" <ticket_support.5@lw.com>

Spoofed Law firm name: McDermott Will & Emery
"Notice to Appear" <manager@mwe.com>

"Notice to Appear" <ticket_support.5@mwe.com>
"Notice to Appear" <ticket_service@mwe.com>
"Notice to Appear" <ticket_support.6@mwe.com>
"Notice to Appear" <support.6@mwe.com>
"Notice to Appear" <service@mwe.com>
"Notice to Appear" <support.2@mwe.com>
"Notice to Appear" <ticket_support.2@mwe.com>
"Notice to Appear" <support.6@mwe.com>


Spoofed Law firm name: Orrick
"Court Notice Orrick" <support.4@orrick.com>
"Court Notice Orrick" <your_notice@orrick.com>
"Court Notice Orrick" <service_notice@orrick.com>
"Court Notice Orrick" <service.959@orrick.com>
"Court Notice Orrick" <support.6@orrick.com>
"Court Notice Orrick" <support.7@orrick.com>
"Court Notice Orrick" <your_notice@orrick.com>
"Court Notice Orrick" <support.3@orrick.com>
"Court Notice Orrick" <support.3@orrick.com>
"Court Notice Orrick" <support.4@orrick.com>
"Court Notice Orrick" <notice_service@orrick.com>
"Court Notice Orrick" <order.510@orrick.com>
"Court Notice Orrick" <notice_support.5@orrick.com>
"Court Notice Orrick" <information@orrick.com>
"Court Notice Orrick" <notice706@orrick.com>
"Court Notice Orrick" <support.8@orrick.com>



Opening the messages. Don't try this at home (or the office)!


I took one message and loaded my Virus Testing Workstation, which is a virtual machine that I can infect then delete the machine.



A picture named M3


Here is one of the viruses that was caught as a ZIP file.

A picture named M4


Here is the attachment, which is disguised as a Word document, but is actually an executable file:

A picture named M5


As there was no response when I clicked the attachment, I clicked it again, so I infected the machine twice. Notice in the task manager, they use the file name to avoid suspicion and preventing some people from closing it.

A picture named M6


When I did close it, I got this error.


A picture named M7



I didn't try to dig into the mechanism of infection, or wait 24-48 hours and see what damage they did to my virtual machine, but that will be a subject for another post.








---------------------
http://blog.maysoft.org/blog.nsf/d6plinks/FPAO-9EXSX8
Jan 02, 2014
262 hits



Recent Blog Posts
170


IBM and Apple focus on the Enterprise
Wed, Jul 16th 2014 10:25a   Frank Paolino
Apple is working with IBM to push into the enterprise space. Apple really has mainly focused on the consumer market, but products like IBM Traveler have made BYOD a reality. Now, with IBM, Apple is going to focus on large enterprises. Tim Cook gets a corporate partner with a great enterprise player to promote Apple as enterprise ready. Ginny Rometti mentioned security, which is an overwhelming concern with BYOD. If Apple and IBM make new offerings that satisy I [read] Keywords: ibm traveler apple application blackberry enterprise security
131


CryptorBit Virus
Mon, May 5th 2014 1:25p   Frank Paolino
There is a new and improved version of CryptoLocker. Version 1.0 made the makers of this ransomware a lot of money, and this version 2.0 is, I predict, just one of many new "feature enhanced" releases. Judging by the Bitcoin activity, there are a lot of "willing" victims out there paying to get their files back. BleepingComputer is doing a great job documenting this, so I will point you there for good advice and a possible free fix made by Nathan Scott called the DecrypterFixe [read] Keywords: virus
134


Time-lapse of Product Showcase Taken from my GoPro Camera
Tue, Feb 4th 2014 9:22a   Frank Paolino
I wanted to have a little fun at #IBMConnect so I put a GoPro camera over our booth on the Product Showcase and snapped pictures of all of our visitors over 4 days. The Product Showcase was certainly "energized", so I choose suitable music in the "William Tell Overture". [read] Keywords:
130


Refrigerators Now Send Spam as Well as Keeping it Cold
Mon, Jan 20th 2014 2:02p   Frank Paolino
Refrigerators now do more than keep spam, that tasty treat, cold, they also send spam, the electronic email version. That is the story of a compromised refrigerator that sends cold "spam" to unsuspecting users via it's internet connection. Viruses makers will try to add anything to their botnets, and the latest attack on "refrigerators" does not surprise me at all. The target of this attack was a refrigerator model running a flavor of Linux that had not been hardened or pr [read] Keywords: email linux virus
139


Increase in Virus Activity
Thu, Jan 9th 2014 2:02p   Frank Paolino
The increase in recent Virus activity has been noticeable, and the sophisticated techniques the virus makers use to evade detection make the job of stopping them that much more challenging. Many times, a new message appears and I ask "Is this some new attempt to get me to infect my machine"? Many of my customers ask me the same question, so I put a live stream of recently caught viruses subjects and attachment names on our website. (Obviously, I did not put the viruses, just their names [read] Keywords: virus
121


Virus Names translated from Chinese
Tue, Jan 7th 2014 2:22p   Frank Paolino
[read] Keywords: virus




262


Notice to Appear in Court
Thu, Jan 2nd 2014 1:42p   Frank Paolino
Yes, the title of the blog appears scary and that is what the senders of the email want, to scare you into opening the message and reading the body, then launching the phony "notice". Here is a sample of a phony notice that appears to come from JonesDay. Here are the Law firms that were spoofed in these virus outbreaks, and a sampling of the from addresses that were used. To be perfectly clear, these messages are spoofing the law firms, trying to get the rec [read] Keywords: email office virus
128


Blocking EXE attachments is working great!
Fri, Dec 13th 2013 1:42p   Frank Paolino
We have advised customers of SpamSentinel for the last month to block EXE attachments, even (especially!) inside zip files. I have been monitoring the results on one of our servers, and they are spectacular in catching new virus outbreaks before their "signatures" are recorded. These are "zero hour" zero hour viruses, fresh off the computers of the virus makers. Here is a screenshot showing the recent patterns, piggybacking on popular email types, like airline ticket confirma [read] Keywords: email virus
128


Popular Virus Subjects this Week
Fri, Nov 15th 2013 2:02p   Frank Paolino
There was a lot of virus activity this week. Here is a snapshot of 13,773 caught viruses caught on a single day. The subjects give clues to the latest approaches the virus senders are using in the hope that they can fool the recipient into opening the attachment, which releases the virus. I sorted the subjects and replaced the sender's attempt at making the message look unique with a Fed Express number, a case number or even a phone number with a sequential number, like 123-45 [read] Keywords: office virus
129


CryptoLocker
Fri, Oct 25th 2013 2:22p   Frank Paolino
CryptoLocker is such an evil virus that I wanted to create this resource of useful information and links. Cryptolocker is an extremely dangerous and virulent ransomware trojan. The virus encrypts local and network share drives and then demands either $100 or $300 ransom and gives the user 72 hours to pay. If you see this on your screen, it is already too late. Your files are encrypted and unrecoverable. Your only hope is a good backup. If you read the text, they are [read] Keywords: policies applications email microsoft network security server virus wiki




Created and Maintained by Yancy Lent - About - Blog Submission - Suggestions - Change Log - Blog Widget - Advertising - Mobile Edition