Notice to Appear in Court
Frank Paolino

Yes, the title of this post looks scary, and that is exactly what the senders of these emails want: to scare you into opening the message, reading the body, and then launching the phony "notice".


Here is a sample of a phony notice that appears to come from Jones Day.

[Image M2: sample of the phony notice appearing to come from Jones Day]





Here are the law firms that were spoofed in these virus outbreaks, along with a sampling of the From addresses that were used. To be perfectly clear, these messages spoof the law firms to get the recipient to open them and have no relationship to the actual firms. The virus senders rotate through a list of reputable law firms in the hope of getting past the virus filters and tempting their targets into opening the message.


Spoofed Law firm name: Baker Botts
"Notice to Appear" <manager@bakerbotts.com>
"Notice to Appear" <appear_support.5@bakerbotts.com>
"Notice to Appear" <service.753@bakerbotts.com>
"Notice to Appear" <ticket469@bakerbotts.com>
"Notice to Appear" <no_reply@bakerbotts.com>
"Notice to Appear" <appear_support.7@bakerbotts.com>
"Notice to Appear" <information@bakerbotts.com>
"Notice to Appear" <appear_528@bakerbotts.com>
"Notice to Appear" <manager@bakerbotts.com>


Spoofed Law firm name: Covington and Burling
"Court Notice WA" <support405@cov.com>
"Court Notice WA" <your_notice@cov.com>
"Court Notice WA" <notice_support.7@cov.com>
"Court Notice WA" <support382@cov.com>
"Court Notice WA" <aa.support369@cov.com>
"Court Notice WA" <information@cov.com>
"Court Notice WA" <service.734@cov.com>
"Court Notice WA" <information@cov.com>
"Court Notice WA" <manager@cov.com>
"Court Notice WA" <your_notice@cov.com>


Spoofed Law firm name: Jones Day
"Notice to Appear" <ticket_support.7@jonesday.com>
"Notice to Appear" <personal.information@jonesday.com>
"Notice to Appear" <service.615@jonesday.com>
"Notice to Appear" <service.723@jonesday.com>
"Notice to Appear" <ticket_248@jonesday.com>
"Notice to Appear" <help420@jonesday.com>
"Notice to Appear" <ticket_service@jonesday.com>
"Notice to Appear" <your_ticket@jonesday.com>
"Notice to Appear" <service.301@jonesday.com>
"Notice to Appear" <ticket_609@jonesday.com>
"Notice to Appear" <ticket_support.2@jonesday.com>
"Notice to Appear" <ticket_support.2@jonesday.com>
"Notice to Appear" <support.8@jonesday.com>
"Notice to Appear" <ticket020@jonesday.com>
"Notice to Appear" <order.723@jonesday.com>
"Notice to Appear" <ticket_162@jonesday.com>

Spoofed Law firm name: Latham and Watkins
"Notice to Appear" <ticket_support.3@lw.com>
"Notice to Appear" <support838@lw.com>
"Notice to Appear" <service.252@lw.com>
"Notice to Appear" <ticket340@lw.com>
"Notice to Appear" <help432@lw.com>
"Notice to Appear" <ticket_support.4@lw.com>
"Notice to Appear" <ticket_support.7@lw.com>
"Notice to Appear" <service@lw.com>
"Notice to Appear" <service_ticket@lw.com>
"Notice to Appear" <support.5@lw.com>
"Notice to Appear" <service_ticket@lw.com>
"Notice to Appear" <information@lw.com>
"Notice to Appear" <no_reply@lw.com>
"Notice to Appear" <support.9@lw.com>
"Notice to Appear" <ticket_support.5@lw.com>

Spoofed Law firm name: McDermott Will & Emery
"Notice to Appear" <manager@mwe.com>
"Notice to Appear" <ticket_support.5@mwe.com>
"Notice to Appear" <ticket_service@mwe.com>
"Notice to Appear" <ticket_support.6@mwe.com>
"Notice to Appear" <support.6@mwe.com>
"Notice to Appear" <service@mwe.com>
"Notice to Appear" <support.2@mwe.com>
"Notice to Appear" <ticket_support.2@mwe.com>
"Notice to Appear" <support.6@mwe.com>


Spoofed Law firm name: Orrick
"Court Notice Orrick" <support.4@orrick.com>
"Court Notice Orrick" <your_notice@orrick.com>
"Court Notice Orrick" <service_notice@orrick.com>
"Court Notice Orrick" <service.959@orrick.com>
"Court Notice Orrick" <support.6@orrick.com>
"Court Notice Orrick" <support.7@orrick.com>
"Court Notice Orrick" <your_notice@orrick.com>
"Court Notice Orrick" <support.3@orrick.com>
"Court Notice Orrick" <support.3@orrick.com>
"Court Notice Orrick" <support.4@orrick.com>
"Court Notice Orrick" <notice_service@orrick.com>
"Court Notice Orrick" <order.510@orrick.com>
"Court Notice Orrick" <notice_support.5@orrick.com>
"Court Notice Orrick" <information@orrick.com>
"Court Notice Orrick" <notice706@orrick.com>
"Court Notice Orrick" <support.8@orrick.com>
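The lists above show the pattern a mail administrator can key on: one lure-style display name ("Notice to Appear", "Court Notice ...") sitting in front of a constantly changing local part under a single spoofed domain. As an added example that is not code from the original post, here is a small Python check that parses From headers with the standard library, groups them by display name and domain, and flags any lure-named group that cycles through several distinct local parts. The sample headers are a constructed subset of the lines listed above plus a constructed benign sender; the display-name pattern and the threshold of three variants are assumptions to tune to your own traffic.

```python
"""Flag sender rotation in From headers, the pattern the spoofed law-firm lists show.

Added example, not code from the original post. The sample headers below are a
constructed subset of the lines listed above plus a constructed benign sender.
"""
import re
from collections import defaultdict
from email.utils import parseaddr

# Constructed sample input: a few of the spoofed senders plus a benign one.
SAMPLE_FROM_HEADERS = [
    '"Notice to Appear" <manager@bakerbotts.com>',
    '"Notice to Appear" <appear_support.5@bakerbotts.com>',
    '"Notice to Appear" <service.753@bakerbotts.com>',
    '"Notice to Appear" <ticket469@bakerbotts.com>',
    '"Court Notice WA" <support405@cov.com>',
    '"Court Notice WA" <your_notice@cov.com>',
    '"Court Notice WA" <notice_support.7@cov.com>',
    '"Jane Doe" <jane.doe@example.com>',   # constructed benign sender
    '"Jane Doe" <jane.doe@example.com>',
]

# Display names used by these lures (assumption: tune to the campaigns you see).
LURE_DISPLAY_NAMES = re.compile(r"notice to appear|court notice", re.IGNORECASE)


def local_part_shape(local):
    """Collapse digit runs so ticket469 and ticket020 share the shape 'ticket#'."""
    return re.sub(r"\d+", "#", local.lower())


def parse_from(header):
    """Return (display_name, local_part, domain), or None for a malformed header."""
    name, addr = parseaddr(header)
    if "@" not in addr:
        return None
    local, domain = addr.rsplit("@", 1)
    return name, local, domain.lower()


def find_rotating_senders(headers, min_variants=3):
    """Group headers by (display name, domain) and flag lure-named groups that
    cycle through at least min_variants distinct local parts."""
    locals_seen = defaultdict(set)
    for header in headers:
        parsed = parse_from(header)
        if parsed is None:
            continue
        name, local, domain = parsed
        locals_seen[(name, domain)].add(local)

    flagged = {}
    for (name, domain), locals_ in locals_seen.items():
        if LURE_DISPLAY_NAMES.search(name) and len(locals_) >= min_variants:
            flagged[domain] = {
                "display_name": name,
                "variants": len(locals_),
                "shapes": sorted({local_part_shape(l) for l in locals_}),
            }
    return flagged


if __name__ == "__main__":
    for domain, info in find_rotating_senders(SAMPLE_FROM_HEADERS).items():
        print(domain, info)
```

On the sample input this flags bakerbotts.com (four local parts) and cov.com (three) and leaves the benign sender alone. A header heuristic like this is a triage aid, not a substitute for SPF, DKIM and DMARC checks at the gateway, which are what actually establish whether mail claiming one of these domains was authorized to use it.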



Opening the messages. Don't try this at home (or the office)!


I took one message and loaded it onto my Virus Testing Workstation, which is a virtual machine that I can infect and then delete.



[Image M3: the Virus Testing Workstation virtual machine]


Here is one of the viruses that was caught as a ZIP file.

[Image M4: one of the viruses caught as a ZIP file]


Here is the attachment, which is disguised as a Word document but is actually an executable file:

[Image M5: the attachment, an executable disguised as a Word document]
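The disguise works because Windows Explorer hides known file extensions by default, so a member named like "Something.doc.exe" is shown as "Something.doc" and the icon is whatever the executable chooses. A gateway does not have to trust the name: it can look at the first bytes of each member inside the ZIP. As an added example that is not code from the original post, the Python below opens a ZIP attachment in memory and reports members whose name ends in an executable extension, whose name stacks a document extension in front of an executable one, or whose content starts with the "MZ" header of a Windows executable despite a harmless-looking name. The ZIP and its member names are constructed for the example; the post does not give the real attachment name, and the "MZ" payloads are a header followed by zeros, not programs.

```python
"""Check a ZIP attachment for executables hiding behind document-looking names.

Added example, not code from the original post. The ZIP and its member names are
constructed here; the post does not give the real attachment name.
"""
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable (DOS header)


def extensions_of(member_name):
    """All extensions of the base name, lowercased: 'a.doc.exe' -> ['.doc', '.exe']."""
    base = member_name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def suspicious_members(zip_bytes):
    """Return [(member_name, [reasons])] for members that look like disguised executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = extensions_of(info.filename)
            with zf.open(info) as member:
                head = member.read(2)  # only the magic is needed, not the whole file
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension")
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
                reasons.append("document extension in front of executable extension")
            if head == PE_MAGIC and (not exts or exts[-1] not in EXECUTABLE_EXTS):
                reasons.append("PE header under a non-executable name")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed test input: two disguised members and one harmless text file.
    The 'MZ' payloads are a header followed by zeros, not runnable programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Notice_to_Appear.doc.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("Court_Notice.doc", PE_MAGIC + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample_zip()):
        print(f"{name}: {', '.join(reasons)}")
```

The content check is the one that matters most: a filter that only blocks ".exe" names is blind to the second constructed member, which carries an executable header under a plain ".doc" name. A real deployment would also cap how much of each member it decompresses, so that an oversized or nested archive cannot exhaust the scanner.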


As there was no response when I clicked the attachment, I clicked it again, so I infected the machine twice. Notice in the Task Manager that they use the file name to avoid suspicion and to prevent some people from closing it.

[Image M6: Task Manager showing the running process under the attachment's file name]


When I did close it, I got this error.


[Image M7: the error shown when the process was closed]



I didn't try to dig into the mechanism of infection, or wait 24-48 hours and see what damage they did to my virtual machine, but that will be a subject for another post.








---------------------
http://blog.maysoft.org/blog.nsf/d6plinks/FPAO-9EXSX8
Jan 02, 2014