361 Lotus blogs updated hourly. Who will post next? Home | Downloads | Events | Pods | Blogs | Search | myPL | About 
 
Latest 7 Posts
Poodle + Domino SSL = Mail Problems
Wed, Oct 22nd 2014 267
IBM and Apple focus on the Enterprise
Wed, Jul 16th 2014 48
CryptorBit Virus
Mon, May 5th 2014 53
Time-lapse of Product Showcase Taken from my GoPro Camera
Tue, Feb 4th 2014 41
Refrigerators Now Send Spam as Well as Keeping it Cold
Mon, Jan 20th 2014 42
Increase in Virus Activity
Thu, Jan 9th 2014 38
Virus Names translated from Chinese
Tue, Jan 7th 2014 42
Top 10
A spear-phishing attack detailed: Moving from "selling" to "stealing".
Fri, Jul 26th 2013 568
Poodle + Domino SSL = Mail Problems
Wed, Oct 22nd 2014 267
Notice to Appear in Court
Thu, Jan 2nd 2014 72
CryptoLocker
Fri, Oct 25th 2013 57
CryptorBit Virus
Mon, May 5th 2014 53
IBM and Apple focus on the Enterprise
Wed, Jul 16th 2014 48
Virus Names translated from Chinese
Tue, Jan 7th 2014 42
Refrigerators Now Send Spam as Well as Keeping it Cold
Mon, Jan 20th 2014 42
Time-lapse of Product Showcase Taken from my GoPro Camera
Tue, Feb 4th 2014 41
Increase in Virus Activity
Thu, Jan 9th 2014 38


Notice to Appear in Court
Frank Paolino    

Yes, the title of the blog appears scary and that is what the senders of the email want, to scare you into opening the message and reading the body, then launching the phony "notice".


Here is a sample of a phony notice that appears to come from JonesDay.

A picture named M2





Here are the Law firms that were spoofed in these virus outbreaks, and a sampling of the from addresses that were used. To be perfectly clear, these messages are spoofing the law firms, trying to get the recipient to open them, and have no relationship to the actual law firms. The virus senders rotate through a list of reputable law firms in the hope of getting past the virus filters and tempting their target into opening the message.


Spoofed Law firm name: Baker Botts
"Notice to Appear" <manager@bakerbotts.com>
"Notice to Appear" <appear_support.5@bakerbotts.com>
"Notice to Appear" <service.753@bakerbotts.com>
"Notice to Appear" <ticket469@bakerbotts.com>
"Notice to Appear" <no_reply@bakerbotts.com>
"Notice to Appear" <appear_support.7@bakerbotts.com>
"Notice to Appear" <information@bakerbotts.com>
"Notice to Appear" <appear_528@bakerbotts.com>
"Notice to Appear" <manager@bakerbotts.com>


Spoofed Law firm name:
Covington and Burling
"Court Notice WA" <support405@cov.com>
"Court Notice WA" <your_notice@cov.com>
"Court Notice WA" <notice_support.7@cov.com>
"Court Notice WA" <support382@cov.com>
"Court Notice WA" <aa.support369@cov.com>
"Court Notice WA" <information@cov.com>
"Court Notice WA" <service.734@cov.com>
"Court Notice WA" <information@cov.com>
"Court Notice WA" <manager@cov.com>
"Court Notice WA" <your_notice@cov.com>


Spoofed Law firm name:
Jones Day
"Notice to Appear" <ticket_support.7@jonesday.com>

"Notice to Appear" <personal.information@jonesday.com>
"Notice to Appear" <service.615@jonesday.com>
"Notice to Appear" <service.723@jonesday.com>
"Notice to Appear" <ticket_248@jonesday.com>
"Notice to Appear" <help420@jonesday.com>
"Notice to Appear" <ticket_service@jonesday.com>
"Notice to Appear" <your_ticket@jonesday.com>
"Notice to Appear" <service.301@jonesday.com>
"Notice to Appear" <ticket_609@jonesday.com>
"Notice to Appear" <ticket_support.2@jonesday.com>
"Notice to Appear" <ticket_support.2@jonesday.com>
"Notice to Appear" <support.8@jonesday.com>
"Notice to Appear" <ticket020@jonesday.com>
"Notice to Appear" <order.723@jonesday.com>
"Notice to Appear" <ticket_162@jonesday.com>

Spoofed Law firm name: Latham and Watkins
"Notice to Appear" <ticket_support.3@lw.com>

"Notice to Appear" <support838@lw.com>
"Notice to Appear" <service.252@lw.com>
"Notice to Appear" <ticket340@lw.com>
"Notice to Appear" <help432@lw.com>
"Notice to Appear" <ticket_support.4@lw.com>
"Notice to Appear" <ticket_support.7@lw.com>
"Notice to Appear" <service@lw.com>
"Notice to Appear" <service_ticket@lw.com>
"Notice to Appear" <support.5@lw.com>
"Notice to Appear" <service_ticket@lw.com>
"Notice to Appear" <information@lw.com>
"Notice to Appear" <no_reply@lw.com>
"Notice to Appear" <support.9@lw.com>
"Notice to Appear" <ticket_support.5@lw.com>

Spoofed Law firm name: McDermott Will & Emery
"Notice to Appear" <manager@mwe.com>

"Notice to Appear" <ticket_support.5@mwe.com>
"Notice to Appear" <ticket_service@mwe.com>
"Notice to Appear" <ticket_support.6@mwe.com>
"Notice to Appear" <support.6@mwe.com>
"Notice to Appear" <service@mwe.com>
"Notice to Appear" <support.2@mwe.com>
"Notice to Appear" <ticket_support.2@mwe.com>
"Notice to Appear" <support.6@mwe.com>


Spoofed Law firm name: Orrick
"Court Notice Orrick" <support.4@orrick.com>
"Court Notice Orrick" <your_notice@orrick.com>
"Court Notice Orrick" <service_notice@orrick.com>
"Court Notice Orrick" <service.959@orrick.com>
"Court Notice Orrick" <support.6@orrick.com>
"Court Notice Orrick" <support.7@orrick.com>
"Court Notice Orrick" <your_notice@orrick.com>
"Court Notice Orrick" <support.3@orrick.com>
"Court Notice Orrick" <support.3@orrick.com>
"Court Notice Orrick" <support.4@orrick.com>
"Court Notice Orrick" <notice_service@orrick.com>
"Court Notice Orrick" <order.510@orrick.com>
"Court Notice Orrick" <notice_support.5@orrick.com>
"Court Notice Orrick" <information@orrick.com>
"Court Notice Orrick" <notice706@orrick.com>
"Court Notice Orrick" <support.8@orrick.com>



Opening the messages. Don't try this at home (or the office)!


I took one message and loaded my Virus Testing Workstation, which is a virtual machine that I can infect then delete the machine.



A picture named M3


Here is one of the viruses that was caught as a ZIP file.

A picture named M4


Here is the attachment, which is disguised as a Word document, but is actually an executable file:

A picture named M5


As there was no response when I clicked the attachment, I clicked it again, so I infected the machine twice. Notice in the task manager, they use the file name to avoid suspicion and preventing some people from closing it.

A picture named M6


When I did close it, I got this error.


A picture named M7



I didn't try to dig into the mechanism of infection, or wait 24-48 hours and see what damage they did to my virtual machine, but that will be a subject for another post.








---------------------
http://blog.maysoft.org/blog.nsf/d6plinks/FPAO-9EXSX8
Jan 02, 2014
73 hits



Recent Blog Posts
267


Poodle + Domino SSL = Mail Problems
Wed, Oct 22nd 2014 2:45p   Frank Paolino
If you use Domino today, you effectively cannot use SSL for email (SMTP) until the promised IBM fix is available. Here is why: The fix vendors applied that patched the POODLE vulnerability broke communications with Domino servers that use SSL. These patched servers will start a secure (SSL) SMTP session but will not fall back to plain text. This means messages queued up in mail.box for sending outbound, or mail queued up at the sender that will not be received by you. The best n [read] Keywords: connections domino ibm email smtp
48


IBM and Apple focus on the Enterprise
Wed, Jul 16th 2014 10:25a   Frank Paolino
Apple is working with IBM to push into the enterprise space. Apple really has mainly focused on the consumer market, but products like IBM Traveler have made BYOD a reality. Now, with IBM, Apple is going to focus on large enterprises. Tim Cook gets a corporate partner with a great enterprise player to promote Apple as enterprise ready. Ginny Rometti mentioned security, which is an overwhelming concern with BYOD. If Apple and IBM make new offerings that satisy I [read] Keywords: ibm traveler apple application blackberry enterprise security
53


CryptorBit Virus
Mon, May 5th 2014 1:25p   Frank Paolino
There is a new and improved version of CryptoLocker. Version 1.0 made the makers of this ransomware a lot of money, and this version 2.0 is, I predict, just one of many new "feature enhanced" releases. Judging by the Bitcoin activity, there are a lot of "willing" victims out there paying to get their files back. BleepingComputer is doing a great job documenting this, so I will point you there for good advice and a possible free fix made by Nathan Scott called the DecrypterFixe [read] Keywords: virus
41


Time-lapse of Product Showcase Taken from my GoPro Camera
Tue, Feb 4th 2014 9:22a   Frank Paolino
I wanted to have a little fun at #IBMConnect so I put a GoPro camera over our booth on the Product Showcase and snapped pictures of all of our visitors over 4 days. The Product Showcase was certainly "energized", so I choose suitable music in the "William Tell Overture". [read] Keywords:
42


Refrigerators Now Send Spam as Well as Keeping it Cold
Mon, Jan 20th 2014 2:02p   Frank Paolino
Refrigerators now do more than keep spam, that tasty treat, cold, they also send spam, the electronic email version. That is the story of a compromised refrigerator that sends cold "spam" to unsuspecting users via it's internet connection. Viruses makers will try to add anything to their botnets, and the latest attack on "refrigerators" does not surprise me at all. The target of this attack was a refrigerator model running a flavor of Linux that had not been hardened or pr [read] Keywords: email linux virus
38


Increase in Virus Activity
Thu, Jan 9th 2014 2:02p   Frank Paolino
The increase in recent Virus activity has been noticeable, and the sophisticated techniques the virus makers use to evade detection make the job of stopping them that much more challenging. Many times, a new message appears and I ask "Is this some new attempt to get me to infect my machine"? Many of my customers ask me the same question, so I put a live stream of recently caught viruses subjects and attachment names on our website. (Obviously, I did not put the viruses, just their names [read] Keywords: virus




42


Virus Names translated from Chinese
Tue, Jan 7th 2014 2:22p   Frank Paolino
[read] Keywords: virus
73


Notice to Appear in Court
Thu, Jan 2nd 2014 1:42p   Frank Paolino
Yes, the title of the blog appears scary and that is what the senders of the email want, to scare you into opening the message and reading the body, then launching the phony "notice". Here is a sample of a phony notice that appears to come from JonesDay. Here are the Law firms that were spoofed in these virus outbreaks, and a sampling of the from addresses that were used. To be perfectly clear, these messages are spoofing the law firms, trying to get the rec [read] Keywords: email office virus
34


Blocking EXE attachments is working great!
Fri, Dec 13th 2013 1:42p   Frank Paolino
We have advised customers of SpamSentinel for the last month to block EXE attachments, even (especially!) inside zip files. I have been monitoring the results on one of our servers, and they are spectacular in catching new virus outbreaks before their "signatures" are recorded. These are "zero hour" zero hour viruses, fresh off the computers of the virus makers. Here is a screenshot showing the recent patterns, piggybacking on popular email types, like airline ticket confirma [read] Keywords: email virus
36


Popular Virus Subjects this Week
Fri, Nov 15th 2013 2:02p   Frank Paolino
There was a lot of virus activity this week. Here is a snapshot of 13,773 caught viruses caught on a single day. The subjects give clues to the latest approaches the virus senders are using in the hope that they can fool the recipient into opening the attachment, which releases the virus. I sorted the subjects and replaced the sender's attempt at making the message look unique with a Fed Express number, a case number or even a phone number with a sequential number, like 123-45 [read] Keywords: office virus




Created and Maintained by Yancy Lent - About - Blog Submission - Suggestions - Change Log - Blog Widget - Advertising - Mobile Edition