E-mails spoof DOJ address
- By William Jackson
- Feb 29, 2008
A trickle of phony e-mails purporting to be from the Justice Department and carrying apparently malicious attachments has been found by security researchers from MX Logic, an anti-spam company.
The subject line mentions an update about a complaint with a complaint number, and the body of the message informs the recipient that a claim has been filed against his company. It includes a 124K attachment named 'complaint.zip.'
'We don't have any targeting information now,' said Sam Masciello, MX Logic director of threat management. But the e-mails are similar to a spate of spam that emerged in May and June last year, targeting C-level executives. Like those messages, these mention the recipient's name and company in the body of the message, adding to their credibility. 'They are trying to lend more legitimacy to the campaign.'
Last year's attack e-mails carried a keylogging program as their malicious payload.
High-level executives can be attractive targets for cybercriminals because they often have broad access to sensitive corporate information. They can also be larger security risks: they tend to hold themselves above the security policies implemented to protect the organization, they are mobile and busy and like to use the latest gadgets, yet they are often less savvy about technology and its risks.
The current attack is low and slow, flying under the radar with a low volume of traffic, Masciello said. It appears to have peaked two days ago at several hundred e-mails an hour and has dropped off somewhat since then, although it is still being seen. Some examples of the e-mail came from an IP address in Italy.
The e-mail is well-formatted with an image captured from the DOJ Web site to add credibility, but the body of the message includes some grammatical errors and misspellings, such as using the word 'filled' instead of 'filed.' The same mistake was found in last year's e-mails.
'The level of sloppiness has been a tipoff for some time' to phony e-mails and is a common flaw in their social engineering, Masciello said, although some e-mails are getting better.
Because of the misspellings and the fact that the name of the attachment appears to remain the same in each copy, the e-mails are easy to block, he said.
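As an added illustration of the point above, the following Python filter screens incoming messages on the indicators the article names: a sender address claiming to be the Justice Department, a subject line about a complaint with a complaint number, a body saying a claim has been "filled" against the recipient's company, and a ZIP attachment named complaint.zip. This is example code written for this page, not code from MX Logic, the Justice Department or the article's author. The sender domain (usdoj.gov), the threshold of three matching indicators, and the two sample messages are assumptions constructed for the example.

```python
"""Rule-based screen for the DOJ 'complaint.zip' lure described above.

Added example; not from the article, MX Logic or the Justice Department.
Indicators come from the article's description of the e-mails. The
sender domain, the threshold and the sample messages are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the domain the spoofed From address claims. The article says
# only that the messages purport to come from the Justice Department.
CLAIMED_DOJ_DOMAINS = {"usdoj.gov"}
# Attachment name the article says stays the same in every copy.
LURE_ATTACHMENT = "complaint.zip"
# Subject mentions a complaint followed (within a few characters) by a number.
SUBJECT_RE = re.compile(r"complaint\D{0,20}\d{3,}", re.I)
# Body says a claim/complaint was 'filled' (the misspelling seen both years).
BODY_RE = re.compile(r"\b(claim|complaint)\b.{0,40}\bfilled\b", re.I | re.S)


def indicators(msg: EmailMessage) -> list[str]:
    """Return the lure indicators found in one parsed message, in check order."""
    hits = []
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in CLAIMED_DOJ_DOMAINS:
        hits.append("from-claims-doj")
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject-complaint-number")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if BODY_RE.search(text):
        hits.append("body-filled-misspelling")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == LURE_ATTACHMENT:
            hits.append("attachment-complaint-zip")
    return hits


def indicators_of(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and return its lure indicators."""
    return indicators(email.message_from_bytes(raw, policy=policy.default))


def is_doj_lure(raw: bytes, threshold: int = 3) -> bool:
    """Flag a message when at least `threshold` indicators match (assumed value)."""
    return len(indicators_of(raw)) >= threshold


def _build(from_addr: str, subject: str, body: str, filename: str, subtype: str) -> bytes:
    """Construct a sample message with one attachment (test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "ceo@example-corp.test"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()


# Constructed sample: matches every indicator the article describes.
LURE = _build(
    "Department of Justice <noreply@usdoj.gov>",
    "Update on complaint #4432189",
    "Dear John Doe,\n\nA claim has been filled against Example Corp. "
    "Please review the attached complaint.\n",
    "complaint.zip",
    "zip",
)

# Constructed sample: ordinary business mail with an attachment.
BENIGN = _build(
    "Alice <alice@partner.test>",
    "Q1 invoice",
    "Hi,\n\nAttached is the invoice we discussed.\n",
    "invoice.pdf",
    "pdf",
)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, is_doj_lure(raw), indicators_of(raw))
```

Requiring several independent indicators, rather than the attachment name alone, keeps the rule useful if the attackers rename the file but keep the rest of the template; each indicator is cheap to evaluate at the mail gateway before the attachment is ever opened.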
William Jackson is a Maryland-based freelance writer.