SPEAR PHISHING E-MAILS TARGET U.S. LAW FIRMS AND PUBLIC RELATIONS FIRMS
11/17/09—The FBI assesses with high confidence that hackers are using spear phishing e-mails with malicious payloads to exploit U.S. law firms and public relations firms. During the course of ongoing investigations, the FBI identified noticeable increases in computer exploitation attempts against these entities. The specific intrusion vector used against the firms is a spear phishing or targeted socially engineered e-mail designed to compromise a network by bypassing technological network defenses and exploiting the person at the keyboard. Hackers exploit the ability of end users to launch the malicious payloads from within the network by attaching a file to the message or including a link to the domain housing the file and enticing users to click the attachment or link. Network defense against these attacks is difficult as the subject lines are spoofed, or crafted, in such a way to uniquely engage recipients with content appropriate to their specific business interests. In addition to appearing to originate from a trusted source based on the relevance of the subject line, the attachment name and message body are also crafted to associate with the same specific business interests. Opening a message will not directly compromise the system or network because the malicious payload lies in the attachment or linked domain. Infection occurs once someone opens the attachment or clicks the link, which launches a self-executing file and, through a variety of malicious processes, attempts to download another file.
Indicators are unreliable for flagging inbound messages; however, indicators are available to determine whether a compromise already exists. Once executed, the malicious payload will attempt to download and execute the file ‘srhost.exe’ from the domain ‘http://d.ueopen.com’; e.g. http://d.ueopen.com/srhost.exe. Any traffic associated with ‘ueopen.com’ should be considered an indication of an existing network compromise and addressed appropriately.
The malicious file does not necessarily appear as an ‘exe’ file in each incident. On occasion, the self-executing file has appeared as other file types, e.g., ‘.zip’, ‘.jpeg’, etc.
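A small hunt script for the two indicators named above, added here as an illustration and not part of the FBI alert: it scans proxy log lines for any traffic to ueopen.com or a subdomain (look-alike domains do not match) and for the srhost.exe filename, and checks whether a file carrying a .zip or .jpeg name is actually a Windows executable. The log format, the sample lines and the list of non-executable extensions are constructed assumptions.

```python
"""Hunt for the compromise indicators named in the alert in proxy logs and
attachments.  Sample data is constructed; this is not FBI or IC3 code."""
from urllib.parse import urlsplit

# Indicators named in the alert.
IOC_DOMAIN = "ueopen.com"          # any traffic to this domain or a subdomain
IOC_FILENAME = "srhost.exe"        # second-stage file fetched after execution

# Extensions the alert says the payload has been disguised with, plus a few
# other non-executable types (assumption: an analyst-chosen list).
NON_EXEC_EXTENSIONS = (".zip", ".jpeg", ".jpg", ".pdf", ".doc")

# Constructed log lines in a simple "<ts> <client> <method> <url> <status>" form.
SAMPLE_PROXY_LOG = """\
2009-11-17T09:12:01Z 10.0.0.15 GET http://www.example.com/index.html 200
2009-11-17T09:12:44Z 10.0.0.15 GET http://d.ueopen.com/srhost.exe 200
2009-11-17T09:13:02Z 10.0.0.22 GET http://ueopen.com/ 404
2009-11-17T09:13:30Z 10.0.0.22 GET http://notueopen.com/srhost.exe 200
2009-11-17T09:14:10Z 10.0.0.31 GET http://cdn.example.net/photo.jpeg 200
"""


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the indicator domain itself or any subdomain, never for look-alikes."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_proxy_log(lines):
    """Return (line_no, reason, url) for every log line that hits an indicator."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the hunt
        url = fields[3]
        parts = urlsplit(url)
        host = parts.hostname or ""
        filename = parts.path.rsplit("/", 1)[-1].lower()
        if host_matches(host, IOC_DOMAIN):
            hits.append((line_no, "ioc-domain", url))
        elif filename == IOC_FILENAME:
            # Filename alone is weaker evidence than the domain, but still worth a look.
            hits.append((line_no, "ioc-filename", url))
    return hits


def disguised_executable(filename: str, content: bytes) -> bool:
    """True when a file with a non-executable extension is really a Windows PE."""
    name = filename.lower()
    looks_benign = any(name.endswith(ext) for ext in NON_EXEC_EXTENSIONS)
    # Windows executables begin with the "MZ" DOS header, whatever the name says.
    return looks_benign and content[:2] == b"MZ"


if __name__ == "__main__":
    for line_no, reason, url in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"line {line_no}: {reason}: {url}")
    print(disguised_executable("invoice.jpeg", b"MZ\x90\x00" + b"\x00" * 60))
```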
Please contact your local field office if you experience this network activity and direct incident response notifications to DHS and U.S. CERT.
FRAUDULENT AUTOMATED CLEARING HOUSE (ACH) TRANSFERS CONNECTED TO MALWARE AND WORK-AT-HOME SCAMS
11/03/09—Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts. In a typical scenario, the targeted entity receives a “spear phishing” e-mail which either contains an infected attachment or directs the recipient to an infected website. Once the recipient opens the attachment or visits the website, malware is installed on their computer. The malware contains a key logger which harvests the recipient’s business or corporate bank account log-in information. Shortly thereafter, the perpetrator either creates another user account with the stolen log-in information or directly initiates funds transfers by masquerading as the legitimate user. These transfers have occurred as both traditional wire transfers and as ACH transfers.
Further reporting has shown that the transfers are directed to the bank accounts of willing or unwitting individuals within the United States. Most of these individuals have been recruited via work-at-home advertisements, or have been contacted after placing resumes on well-known job search websites. These persons are often hired to “process payments”, or “transfer funds”. They are told they will receive wire transfers into their bank accounts. Shortly after funds are received, they are directed to immediately forward most of the money overseas via wire transfer services such as Western Union and Moneygram.
Customers who use online banking services are advised to contact their financial institution to ensure they are employing all the appropriate security and fraud prevention services their institution offers.
The United States Computer Emergency Readiness Team (US-CERT) has made information on banking securely online available at http://www.us-cert.gov/reading_room/Banking_Securely_Online07102006.pdf
Protecting your computer against malicious software is an ongoing activity and, at minimum, all computer systems need to be regularly patched, have up to date anti-virus software, and a personal firewall installed. Further information is available at http://www.us-cert.gov/nav/nt01/
If you have experienced unauthorized funds transfers from your bank accounts, or if you have been recruited via a work-at-home opportunity to receive transfers and forward money overseas, please notify the IC3 by filing a complaint at www.ic3.gov.
For a detailed analysis of this scam please visit http://www.ic3.gov/media/2009/091103-1.aspx
SPAMMERS CONTINUE TO ABUSE THE NAMES OF TOP GOVERNMENT EXECUTIVES BY MISUSING THE NAME OF THE UNITED STATES ATTORNEY GENERAL
10/27/09—As with previous spam attacks, which have included the names of high-ranking FBI executives and names of various government agencies, a new version misuses the name of the United States Attorney General, Eric Holder.
The current spam alleges that the Department of Homeland Security and the Federal Bureau of Investigation were informed the e-mail recipient is allegedly involved in money laundering and terrorist-related activities. To avoid legal prosecution, the recipient must obtain a certificate from the Economic Financial Crimes Commission (EFCC) Chairman at a cost of $370. The spam provides the name of the EFCC Chairman and an e-mail address from which the recipient can obtain the required certificate.
DO NOT RESPOND. THESE E-MAILS ARE A HOAX.
Government agencies do not send unsolicited e-mails of this nature. The FBI, Department of Justice, and other United States government executives are briefed on numerous investigations, but do not personally contact consumers regarding such matters. In addition, United States government agencies use the legal process to contact individuals. These agencies do not send threatening letters/e-mails to consumers demanding payments for Internet crimes.
Consumers should not respond to any unsolicited e-mails or click on any embedded links associated with such e-mails, as they may contain viruses or malware.
It is imperative consumers guard their Personally Identifiable Information (PII). Providing your PII will compromise your identity!
If you have been a victim of Internet crime, please file a complaint at www.IC3.gov.
FRAUDULENT E-MAIL CLAIMING TO CONTAIN FBI “INTELLIGENCE BULLETIN NO. 267”
10/05/09—A fraudulent e-mail message claiming to contain a confidential FBI report titled “New Patterns in Al-Qaeda Financing” has been circulating since August 15, 2009. The e-mail has the subject line “Intelligence Bulletin No. 267,” and contains an attachment titled “bulletin.exe.” This message, or similar messages, may contain files that are harmful to the recipient’s system and may try to steal user credentials.
DO NOT CLICK ON ANY LINKS ASSOCIATED WITH THIS E-MAIL OR SIMILAR E-MAILS, IT IS A HOAX.
The FBI does not send unsolicited e-mails or e-mail official reports. Consumers should not respond to any unsolicited e-mails or click on any embedded links, as they may contain viruses or other malicious software.
Below is an example of the fraudulent e-mail message:
INTELLIGENCE BULLETIN No. 267
Title: New Patterns in Al-Qaeda Financing
Date: August 15, 2009
THREAT LEVEL: YELLOW (ELEVATED)
THE INTELLIGENCE BULLETIN PROVIDES LAW ENFORCEMENT AND OTHER PUBLIC SAFET= OFFICIALS WITH SITUATIONAL AWARENESS CONCERNING INTERNATIONAL AND DOMES=IC TERRORIST GROUPS AND TACTICS.
HANDLING NOTICE: Recipients are reminded that FBI Intelligence Bulletins =ontain sensitive terrorism and counterterrorism information meant for us= primarily within the law enforcement community. Such bulletins are not =o be released either in written or oral form to the media, the general p=blic, or other personnel who do not have a valid ?eed-to-know?with=ut prior approval from an authorized FBI official, as such release could jeopardize national security
As with many fraudulent e-mail messages, this message contains multiple spelling errors and poor grammar.
If you have been a victim of Internet crime, please file a complaint at www.IC3.gov.
FRAUDULENT E-MAIL CLAIMING TO BE FROM DHS AND THE FBI COUNTERTERRORISM DIVISION
10/05/09—Fraudulent e-mails containing the subject line “New DHS Report” have been circulating since August 15, 2009. The e-mails claim to be from the Department of Homeland Security (DHS) and the FBI Counterterrorism Division. The e-mail text contains information about “New Usama Bin Ladin Speech Directed to the People of Europe,” and has an attachment titled “audio.exe.” The attachment is purportedly an audio speech from Bin Ladin; however, it actually contains malicious software intended to steal information from the recipient’s system.
DO NOT CLICK ON ANY LINKS ASSOCIATED WITH THIS E-MAIL OR SIMILAR E-MAILS, IT IS A HOAX.
The FBI does not send unsolicited e-mails or e-mail official reports. Consumers should not respond to any unsolicited e-mails or click on any embedded links, as they may contain viruses or malware.
One example of this fraudulent e-mail message is as follows:
Subject: New DHS Report
New Usama Bin Ladin Speech Directed to the People of Europe
Prepared by DHS/I&A Intelligence Watch and Warning Division and the FBI Counter Terrorism Division
(U//FOUO) Media outlets are reporting the release of a new audio tape on Al Jazeera today from Usama Bin Ladin, in which he states that all European countries involved in the Afghanistan war should end their support of American oppression in Afghanistan. In the audio message, Bin Ladin claims direct responsibility for the 11 September 2001 attacks and emphasizes that neither the Afghan people nor the Afghan government had foreknowledge of the attacks.
////Signed////
Charlie Allen
Chief Intelligence Officer
Department of Homeland Security
As with many fraudulent e-mail messages, this message contains multiple spelling errors and poor grammar.
If you have been a victim of Internet crime, please file a complaint at www.IC3.gov.
FRAUDULENT E-MAIL CLAIMING TO CONTAIN AN FBI INTELLIGENCE BULLETIN FROM THE WEAPONS OF MASS DESTRUCTION DIRECTORATE
10/05/09—A fraudulent e-mail, initially appearing around June 16, 2009, claims to contain a confidential FBI report from the FBI “Weapons of Mass Destruction Directorate.” The subject line of the e-mail is “RE: Weapons of Mass Destruction Directorate,” and it contains an attachment “reports.exe.” This message and similar messages may contain a file related to the “W32.Waledac” trojan software, which is designed to steal user authentication credentials or send spam messages.
DO NOT CLICK ON ANY LINKS ASSOCIATED WITH THIS E-MAIL OR SIMILAR E-MAILS, IT IS A HOAX.
The FBI does not send unsolicited e-mails or e-mail official reports. Consumers should not respond to any unsolicited e-mails or click on any embedded links, as they may contain viruses or malicious software.
Below is an example of the fraudulent e-mail:
CLASSIFIED
FEDERAL BUREAU OF INVESTIGATION
INTELLIGENCE BULLETIN
Weapons of Mass Destruction Directorate
HANDLING NOTICE: Recipients are reminded that FBI Intelligence Bulletins contain sensitive terrorism and counterterrorism information meant for use primarily within the law enforcement and homeland security communities. Such bulletins shall not be released, either in written or oral form, to the media, the general public, or other personnel who do not have a valid need-to-know without prior approval from an authorized FBI official, as such release could jeopardize national security.
Link to malicious software (report.exe)
If you have been a victim of Internet crime, please file a complaint at www.IC3.gov.
TECHNIQUES USED BY FRAUDSTERS ON SOCIAL NETWORKING SITES
10/01/09—Fraudsters continue to hijack accounts on social networking sites and spread malicious software by using various techniques. One technique involves the use of spam to promote phishing sites, claiming there has been a violation of the terms of agreement or some other type of issue which needs to be resolved. Other spam entices users to download an application or view a video. Some spam appears to be sent from users' "friends", giving the perception of being legitimate. Once the user responds to the phishing site, downloads the application, or clicks on the video link, their computer, telephone or other digital device becomes infected.
Another technique used by fraudsters involves applications advertised on social networking sites, which appear legitimate; however, some of these applications install malicious code or rogue anti-virus software. Other malicious software gives the fraudsters access to your profile and personal information. These programs will automatically send messages to your "friends" list, instructing them to download the new application too.
Infected users are often unknowingly spreading additional malware by having infected websites posted on their webpage without their knowledge. Friends are then more apt to click on these sites since they appear to be endorsed by their contacts.
Tips on avoiding these tactics:
- Adjust website privacy settings. Some networking sites have provided useful options to assist in adjusting these settings to help protect your identity.
- Be selective of your friends. Once selected, your "friends" can access any information marked as "viewable by all friends."
- You can select those who have "limited" access to your profile. This is for those whom you do not wish to give full friend status to or with whom you feel uncomfortable sharing personal information.
- Disable options such as texting and photo sharing, then re-enable them one by one only as you need them. Users should consider how they want to use the social networking site. If it is only to keep in touch with people, it is better to turn off the extra options that will not be used.
- Be careful what you click on. Just because someone posts a link or video to their "wall" does not mean it is safe.
Prospective and current users of a social networking site are recommended to familiarize themselves with the site's policies and procedures before encountering such a problem.
Each social networking site may have different procedures on how to handle a hijacked or infected account; therefore, you may want to reference their help or FAQ page for instructions.
Individuals who experienced such incidents are encouraged to file a complaint at www.IC3.gov reporting the incident.
FRAUDSTERS CONTINUE TO EXPLOIT TELECOMMUNICATIONS RELAY SERVICES (TRS)
07/08/09—The IC3 continues to receive complaints pertaining to scam artists using Telecommunications Relay Services (TRS) to defraud U.S. businesses and consumers. Under Title IV of the Americans with Disabilities Act, all telephone companies must provide TRS for individuals with hearing impairments or speech impairments.
This IC3 alert is to make the public aware of the continuing abuse of TRS to exploit U.S. businesses. Recent reports indicate scam artists are using TRS to exploit auto repair shops. The scam entails the fraudster using TRS to request services for a vehicle. The fraudster claims the vehicle has to be shipped to the auto repair business and requests the repairs and shipping fees be charged to a credit card. Unbeknownst to the business, the credit card is fraudulent or stolen; however, the charges initially go through without any complications. The business is then directed to wire the money to the shipper to cover the shipping costs. It is not until the shipper’s money is wired that the business is notified of the fraudulent credit card; therefore, the business bears the loss.
A previous PSA titled Notorious “Reshipper Scam” Transforms was released on February 9, 2004, covering this exploit. To view the PSA in its entirety, please visit the following link: http://www.ic3.gov/media/2004/040209.aspx.
Individuals who receive a communication such as the one described above are encouraged to file a complaint at www.ic3.gov reporting the incident.
ASIAN EXTORTION SCHEME
06/10/09—The FBI is currently aware of a nationwide attempt to extort ethnic business owners, mostly of Asian descent, through telephonic threats of violence. The telephone calls appear to originate from foreign countries. The caller acquires an adequate amount of open source information about the victim through Internet searches. This misleads the victim into believing the subject has personal knowledge about the victim. There have been no reported incidents of violence actually perpetrated to date.
Individuals who receive phone calls or e-mails containing threats of violence and their personally identifiable information (PII) are encouraged to contact law enforcement as well as file a complaint at www.ic3.gov.
CIRCULATION OF FRAUDULENT E-MAIL CLAIMING TO BE FROM U.S. CUSTOMS AND BORDER PROTECTION (CBP)
04/27/09—A spam e-mail claiming to be from former CBP Assistant Commissioner Thomas S. Winkowski is currently being circulated. This attempt to defraud is the typical e-mail scam using the name and reputation of a federal government official to create an air of authenticity.
The spam e-mail indicates the CBP has stopped a Diplomat who is carrying a consignment to be delivered to the recipient’s residence. This consignment allegedly contains millions of dollars, which is revealed to be an inheritance for the e-mail recipient.
As with many other scams, this e-mail advises the recipient they will be permitted to access this inheritance once the recipient has given the sender of the e-mail their personal information.
This e-mail is a hoax. Do not respond.
The U.S. CBP does not send unsolicited e-mails. Consumers should not respond to unsolicited e-mails or click on any embedded links, as they may contain viruses or malware.
It is imperative consumers guard their personally identifiable information (PII). Examples of a person’s PII include, but are not limited to: date of birth; social security number; and bank account numbers. Providing your PII will compromise your identity.
If you have received this e-mail, or a similar e-mail, please file a complaint at www.ic3.gov.
SCHEME PURPORTEDLY ANNOUNCING A MILLIONAIRE CONTEST
04/07/09—The IC3 has been alerted to the circulation of a fraudulent e-mail, purportedly from The Oprah Winfrey Show, notifying recipients of their nomination for the “Oprah Millionaire Contest Show.” To participate, recipients are requested to mail their contact information such as full name, address, telephone number, and e-mail address; however, no mailing address was provided. Verified contestants are then required to purchase airfare and a ticket to attend The Oprah Winfrey Show, as well as complete a forthcoming contest form containing personal questions. The contestants are then promised a seat for The Oprah Winfrey Show in April and asked to provide their responses to the personal questions for a chance to win a million dollars.
Consumers always need to be alert to unsolicited e-mails. Do not open unsolicited e-mails or click on any embedded links, as they may contain viruses or malware. Providing your personally identifiable information will compromise your identity!
Individuals who receive such e-mails are encouraged to file a complaint at www.ic3.gov.
FAKE MILITARY TWIST ON VEHICLE SALE SCAMS
03/05/09—The FBI continues to receive reports of individuals victimized while attempting to purchase vehicles via the Internet. Victims find attractively priced vehicles advertised at different Internet classified ad sites. Most of the scams include some type of third-party vehicle protection program to ensure a safe transaction. After receiving convincing e-mails from the phony vehicle protection program, the victims are directed to send either the full payment, or a percentage of the payment, to the third-party agent via a wire payment service. No vehicles are delivered to the victims.
In a new twist, scammers are posing as members of the United States military. The fictitious military personnel in the scam have either been sent to a foreign country to improve military relations, or they need to sell a vehicle quickly and cheaply because of their upcoming deployment to either Iraq or Afghanistan.
Consumers are advised to do as much due diligence as possible before engaging in transactions to purchase vehicles advertised online. Consumers are also cautioned to be aware of the rules of, and warnings posted by, the Internet sites they visit. If someone is asking you as a consumer to break or avoid the rules of the website, it is possible that person is trying to scam you.
If you have fallen victim to this type of scam, please notify the IC3 by filing a complaint at www.ic3.gov.
WORK-AT-HOME SCAMS
02/04/09—Consumers need to be vigilant when seeking employment online. The IC3 continues to receive numerous complaints from individuals who have fallen victim to work-at-home scams.
Victims are often hired to “process payments,” “transfer funds,” or “reship products.” These job scams involve the victims receiving and cashing fraudulent checks, transferring illegally obtained funds for the criminals, or receiving stolen merchandise and shipping it to the criminals.
Other victims sign up to be a “mystery shopper,” receiving fraudulent checks with instructions to cash the checks and wire the funds to “test” a company’s services. Victims are told they will be compensated with a portion of the merchandise or funds.
Work-at-home schemes attract otherwise innocent individuals, causing them to become part of criminal schemes without realizing they are engaging in illegal behavior.
Job scams often provide criminals the opportunity to commit identity theft when victims provide their personal information, sometimes even bank account information, to their potential “employer.” The criminal/employer can then use the victim’s information to open credit cards, post on-line auctions, register websites, etc., in the victim’s name to commit additional crimes.
If you have been a victim of Internet crime, please file a complaint at www.ic3.gov.
FLURRY OF SPAM TARGETING THE FEDERAL BUREAU OF INVESTIGATION
12/11/08—Consumers continue to be inundated by spam purportedly from the FBI. As with previous spam attacks, the latest versions use the names of several high ranking executives within the FBI and even the IC3 to attempt to defraud consumers.
Many of the spam e-mails currently in circulation claim to be an “official order” from the FBI’s Anti-Terrorist and Monetary Crimes Division or from an alleged FBI unit in Nigeria, confirm an inheritance, or contain a lottery notification, all informing recipients they have been named the beneficiary of millions of dollars. To claim the large sum, recipients are instructed to furnish their personally identifiable information (PII) and are often threatened with some type of penalty, such as prosecution, if they fail to do so. Specific PII requested includes, but is not limited to, the recipient’s name, banking information, telephone number, and a copy of their passport.
The spam e-mail allegedly from the IC3 states that the recipient has extorted money and will be given a limited amount of time to refund the money or face prosecution.
Do not respond. These e-mails are a hoax.
The FBI does not send unsolicited e-mails of this nature. FBI executives are briefed on numerous investigations but do not personally contact consumers regarding such matters. In addition, the IC3 does not send threatening letters to consumers demanding payments for Internet crimes.
Consumers should not respond to any unsolicited e-mails or click on any embedded links associated with such e-mails, as they may contain viruses or malware.
It is imperative consumers guard their PII. Providing your PII will compromise your identity.
If you have been a victim of Internet crime, please file a complaint at www.ic3.gov.
NEW TECHNIQUE UTILIZING PRIVATE BRANCH EXCHANGE (PBX) SYSTEMS TO CONDUCT VISHING ATTACKS
12/09/08—The FBI has received information concerning a new technique used to conduct vishing (1) attacks. The recent attacks were conducted by hackers exploiting a security vulnerability in Asterisk software. Asterisk is free and widely used software developed to integrate PBX (2) systems with Voice over Internet Protocol (VoIP) digital Internet voice calling services; however, early versions of the Asterisk software are known to have a vulnerability. The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour.
The vulnerability referred to in this alert is a known vulnerability. Digium, the original creator and primary developer of Asterisk, released a Security Advisory, AST-2008-003, in March of 2008, which contains the information necessary for users to configure a system, patch the software, or upgrade the software to protect against this vulnerability.
If a consumer falls victim to this exploit, their personally identifiable information (PII) will be compromised. To prevent further loss of consumers’ PII and to reduce the spread of this new technique, it is imperative that businesses using Asterisk upgrade their software to a version that has had the vulnerability fixed.
Further, consumers should not release personal information in response to unsolicited telephone calls. Providing your PII will compromise your identity!
If you have been a victim of Internet crime, please file a complaint at www.ic3.gov.
(1) Vishing utilizes caller ID spoofing via VoIP to contact potential victims in order to gain access to their PII by convincing the victim that the criminal is associated with a legitimate business with a need to know the victim’s PII.
(2) PBX systems are used by companies to allow telephone calls between VoIP enterprise users on local lines while allowing all users to share a limited number of external lines.
As with many scams, the e-mail advises the recipient that they are the beneficiary of a large sum of money which they will be permitted to access once fees are paid and personal banking information is provided. The appearance of the e-mail leads the reader to believe that it is from FBI Deputy Director John S. Pistole.
The IC3 continues to receive and develop intelligence regarding fraud schemes misrepresenting the FBI and/or FBI officials. The scam e-mails give the appearance of legitimacy through the use of pictures of FBI officials, seal, letterhead, and/or banners.
These fraud schemes claim to be from domestic as well as international FBI offices. The typical types of schemes utilizing the names of FBI officials and/or the FBI are lottery endorsements and inheritance notifications, but can cover a range of scams from threats and malicious computer program attachments (malware) to online auction scams. These scams use the social engineering technique of employing the FBI's name to intimidate and convince the recipient the e-mail is legitimate.
Please be cautious of any unsolicited e-mail referencing the FBI, Director Mueller, Deputy Director Pistole, or any other FBI official claiming that the FBI is endorsing any type of Internet activity.
Always be cautious when responding to requests or special offers delivered through unsolicited e-mail: