Domain suspended email notice contains malware attachment
Today I saw something new to me in the spam-containing-malware category. It was an email allegedly from one account on my own domain, sent to another existing account on my domain, notifying me that my domain had been suspended! FAIL!
Keep in mind as you read this that I received this scam email from one of the email accounts on the supposedly suspended domain! I am posting about it on my blog, which is also hosted under the same domain name! A simple check of my home page shows that it is still up and running. Obviously, the email was a scam, attempting to panic me into opening the attached file. Not going to happen, Boris!
Here, for both your amusement and to warn other domain/website owners about the scam, are the significant details from the normally hidden headers.
Received: from home-d805cd5a06 by smtp.wanadoo.fr; Thu, 22 Sep 2011 08:52:00 +0200
Date: Thu, 22 Sep 2011 08:52:00 +0200
Message-ID: <[email protected]>
Subject: Fw: IMPORTANT: wizcrafts.net has been suspended
From: REMOVED@wizcrafts.net
Reply-To: REMOVED@wizcrafts.net
To: REMOVED@wizcrafts.net
Content-Type: text/plain; charset=iso-8859-2
Here is what I saw when I examined the source code in the message body:
aEBb,
lGBf WLHZmMor Qu EpMu JDnky, kSr XuEPqWXQa?
a ue UBpyIYe opY QOdzUCjY.
jZKlDtiul,
tFJLfI wSMDlTD
------------F0C3F295E295E05
Content-Type: application/zip; name="Domain_Abuse_SBL141309_0920.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Domain_Abuse_SBL141309_0920.zip"
Let's examine these items one at a time and see what they reveal about this message. You can apply the same techniques should you be a domain owner and receive a similar email scam.
First, let's look at the incoming email headers:
FAIL #1:
Received: from home-d805cd5a06 by smtp.wanadoo.fr; Thu, 22 Sep 2011 08:52:00 +0200
Date: Thu, 22 Sep 2011 08:52:00 +0200
This tells me that the email was not sent by my web hosting company, nor my domain's Registrar, but by a "home" user in France, using Wanadoo.fr as their ISP (+0200 is the timezone for France). My web host is located in the Mountain time zone in the USA, which is -0700. Furthermore, my Registrar is located in -0800.
FAIL #2:
Message-ID: <[email protected]>
The above line confirms that the email was sent from Wanadoo.fr, in France, not Bluehost, in the USA.
FAIL #3:
Subject: Fw: IMPORTANT: wizcrafts.net has been suspended
From: REMOVED@wizcrafts.net
Reply-To: REMOVED@wizcrafts.net
To: REMOVED@wizcrafts.net
The subject tells me that my domain, Wizcrafts.net has been suspended and that the message about it was forwarded from someone else to me. This would never happen in a real suspension notice. The web host or domain Registrar sends such a notice directly to the account owner. They would not forward it.
Next, look at the From, reply-to and To lines. They are all accounts on the very same domain that was supposedly suspended! Big FAIL!
FAIL #4:
Content-Type: text/plain; charset=iso-8859-2
That character set is assigned for users in Eastern Europe, most notably in Latvia and surrounding countries. The rest of the message in the body text would need to be read in an email client configured to render character code 8859-2, or it would read as gibberish.
So, how did the important suspended domain notice appear when I looked in the Body section?
aEBb,
lGBf WLHZmMor Qu EpMu JDnky, kSr XuEPqWXQa?
a ue UBpyIYe opY QOdzUCjY.
jZKlDtiul,
tFJLfI wSMDlTD
As expected, gibberish!
So, how was I supposed to be exploited by this email? Why, it has an attachment! If I could have read the gibberish it would have instructed me to open the attached file to learn why my domain was suspended. Doh!
Here's the payload:
Content-Type: application/zip; name="Domain_Abuse_SBL141309_0920.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Domain_Abuse_SBL141309_0920.zip"
Needless to say, I did not open that zip file. It contains either a botnet installer, Trojan downloader, fake AV, or the Zeus banking Trojan. I don't live in Troy and don't accept unexpected Trojan Horses from Latvians bearing gifts. Neither should you!
If you receive such a fake warning, forward it to SpamCop, then delete it.
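To make the header checks above repeatable, here is an added Python example (my own, not code from the original post) that runs the same FAIL #1 through FAIL #4 tests, plus the attachment check, over a raw message. It assumes Bluehost as the hosting provider and the -0700/-0800 offsets quoted in the post; both sample messages are constructed for this example, with example.net standing in for the reader's own domain and placeholder local parts and Message-IDs.

```python
"""Audit a 'domain suspended' notice for the tells walked through in the post.

Added example, not code from the original post. The expected provider domain,
UTC offsets and charsets are assumptions; set them for your own host/registrar.
Both sample messages below are constructed for this example.
"""
import re
from email import message_from_string, policy
from email.utils import parsedate_to_datetime
from typing import List

# Assumptions: who may legitimately send a suspension notice and from where.
EXPECTED_SENDER_DOMAINS = {"bluehost.com"}   # the host named in the post
EXPECTED_UTC_OFFSETS = {-7.0, -8.0}          # Mountain (host) / Pacific (registrar)
EXPECTED_CHARSETS = {"us-ascii", "utf-8", "iso-8859-1"}
RISKY_EXTENSIONS = (".zip", ".rar", ".exe", ".scr", ".js")

# Constructed phish, modelled on the headers quoted in the post (local parts and
# Message-ID are placeholders; example.net stands in for the reader's domain).
PHISH = """\
Received: from home-d805cd5a06 by smtp.wanadoo.fr; Thu, 22 Sep 2011 08:52:00 +0200
Date: Thu, 22 Sep 2011 08:52:00 +0200
Message-ID: <20110922065200.constructed@smtp.wanadoo.fr>
Subject: Fw: IMPORTANT: example.net has been suspended
From: owner@example.net
Reply-To: owner@example.net
To: webmaster@example.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="F0C3F295E295E05"

--F0C3F295E295E05
Content-Type: text/plain; charset=iso-8859-2

aEBb,
lGBf WLHZmMor Qu EpMu JDnky, kSr XuEPqWXQa?

--F0C3F295E295E05
Content-Type: application/zip; name="Domain_Abuse_SBL141309_0920.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Domain_Abuse_SBL141309_0920.zip"

UEsDBAoAAAAAAA==
--F0C3F295E295E05--
"""

# Constructed example of what a genuine notice from the host would look like.
GENUINE = """\
Received: from mail.bluehost.com by mx.bluehost.com; Thu, 22 Sep 2011 00:52:00 -0700
Date: Thu, 22 Sep 2011 00:52:00 -0700
Message-ID: <20110922075200.constructed@bluehost.com>
Subject: IMPORTANT: example.net has been suspended
From: abuse@bluehost.com
To: webmaster@example.net
Content-Type: text/plain; charset=utf-8

Your account has been suspended; log in to your control panel for details.
"""


def domain_of(value: str) -> str:
    """Domain part of an address or Message-ID, lowercased ('' if none)."""
    m = re.search(r"@([\w.-]+)", value)
    return m.group(1).lower() if m else ""


def is_expected_sender(domain: str) -> bool:
    """True if the domain is the provider or one of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in EXPECTED_SENDER_DOMAINS)


def audit_suspension_notice(raw: str) -> List[str]:
    """Return one finding per tell; an empty list means nothing looked off."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # FAIL #1: the relay in Received and the Date offset should match the provider.
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)\s+by\s+(\S+)", str(rcvd))
        if m:
            relay = m.group(2).rstrip(";").lower()
            if not is_expected_sender(relay):
                findings.append(f"received: relayed by unexpected server {relay}")
    if msg["Date"]:
        offset = parsedate_to_datetime(str(msg["Date"])).utcoffset()
        hours = offset.total_seconds() / 3600 if offset else 0.0
        if hours not in EXPECTED_UTC_OFFSETS:
            findings.append(f"date: UTC offset {hours:+.0f} does not match the provider's time zone")

    # FAIL #2: the Message-ID is minted by the server that actually sent the mail.
    mid_domain = domain_of(str(msg["Message-ID"] or ""))
    if mid_domain and not is_expected_sender(mid_domain):
        findings.append(f"message-id: generated at {mid_domain}, not the provider")

    # FAIL #3: a real notice is sent directly, and not from the suspended domain itself.
    subject = str(msg["Subject"] or "")
    if re.match(r"\s*fwd?:", subject, re.I) and "suspended" in subject.lower():
        findings.append("subject: a genuine suspension notice is not forwarded")
    m = re.search(r"([\w.-]+\.\w+) has been suspended", subject, re.I)
    suspended = m.group(1).lower() if m else ""
    addr_domains = {h: domain_of(str(msg[h])) for h in ("From", "Reply-To", "To") if msg[h]}
    if suspended and addr_domains and all(d == suspended for d in addr_domains.values()):
        findings.append(f"addresses: {', '.join(addr_domains)} are all on the 'suspended' domain {suspended}")

    # FAIL #4 and the payload: odd charset for an English notice, archive attached.
    for part in msg.walk():
        charset = (part.get_content_charset() or "").lower()
        if part.get_content_maintype() == "text" and charset and charset not in EXPECTED_CHARSETS:
            findings.append(f"body: charset {charset} is unusual for a notice to an English-speaking customer")
        filename = part.get_filename() or ""
        if filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment: {filename} is an archive or executable")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("genuine", GENUINE)):
        print(label, audit_suspension_notice(raw) or ["no findings"])
```

Run against the constructed phish it reports all seven tells (relay, time zone, Message-ID, forwarded subject, same-domain addresses, charset, zip attachment); against the constructed genuine notice it reports nothing. The expected-sender and offset sets are the knobs to adjust for your own host and registrar.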
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.