e dot dot dot

home << Policy << auto malware purveyor serving up ransomware via bogus icann blacklist removal emails

Sat, 31 Dec 2016

Malware Purveyor Serving Up Ransomware Via Bogus ICANN Blacklist Removal Emails
Furnished content.

Fun stuff ahead for some website owners, thanks to a breakdown in the registration process. A Swiss security researcher has spotted bogus ICANN blacklist removal emails being sent to site owners containing a Word document that acts as a trigger for ransomware.

Fake @ICANN Domain Abuse Notices being spammend out to domain owners, distributing malware (Dridex?) - icann-monitor[dot]org pic.twitter.com/G0F4dzc1xP— abuse.ch (@abuse_ch) December 29, 2016

Fake @ICANN Domain Abuse Notices being spammend out to domain owners, distributing malware (Dridex?) - icann-monitor[dot]org

These fake @ICANN abuse notices distribute Cerber Ransomware (hXXp://csenet.org/view/file5.exe) calling out to ffoqr3ug7m726zou.1nuljt\.top— abuse.ch (@abuse_ch) December 29, 2016

These fake @ICANN abuse notices distribute Cerber Ransomware (hXXp://csenet.org/view/file5.exe) calling out to ffoqr3ug7m726zou.1nuljt\.top

The email appears to orginate from somewhere legitimate, as seen in this screenshot:

But the quasi-legit URL (icann-monitor.org) was only very recently registered through eNom, which apparently had no problem with some internet rando snagging a URL closely associated with the international group that governs domain names.

Domain Name: ICANN-MONITOR.ORG
Domain ID: D402200000001096932-LROR
WHOIS Server:
Referral URL: http://www.enom.com
Updated Date: 2016-12-29T15:25:14Z
Creation Date: 2016-12-28T20:19:57Z
Registry Expiry Date: 2017-12-28T20:19:57Z
Sponsoring Registrar: eNom, Inc.
Sponsoring Registrar IANA ID: 48
[...]
Tech Email: legal@whoisguard.com
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM

Ironically, the emails containing this malware inform recipients that their domain is "being used for spamming and spreading malware." The spam email invites site owners to download a malware-laced "report" for further instructions on how to remove their site from the blacklist, warning them they only have 24 hours to ~~fall victim to ransomware~~ respond.The researcher is now "counting the hours (days?)" until either eNom or ICANN act in response to this spoofing/ransomware attack. Don't hold your breath. ICANN has yet to say anything publicly about this and, as of this point, eNom has yet to deactivate the account. For now, the fake ICANN still lives and breathes and poses a threat to recipients of this official-looking email.

Permalink | Comments | Email This Story

Read more here

edit: Policy/auto___malware_purveyor_serving_up_ransomware_via_bogus_icann_blacklist_removal_emails.wikieditish...

Password:

Title:

Body:

Furnished content.

Fun stuff ahead for some website owners, thanks to a breakdown in the registration process. <a href="https://www.abuse.ch/" target="_blank">A Swiss security researcher</a> has spotted bogus ICANN blacklist removal emails <a href="https://twitter.com/abuse_ch/status/814484091013885952" target="_blank">being sent to site owners</a> containing a Word document that acts as a trigger for ransomware.<div class="centered"><blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">Fake <a href="https://twitter.com/ICANN">@ICANN</a> Domain Abuse Notices being spammend out to domain owners, distributing malware (Dridex?) - icann-monitor[dot]org <a href="https://t.co/G0F4dzc1xP">pic.twitter.com/G0F4dzc1xP</a>— abuse.ch (@abuse_ch) <a href="https://twitter.com/abuse_ch/status/814484091013885952">December 29, 2016</a></blockquote><script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script></div><blockquote><em>Fake @ICANN Domain Abuse Notices being spammend out to domain owners, distributing malware (Dridex?) - icann-monitor[dot]org</em></blockquote><div class="centered"><blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">These fake <a href="https://twitter.com/ICANN">@ICANN</a> abuse notices distribute Cerber Ransomware (hXXp://csenet.org/view/file5.exe) calling out to ffoqr3ug7m726zou.1nuljt\.top— abuse.ch (@abuse_ch) <a href="https://twitter.com/abuse_ch/status/814496250099798016">December 29, 2016</a></blockquote><script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script></div><blockquote><em>These fake @ICANN abuse notices distribute Cerber Ransomware (hXXp://csenet.org/view/file5.exe) calling out to ffoqr3ug7m726zou.1nuljt\.top</em></blockquote>The email appears to orginate from somewhere legitimate, as seen in this screenshot:<div class="centered"><img alt="" src="https://i.imgur.com/ZFq7mLu.jpg" style="width: 500px; height: 227px;" /></div>But the quasi-legit URL (icann-monitor.org) was only <a href="http://pastebin.com/raw/JFgWUSsJ" target="_blank">very recently registered through eNom</a>, which apparently had no problem with some internet rando snagging a URL closely associated with the <a href="https://www.techdirt.com/articles/20160610/07561834679/yes-getting-us-government-out-managing-internet-domain-governance-is-good-thing.shtml" target="_blank">international group</a> that governs domain names.<blockquote><em>Domain Name: ICANN-MONITOR.ORG<br /> Domain ID: D402200000001096932-LROR<br /> WHOIS Server:<br /> Referral URL: http://www.enom.com<br /> Updated Date: 2016-12-29T15:25:14Z<br /> Creation Date: 2016-12-28T20:19:57Z<br /> Registry Expiry Date: 2017-12-28T20:19:57Z<br /> Sponsoring Registrar: eNom, Inc.<br /> Sponsoring Registrar IANA ID: 48<br /> [...]<br /> Tech Email: legal@whoisguard.com<br /> Name Server: DNS1.REGISTRAR-SERVERS.COM<br /> Name Server: DNS2.REGISTRAR-SERVERS.COM</em></blockquote>Ironically, the emails containing this malware inform recipients that their domain is "being used for spamming and spreading malware." The spam email invites site owners to download a malware-laced "report" for further instructions on how to remove their site from the blacklist, warning them they only have 24 hours to <s>fall victim to ransomware</s> respond.The researcher is now <a href="https://twitter.com/abuse_ch/status/814499719154167809" target="_blank">"counting the hours (days?)"</a> until either eNom or ICANN act in response to this spoofing/ransomware attack. Don't hold your breath. ICANN has yet to say anything publicly about this and, as of this point, eNom has yet to deactivate the account. For now, the fake ICANN still lives and breathes and poses a threat to recipients of this official-looking email.<br /><br /><a href="https://www.techdirt.com/articles/20161229/11425236368/malware-purveyor-serving-up-ransomware-via-bogus-icann-blacklist-removal-emails.shtml">Permalink</a> | <a href="https://www.techdirt.com/articles/20161229/11425236368/malware-purveyor-serving-up-ransomware-via-bogus-icann-blacklist-removal-emails.shtml#comments">Comments</a> | <a href="https://www.techdirt.com/articles/20161229/11425236368/malware-purveyor-serving-up-ransomware-via-bogus-icann-blacklist-removal-emails.shtml?op=sharethis">Email This Story</a><br />

Read more <a class="sw_sl" href="https://www.techdirt.com/articles/20161229/11425236368/malware-purveyor-serving-up-ransomware-via-bogus-icann-blacklist-removal-emails.shtml" target="_blank">here</a>

Technorati tag?:

Delete this item?:

Treat as new?:

home << Policy << auto malware purveyor serving up ransomware via bogus icann blacklist removal emails