FBI Impersonation Spam Serves Trojan.Ransom

For the past month,  a compromised web site has been sending emails purporting to be from the "Federal Bureau of Investigation".   The email encourages the victim to download a file which installs Trojan.Ransom.


The spear phishing email originates from an evidently compromised domain robertmueller.com.  The email that I received bears the subject line "Email Correspondence", and was 111 kb in size.  The email account which was used to send the email is infors@robertmueller.com.


A check of the site reveals that it has been in existence since 1999:

robertmueller.com a 85.13.128.201 dd1932.kasserver.com

robertmueller.net

ICANN Registrar:INTERNETWIRE COMMUNICATIONS GMBHCreated:1999-08-24Expires:2011-08-24Updated:2010-12-07

domain:          robertmueller.com

nserver:         ns5.kasserver.com

nserver:         ns6.kasserver.com

created:         1999-08-24

updated:         2010-12-07

owner-id:        RM624348

owner-org:       

owner-name:      Robert Caspar Mueller

owner-address:   Frankfurter Tor 7

owner-pcode:     10243

owner-city:      Berlin

owner-country:   DE

owner-phone:     +49 305 4714361

owner-email:     mail@robertmueller.com

This spear phishing campaign appears to be relatively unknown.  I checked the domain at Google Safe Browsing and Norton Safe Web, neither of which had checked the site.  McAfee Site Advisor gives the site a safe rating.


For over a year, members of the Russian Business Network have sought to impersonate F.B.I. leaders and web sites.


If you receive this email do not open it.


James McQuaid
1-28-2011