Friday, January 28, 2011

FBI Impersonation Spam Serves Trojan.Ransom

For the past month, a compromised web site has been sending emails purporting to be from the "Federal Bureau of Investigation". The email encourages the victim to download a file which installs Trojan.Ransom.

The spear phishing email originates from an evidently compromised domain. The email that I received bears the subject line "Email Correspondence", and was 111 kb in size. The email account which was used to send the email is

A check of the site reveals that it has been in existence since 1999:

ICANN Registrar: INTERNETWIRE COMMUNICATIONS GMBH
created:         1999-08-24
expires:         2011-08-24
updated:         2010-12-07

owner-id:        RM624348
owner-name:      Robert Caspar Mueller
owner-address:   Frankfurter Tor 7
owner-pcode:     10243
owner-city:      Berlin
owner-country:   DE
owner-phone:     +49 305 4714361

This spear phishing campaign appears to be relatively unknown.  I checked the domain at Google Safe Browsing and Norton Safe Web, neither of which had checked the site.  McAfee Site Advisor gives the site a safe rating.
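The registration-date check above, as an added example that is not part of the original post: a small Python script that pulls the created/updated/expires dates out of a whois record, computes the domain's age and how recently it changed, and turns those into triage signals for a sender domain. The sample whois text is constructed in the same layout as the excerpt quoted above (only the three dates come from the post); the reference date is the post date so the results are reproducible, and the 30-day and 90-day thresholds are assumed values, not anything the post states.

```python
import re
from datetime import date

# Constructed sample in the layout of the whois excerpt quoted in the post;
# the three dates are the ones shown there, everything else is omitted.
SAMPLE_WHOIS = """\
ICANN Registrar: INTERNETWIRE COMMUNICATIONS GMBH
created:         1999-08-24
updated:         2010-12-07
expires:         2011-08-24
"""

# Common labels for the three dates across registrar whois formats.
DATE_FIELDS = {
    "created": ("created", "creation date", "registered"),
    "updated": ("updated", "last updated", "changed"),
    "expires": ("expires", "expiry date", "expiration date"),
}

# "label:   YYYY-MM-DD", one per line; lines without an ISO date are ignored.
_DATE_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d{4}-\d{2}-\d{2})", re.M)

# Triage thresholds (assumed values, not from the post).
NEW_DOMAIN_DAYS = 30
RECENT_CHANGE_DAYS = 90


def parse_whois_dates(text):
    """Map 'created'/'updated'/'expires' to date objects for the labels found."""
    found = {}
    for label, value in _DATE_LINE.findall(text):
        key = label.strip().lower()
        for canonical, aliases in DATE_FIELDS.items():
            if key in aliases and canonical not in found:
                found[canonical] = date.fromisoformat(value)
    return found


def triage_domain(whois_text, today_iso):
    """Compute domain age and change recency relative to today_iso (YYYY-MM-DD).

    Returns a dict with the day counts (None when a field is absent) and a
    list of triage signals for an analyst looking at a sender domain.
    """
    today = date.fromisoformat(today_iso)
    d = parse_whois_dates(whois_text)
    age = (today - d["created"]).days if "created" in d else None
    since_update = (today - d["updated"]).days if "updated" in d else None
    to_expiry = (d["expires"] - today).days if "expires" in d else None

    signals = []
    if age is not None and age < NEW_DOMAIN_DAYS:
        signals.append("newly_registered")   # typical of attacker-owned domains
    if since_update is not None and since_update < RECENT_CHANGE_DAYS:
        signals.append("recently_updated")   # registrant/nameserver change worth a look
    if age is not None and age > 365 and "recently_updated" in signals:
        # An old, established domain with a fresh change fits a compromised
        # legitimate site better than a throwaway registration.
        signals.append("established_domain_recent_change")
    return {
        "age_days": age,
        "days_since_update": since_update,
        "days_to_expiry": to_expiry,
        "signals": signals,
    }


if __name__ == "__main__":
    # Reference date is the post date, so the numbers are reproducible.
    print(triage_domain(SAMPLE_WHOIS, "2011-01-28"))
```

A domain registered in 1999 and touched a few weeks before the campaign is what you would expect of a legitimate site that was taken over, which is why age alone does not clear a sender; the "recently updated" signal is the one that deserves the analyst's attention here.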

For over a year, members of the Russian Business Network have sought to impersonate F.B.I. leaders and web sites.

If you receive this email, do not open it.

James McQuaid