Friday, January 28, 2011

FBI Impersonation Spam Serves Trojan.Ransom

For the past month, a compromised web site has been sending emails purporting to be from the "Federal Bureau of Investigation". The email encourages the victim to download a file which installs Trojan.Ransom.


The spear phishing email originates from an evidently compromised domain, robertmueller.com. The email that I received bears the subject line "Email Correspondence", and was 111 kb in size. The email account which was used to send the email is infors@robertmueller.com.
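A defender-side header check for the lure described above, added here as an example (it is not part of the original post). It flags a message whose display name claims to be the FBI while the sending address is outside fbi.gov, and matches the sender and subject quoted in the post; the sample message is constructed from those details, and the attachment name and body text are assumptions:

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Indicators quoted in the post: the sending account and the subject line observed.
KNOWN_SENDER = "infors@robertmueller.com"
KNOWN_SUBJECT = "email correspondence"
LEGIT_FBI_DOMAIN = "fbi.gov"

# Constructed sample modelled on the headers in the post; filename and body text are assumptions.
SAMPLE = b"""From: "Federal Bureau of Investigation" <infors@robertmueller.com>
To: victim@example.com
Subject: Email Correspondence
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please download the attached file.
--b1
Content-Type: application/octet-stream; name="document.exe"
Content-Disposition: attachment; filename="document.exe"

MZ
--b1--
"""


def claims_to_be_fbi(display_name: str) -> bool:
    """True if the From display name presents the sender as the FBI."""
    name = display_name.lower()
    return "federal bureau of investigation" in name or re.search(r"\bfbi\b", name) is not None


def analyze_message(raw: bytes) -> dict:
    """Return which impersonation indicators a raw RFC 5322 message triggers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    legit = domain == LEGIT_FBI_DOMAIN or domain.endswith("." + LEGIT_FBI_DOMAIN)
    findings = {
        # Display name says FBI but the mail was not sent from fbi.gov.
        "fbi_name_non_gov_domain": claims_to_be_fbi(display_name) and not legit,
        "known_sender": address.lower() == KNOWN_SENDER,
        "known_subject": str(msg.get("Subject", "")).strip().lower() == KNOWN_SUBJECT,
        # The post's lure pushed the victim to download a file; an attachment is a further signal.
        "has_attachment": any(part.get_filename() for part in msg.walk()),
    }
    findings["suspicious"] = findings["fbi_name_non_gov_domain"] or findings["known_sender"]
    return findings
```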


A check of the site reveals that it has been in existence since 1999:

robertmueller.com    A    85.13.128.201    (dd1932.kasserver.com)
robertmueller.net
ICANN Registrar: INTERNETWIRE COMMUNICATIONS GMBH
Created: 1999-08-24
Expires: 2011-08-24
Updated: 2010-12-07
domain:          robertmueller.com
nserver:         ns5.kasserver.com
nserver:         ns6.kasserver.com
created:         1999-08-24
updated:         2010-12-07

owner-id:        RM624348
owner-org:       
owner-name:      Robert Caspar Mueller
owner-address:   Frankfurter Tor 7
owner-pcode:     10243
owner-city:      Berlin
owner-country:   DE
owner-phone:     +49 305 4714361
owner-email:     mail@robertmueller.com

This spear phishing campaign appears to be relatively unknown. I checked the domain at Google Safe Browsing and Norton Safe Web, neither of which had checked the site. McAfee Site Advisor gives the site a safe rating.


For over a year, members of the Russian Business Network have sought to impersonate F.B.I. leaders and web sites.


If you receive this email, do not open it.


James McQuaid
1-28-2011