Malware Purveyor Serving Up Ransomware Via Bogus ICANN Blacklist Removal Emails
from the for-best-results,-enable-macros dept
Fun stuff ahead for some domain owners, thanks to a breakdown in the registration process. A Swiss security researcher (abuse.ch) has spotted bogus ICANN blacklist-removal emails being sent to domain owners, carrying a Word document that serves as the trigger for a ransomware infection.
Fake @ICANN Domain Abuse Notices being spammed out to domain owners, distributing malware (Dridex?) – icann-monitor[dot]org pic.twitter.com/G0F4dzc1xP
— abuse.ch (@abuse_ch) December 29, 2016
These fake @ICANN abuse notices distribute Cerber Ransomware (hXXp://csenet.org/view/file5.exe) calling out to ffoqr3ug7m726zou.1nuljt.top
— abuse.ch (@abuse_ch) December 29, 2016
The email appears to originate from somewhere legitimate, as seen in this screenshot:
[Screenshot of the fake ICANN abuse notice not reproduced here]
But the quasi-legit domain (icann-monitor.org) had been registered through eNom only the day before the emails were spotted, as the WHOIS record shows, and eNom apparently had no problem with some internet rando snagging a name closely associated with the international group that governs domain names.
Domain Name: ICANN-MONITOR.ORG
Domain ID: D402200000001096932-LROR
WHOIS Server:
Referral URL: http://www.enom.com
Updated Date: 2016-12-29T15:25:14Z
Creation Date: 2016-12-28T20:19:57Z
Registry Expiry Date: 2017-12-28T20:19:57Z
Sponsoring Registrar: eNom, Inc.
Sponsoring Registrar IANA ID: 48
[…]
Tech Email: legal@whoisguard.com
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
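The WHOIS record above is exactly the kind of signal a mail gateway or an analyst can check mechanically. The following is an added example, not code from the article or from abuse.ch: it parses that record, works out how old the sender's domain was when the message was seen, and flags a domain that borrows a protected brand's name without being one of that brand's genuine domains. The allowlist (only icann.org treated as genuine ICANN), the 72-hour "newly registered" threshold and the message arrival time are assumptions; the WHOIS text is the excerpt quoted in the article.

```python
"""Added example (not from the article or abuse.ch): score a sender domain
from its WHOIS record.  Two signals: the domain impersonates a protected
brand, and it was registered only hours before the message was seen."""
from datetime import datetime, timezone

# WHOIS fields as quoted in the article (registry record for the lure domain).
WHOIS_ICANN_MONITOR = """\
Domain Name: ICANN-MONITOR.ORG
WHOIS Server:
Updated Date: 2016-12-29T15:25:14Z
Creation Date: 2016-12-28T20:19:57Z
Registry Expiry Date: 2017-12-28T20:19:57Z
Sponsoring Registrar: eNom, Inc.
Tech Email: legal@whoisguard.com
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
"""

# Assumption: brands we protect and the domains that genuinely belong to them.
# The article only establishes icann.org as ICANN's real domain.
PROTECTED_BRANDS = {"icann": {"icann.org"}}


def parse_whois(text):
    """Turn 'Key: value' lines into {lowercased key: [values]}.  Repeated keys
    (Name Server) accumulate; empty values (the blank 'WHOIS Server:') are dropped."""
    rec = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")   # first colon only; timestamps contain more
        if not sep or not val.strip():
            continue
        rec.setdefault(key.strip().lower(), []).append(val.strip())
    return rec


def parse_ts(s):
    """Registry timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lookalike_brand(domain):
    """Return the brand name a domain borrows, or None if the domain is one of
    the brand's genuine domains (or a subdomain of one) or is unrelated."""
    d = domain.lower().rstrip(".")
    for brand, genuine in PROTECTED_BRANDS.items():
        if d in genuine or any(d.endswith("." + g) for g in genuine):
            return None
        if brand in d:   # substring heuristic: catches icann-monitor, icannmonitor, ...
            return brand
    return None


def assess(sender_domain, whois_text, seen_at, max_age_hours=72):
    """seen_at: when the message arrived, in the same timestamp format as WHOIS."""
    rec = parse_whois(whois_text)
    if rec["domain name"][0].lower() != sender_domain.lower():
        raise ValueError("WHOIS record is for a different domain")
    age_hours = (parse_ts(seen_at) - parse_ts(rec["creation date"][0])).total_seconds() / 3600
    reasons = []
    brand = lookalike_brand(sender_domain)
    if brand:
        reasons.append(f"borrows the name '{brand}' but is not a genuine {brand} domain")
    if age_hours < max_age_hours:
        reasons.append(f"registered {age_hours:.1f} hours before the message was seen")
    return {
        "domain": sender_domain,
        "registrar": rec.get("sponsoring registrar", ["?"])[0],
        "age_hours": round(age_hours, 1),
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    # Assumed arrival time: midday on the day the abuse.ch tweets went out.
    print(assess("icann-monitor.org", WHOIS_ICANN_MONITOR, "2016-12-29T12:00:00Z"))
```

Run on the article's record with a midday 29 December arrival time, the domain comes back as about 15.7 hours old and flagged on both counts. Either signal on its own (a brand lookalike, or a domain younger than a few days sending "official" notices) is enough to quarantine the message for review; the privacy-protected contact email is worth noting but is common on legitimate domains too, so it is not scored here.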
Ironically, the emails carrying this malware inform recipients that their domain is “being used for spamming and spreading malware.” The spam invites site owners to download a malware-laced “report” for further instructions on how to get their domain removed from the blacklist, warning them they have only 24 hours to respond (that is, to fall victim to the ransomware).
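The “report” is a Word document that the recipient is nudged to open and enable macros in. As an added example, not the article's or the researcher's code, here is a triage check a mail filter can run on the attachment bytes before anyone sees the “Enable Content” bar. The page does not say whether the lure was a legacy binary .doc or an OOXML .docx/.docm, so the check handles both: an OOXML document keeps its VBA code in word/vbaProject.bin, whatever extension the sender chose, while a legacy OLE container is routed for deeper inspection with an OLE parser. The sample documents are constructed inside the block and contain no real macro code.

```python
"""Added example (not from the article): triage a Word attachment for macro
capability by inspecting its bytes rather than trusting the file name."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc (OLE2/CFB container)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx / .docm (a zip archive)


def classify_word_attachment(data: bytes) -> dict:
    """Return a verdict dict for an attachment body.

    OOXML: VBA code is stored in word/vbaProject.bin, so its presence is a
    definitive macro indicator regardless of the extension the sender chose.
    Legacy OLE .doc: macros live in an OLE storage that needs a CFB parser
    (for example the olefile package) to enumerate, so it is only routed for
    deeper inspection here.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            # Zip magic but no readable central directory: truncated or crafted.
            return {"container": "zip", "macros": None, "verdict": "malformed"}
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        return {
            "container": "ooxml",
            "is_word": "word/document.xml" in names,
            "macros": has_vba,
            "verdict": "block" if has_vba else "allow",
        }
    if data.startswith(OLE_MAGIC):
        return {"container": "ole", "macros": None, "verdict": "inspect"}
    return {"container": "unknown", "macros": None, "verdict": "inspect"}


def build_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML documents for the demo.  The 'VBA project'
    is placeholder bytes, not real macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("plain.docx", build_docx(False)),
        ("report.docx (really macro-enabled)", build_docx(True)),
        ("legacy.doc", OLE_MAGIC + b"\x00" * 504),
    )
    for label, blob in samples:
        print(label, classify_word_attachment(blob))
```

The point of keying on the container rather than the extension is that the lure can be named whatever the sender likes; what matters is whether Word will find a VBA project inside. A verdict of "inspect" for OLE files is deliberate: a plain magic-byte check cannot prove a legacy .doc is macro-free, so it should go to a sandbox or an OLE-aware scanner rather than straight to the user.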
The researcher is now “counting the hours (days?)” until either eNom or ICANN acts in response to this spoofing/ransomware attack. Don’t hold your breath. ICANN has yet to say anything publicly about this and, as of this writing, eNom has yet to deactivate the account. For now, the fake ICANN still lives and breathes and poses a threat to recipients of this official-looking email.
Filed Under: blacklist, malware, ransomware
Companies: icann
Comments on “Malware Purveyor Serving Up Ransomware Via Bogus ICANN Blacklist Removal Emails”
MSFT Word?
Sorry, cannot open document.
How anyone at a top tier can use a MSFT product/OS/system is still a little mind boggling. The internet runs on Linux, they would do well to emulate that.
Re: MSFT Word?
Sorry, but the internet runs on UNIX, not “Linux”.
Linux is a kernel, not an operating system.
Linux kernel based operating systems are not ready for production with the plethora of shortcomings like no real memory manager (it uses a pretend memory manager that doles out memory like congress does money), shitty filesystems that suffer from bit-rot just like Windows NTFS as well as the never-ending problem with them going read-only in the middle of operations. Add in problems with OoM-Kill causing them to hang entirely and systemd offering all kinds of hooks for malware to attach and you’ve got a mish-mash hodge-podge of garbage that isn’t any better than anything Microsoft offers.
Now, if you’d said, Solaris, HPUX, AIX, I wouldn’t have argued. Let’s face it, Linux kernel based operating systems are just toys at the current time.
Re: Re: MSFT Word?
Interesting .. you claim to have vast knowledge, and yet seem to not be using it. Why is that?
IIRC, there is a website that reports the platform/os of websites it finds .. what was that site again … hmmm if I could only go there and look
Re: Re: MSFT Word?
Google doesn’t agree.
https://en.wikipedia.org/wiki/Google_Data_Centers#Production_hardware
"Linux is also the leading operating system on servers and other big iron systems such as mainframe computers and on 99.6% (including top 385) of the fastest (TOP500) supercomputers"
https://en.wikipedia.org/wiki/Linux
Sounds like Ehud is right, you haven’t updated your information about Linux in a long time.
Re: MSFT Word?
It has been solved already ages ago:
http://www.hpl.hp.com/techreports/2004/HPL-2004-221.html
Too bad it didn’t get sold, HP labs then offered it for free to Microsoft to include it in the next version of Windows. But apparently that never happened.
We have a new chance: genode.org
Freedom of expression - until you don't like it
“…which apparently had no problem with some internet rando snagging a URL closely associated with the international group that governs domain names. “
Yes, that’s exactly how the freedom to express oneself by registering a domain name works. Can you just imagine the horror if registrars refused to register names that “appear” to be “associated” with other entities.
It would make registrars worse than the USPTO.
I’m surprised, Tim, that you would say this, implying therein that censorship of domain name selection is a goal to which registrars should strive.
Happy New Year. (Feel free to register that as a domain name, if you like. Oh shoot, never mind, it’s taken. https://uniregistry.com/market/domain/happynewyear.com)
Ehud
Re: Freedom of expression - until you don't like it
I assume you are being deliberately obtuse and ignoring the obvious security problems with allowing domains like this to be purchased by any random person. If I am wrong however, you deserve the life of ruined computers and hacked passwords that clicking on legitimate looking emails will give you.
Re: Re: Freedom of expression - until you don't like it
First, you assume incorrectly. Second, there are no “security problems” in allowing people to register domains. Finally, thanks for wishing me a life of misery for expressing the idea that anyone should be able to register any domain name or speak their minds or publish their words.
I am a consultant on security, have an RFC on domain names, and don’t wish ill on people who fight for free expression nor do so anonymously.
happy new year.
Ehud
Re: Re: Re: Freedom of expression - until you don't like it
So if someone went around and purchased very similar domain names to all of your business domains and then went on to spearphish your likely contacts and associates with those domains, you would still be perfectly fine with that happening?
So if someone for instance registered networksocery-notice.com and started sending all likely contacts notices of a malware infection as in the above article with a ransomware link to respond or for more information, you would still be perfectly ok with the idea?
Re: Re: Re:2 Freedom of expression - until you don't like it
You’re hilarious. My “likely contacts and associates” aren’t stupid.
I’m perfectly ok with people registering whatever domain names they like. This is still a country where we value freedom of expression. The ends do not justify the means, and we do not support censorship.
Now go troll elsewhere. I’m off to enjoy the NY weekend. I don’t have time to answer rhetorical questions posted by people too cowardly to sign their name, too cowardly to allow speech they don’t like, and I’m sure the next “analogy” will have something worse than confused business associates, like, say the poor children we should be thinking of.
Hide under your bridge; happy new year. Be literate.
E
Re: Re: Re:2 Freedom of expression - until you don't like it
So – what if the sky started falling and .. and .. and
Re: Re: Freedom of expression - until you don't like it
Like if ICANN-MONITOR.ORG were, say, some group against the USG officially cutting ties with ICANN or some watchdog group?
All sorts of names may be registered and there is nothing to stop that. Even domain squatting. You can try to go through ICANN or sue over trademark or just try to buy the domain from the holder. But there isn’t something that is going to stop one from registering almost any sort of name, whether used for nefarious purposes or not.
Why Would Someone Do This?
It’s easier and (surprisingly) legal to tell a registrant their domain is due for renewal, ask for a check and an EPP code, then transfer the domain to your totally legit company.
Don’t tarnish the good reputation of Ransomware by emulating run-of-the-mill shell registrar extortion.
Who would be dumb enough to fall for these scams? My webhost provider sends me email messages via a support ticket when my domain renewal is up. Neither ICANN nor ENOM ever sends me any messages regarding my domain. I’ve had to contact ENOM because my previous webhost refused to unlock my domain name so I could transfer and that’s the only contact I’ve had with ENOM.
Re: Who falls for this?
If there’s one thing I’ve learned as the official “internet guy” in my extended family, it’s that a LOT of people are using many many internet features that they do not really understand. Old people in particular are very trusting when it comes to scary-looking emails and website popups.
Not-so-old people are not that much better. I’ve been called by my own mother, who gets a lot of spill-over techy knowledge from when I speak to my father, and who still almost fell for that “Microsoft Bob” voice that hijacks your browser and pretends to be a BSOD.
Not to mention the oodles and oodles of emails like this I get for video game services. Blizzard game services seem to get targeted the most, and I like keeping a copy of some of them (wish I kept more) so I can go back and laugh. But I know that even some close friends of mine will fall for it.
Now, imagine any of the above people that were “suggested” by me to buy their own domain name for private use. They don’t host a website, simply use the domain for email purposes. And they get one of these scary emails. Most people vulnerable to the scam would use Windows and Microsoft office products. They’ll certainly find “simple, easy steps” an easy thing to do, I won’t bother my hard working son/grandson/husband with a quick call – oh crap – now I’m either out lots of data or hundreds of bucks.
Re: Re: Who falls for this?
Oh, do share – we could all use a laugh.
I would comment something substantial but I’m not wearing my geek glasses and I don’t have my calculator on me like all you fucking nerds. Oh, and I’m not a virgin. Faggots
Re: Re:
Said the guy who takes his hand on a date first.
Why should either entity act? TechDirt has had stories in the past about domain registrars booting off domains because some random entity had a tantrum. You praise some registrars for requiring a court order to deregister domains, but you expect eNom to deregister this domain because some random people are complaining?
And why should ICANN act? Is it going to give itself some special privileges to boot off any domain that uses the name “icann”? Then what? Other entities start demanding their own special privileges too?
Frankly, the only thing that is remotely noteworthy on this is that the domain is impersonating ICANN. There are thousands of other spoofed entities and fake domains for phishing, but they don’t get special treatment or mentions.
Alice: Well, I can’t believe the stuff that is not I Can’t Believe It’s Not Butter is not I Can’t Believe It’s Not Butter. And I can’t believe that both I Can’t Believe It’s Not Butter and the stuff that I can’t believe is not I Can’t Believe It’s Not Butter are both, in fact, not butter. And I believe… they both might be butter… in a cunning disguise. And, in fact, there’s a lot more butter around than we all thought there was.
Even if the fake icann site still lives, why wait for ICANN or eNom to take action? Why don’t the authorities simply track the thing and nab the criminals behind it?
I do hope it’s already happening in silence.