Last Updated: 2008-04-14 18:13:43 UTC - "We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case. It then asks them to click a link and download the case history and associated information. One problem, it's total bogus. It's a "click-the-link-for-malware" typical spammer stunt. So, first and foremost, don't click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It's very highly targeted that way. Second, the United States Federal Courts do not "serve" formal process over email. While there is an Electronic Case Management System, initial contact for a subpoena, lawsuit or other process is done the old fashioned way... someone serving you the old fashioned way. Presumably, if you did already get served you would have a lawyer handling the case for you. In that instance, the *lawyer*, not you, would be getting electronic notices from the court **after service has been handled**.
FOR LAWYERS ONLY: ...You've gotten thousands of these, if you see something radically different, I would log in directly into the CM/ECF system and check the docket record directly. Don't click on the links if you are suspicious. I'm sure a call to the Clerk of the Court would also help you get information. Odds are the Clerk has heard of these kind of e-mails circulating...
FOR EVERYONE ELSE: ...if you are not a lawyer (or not representing yourself pro se and have ECF access) you will -never- get an e-mail from the court.
TECHNICAL DETAILS: The malicious code that gets downloaded is a CAB with acrobat.exe inside... The malware then creates a Browser Helper Object (BHO) at WINDIR%\system32\acrobat.dll and opens a hidden IE window to communciate to the command and control server. The BHO will also steal any installed certificates installed on the system. The C&C server is hard-coded to an ISP in Singapore at this time...
UPDATE 13:04 CDT: ...VirusTotal results... guess coverage isn't that good (12/32). If you have someone infected, backup data and reinstall, targetted phishes like this ought to concern us more than general ones, and the only way to be safe is to "burn it down" and start over if an infection happens.
UPDATE 13:14 CDT: ...another malware variant - same thing, but VirusTotal only has 3/32."
Edited by AplusWebMaster, 15 April 2008 - 11:36 AM.