A new Urgent Court Notice or Notice to appear in court has started its spam run, with emails spoofed to pretend to come from a law firm. They have now changed and are using Gibson Dunn and Crutcher as the law firm and Los Angeles as the court this time. These follow on from THIS and THIS
14 Jan 2014: A new version pretending to come from porrick.com (I cannot find a law firm called porrick) and using San Francisco as the court
15 Jan 2014: Another new version pretending to come from gtlaw.com (Greenberg Traurig) and using New York as the court
22 Jan 2014: Another new version pretending to come from reedsmith.com (ReedSmith) and using Pittsburgh as the court
23 Jan 2014: Another version pretending to be from skadden.com (Skadden, Arps, Slate, Meagher & Flom LLP & Affiliates), using New York as the court again
28 Jan 2014: Another version pretending to be from scotcourts.gov.uk, using London as the court this time. Instead of using an international firm of lawyers, they are pretending that the “summons” comes directly from the courts, and they are now using a fake PDF as the malware rather than the earlier fake Word docs
11 March 2014: After quite a long break these fake urgent court notices have restarted. Once again they are using London as the court and pretending to come from L.McNamara@scotcourts.gov.uk. However, the Asprox botnet that sends these tends to tailor the court and the sender to the geographical region that the email recipient is believed to come from. So a UK-based email domain will get London as the court, and a US-based one will get LA or Chicago or whatever US court the botnet authors currently want to use.
29 March 2014: These continue to arrive on a frequent (almost daily) basis. There are very few changes from previous versions, except that today’s has a different alleged law company as sender, Notice of appearance firstname.lastname@example.org, and the court is Des Moines
This follows on from http://myonlinesecurity.co.uk/spoofed-lw-com-notice-of-appearance-in-court-no8780-fake-word-doc-malware/ and http://myonlinesecurity.co.uk/notice-appearance-court-wa6142-fake-word-doc-malware/. It also pretends to be from a large international group of lawyers (gibsondunn.com) with a notice to appear. There are various slightly different subjects on this email, along with different times and dates of the alleged hearing. A different court clerk’s name is also used, just to vary it a bit.
- Hearing of your case in Court No07713 < numbers vary >
- #Hearing of your case in Court N#7717-846
- Notice to appear in court No02240 < numbers vary >
- Urgent court notice No08976 < numbers vary >
- Notice of appearance in court No08780 <numbers vary>
- Notice of appearance in court N#7751-591
- Notice to appear in court GQ#0781
Hereby you are notified that you have been scheduled to appear for your hearing that will take place in the court of San Francisco in January 25, 2014 at 11:00 am.
Please bring all documents and witnesses relating to this case with you to Court on your hearing date. The copy of the court notice is attached to this letter. Please, read it thoroughly.
Note: If you do not attend the hearing the judge may hear the case in your absence.
Clerk to the Court.
Notice to Appear in Court,
This is to advise that you are required to attend the court of Los Angeles in January 16, 2014 for the hearing of your case.
Please, kindly prepare and bring the documents related to this case to Court on the date mentioned above. Attendance is compulsory.
The copy of the court notice is attached to this letter, please, download and read it thoroughly.
Clerk to the Court.
Of course it isn’t a court notice or summons, and the attachment definitely does not contain any information about any court case. It is another one from the current Asprox botnet runs, which try to drop Kuluoz, Dofoil, fake anti-virus and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-sized businesses, with the hope of getting a better response than they do from consumers.
Almost all of these have a password-stealing component, with the aim of stealing your email or FTP (web space) login credentials. Many of them are also designed specifically to steal your Facebook and other social network login details.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
Attachment zip name: Court_Notice_Los_Angeles_No0852.zip (108 kb)
14 Jan 2014 Court_Notice_Copy_No7055.zip extracts to Court_Notice_copy_document_14_01_2014_USA.exe Current VirusTotal detections: 20/48
15 Jan 2014 Court_Notice_NY_15_01_2014_Copy_116.zip extracts to Court_Notice_New_York_15_01_2014_copy.exe Current VirusTotal detections: 2/48
22 Jan 2014 Court_Notice_No_8437.zip extracts to Court_Notice_copy_document.exe Current VirusTotal detections: 5/50
23 Jan 2014 Court_Notice_Date_01_23_ID2443.zip extracts to Court_Notice_Date_01_23_Copy_New_York.exe Current VirusTotal detections: 10/49
28 Jan 2014 Court_Notice_29012014.zip (61kb) extracts to Court_Notice_29012014.exe Current VirusTotal detections: 4/50
11 March 2014 document.1778-290-15-03.zip (60kb) extracts to document.1778-290-15-03.exe Current VirusTotal detections: 4/50
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper Microsoft Word file or PDF instead of the .exe file it really is, making it much more likely that you will accidentally open it and be infected.
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. It might be a message saying “look at this picture of me I took last night” that appears to come from a friend, or it might be more targeted at somebody who is likely to regularly receive PDF attachments, Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them, make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
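The same check can be done at a mail gateway before a user ever unzips anything. The following is an added example, not code from this site or from any mail product: it reads only the zip's file listing and flags members whose real extension is executable, and it matches the subject shapes listed above. The extension set, the function names and the in-memory sample zip are assumptions made for the illustration.

```python
import io
import re
import zipfile

# Illustrative, non-exhaustive set of extensions Windows runs on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}

# Subject shapes listed in this post; the reference number varies per message.
SUBJECT_RE = re.compile(
    r"^#?(Hearing of your case in Court|Notice to appear in court|"
    r"Urgent court notice|Notice of appearance in court)\s+"
    r"(No\d{4,5}|N#\d{4}-\d{3}|[A-Z]{2}#\d{4})$",
    re.IGNORECASE,
)

def executable_members(zip_bytes):
    """Return member names whose final extension is executable.
    Only the zip directory is read; nothing is extracted or run."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Windows ignores trailing dots and spaces in file names.
            name = info.filename.rstrip(". ")
            dot = name.rfind(".")
            if dot != -1 and name[dot:].lower() in EXECUTABLE_EXTS:
                hits.append(info.filename)
    return hits

def triage(subject, zip_bytes):
    """Report whether the subject fits the lure and what the zip hides."""
    return {
        "subject_matches_lure": bool(SUBJECT_RE.match(subject.strip())),
        "executables_in_zip": executable_members(zip_bytes),
    }

def constructed_zip(member_name):
    """Build a harmless in-memory zip (constructed sample, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not an executable")
    return buf.getvalue()

if __name__ == "__main__":
    sample = constructed_zip("Court_Notice_29012014.exe")
    print(triage("Urgent court notice No08976", sample))
```

The icon shown in Explorer plays no part in this check, so a member such as Court_Notice.pdf.exe is flagged by its final extension regardless of how it is dressed up.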