Malware Purveyor Serving Up Ransomware Via Bogus ICANN Blacklist Removal Emails

from the for-best-results,-enable-macros dept

Fun stuff ahead for some website owners, thanks to a breakdown in the registration process. A Swiss security researcher has spotted bogus ICANN blacklist removal emails being sent to site owners containing a Word document that acts as a trigger for ransomware.

Fake @ICANN Domain Abuse Notices being spammed out to domain owners, distributing malware (Dridex?) - icann-monitor[dot]org

These fake @ICANN abuse notices distribute Cerber Ransomware (hXXp://csenet.org/view/file5.exe) calling out to ffoqr3ug7m726zou.1nuljt\.top

The email appears to originate from somewhere legitimate, as seen in this screenshot:

But the quasi-legit URL (icann-monitor.org) was only very recently registered through eNom, which apparently had no problem with some internet rando snagging a URL closely associated with the international group that governs domain names.

Domain Name: ICANN-MONITOR.ORG
Domain ID: D402200000001096932-LROR
WHOIS Server:
Referral URL: http://www.enom.com
Updated Date: 2016-12-29T15:25:14Z
Creation Date: 2016-12-28T20:19:57Z
Registry Expiry Date: 2017-12-28T20:19:57Z
Sponsoring Registrar: eNom, Inc.
Sponsoring Registrar IANA ID: 48
[...]
Tech Email: legal@whoisguard.com
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
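The WHOIS record above carries the three signals a recipient's mail team would check before trusting an "abuse notice" like this one: the domain was created two days before the campaign was reported, its registrable label borrows a well-known brand, and the contacts sit behind a privacy service. The script below is an added example written for this page, not code from the researcher, Techdirt, eNom or ICANN. It parses the record as printed, computes the domain's age as of the report day, and flags those signals. The brand list, the 30-day threshold and the exact time of day on 30 Dec 2016 are assumptions.

```python
"""Sender-domain triage built around the WHOIS record in the article.
Added example; the brand list, age threshold and report time are assumptions."""
from datetime import datetime, timezone

# WHOIS record as printed in the article (abridged there as well).
WHOIS_ICANN_MONITOR = """\
Domain Name: ICANN-MONITOR.ORG
Domain ID: D402200000001096932-LROR
WHOIS Server:
Referral URL: http://www.enom.com
Updated Date: 2016-12-29T15:25:14Z
Creation Date: 2016-12-28T20:19:57Z
Registry Expiry Date: 2017-12-28T20:19:57Z
Sponsoring Registrar: eNom, Inc.
Sponsoring Registrar IANA ID: 48
Tech Email: legal@whoisguard.com
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
"""

# Brand names a lookalike registration would want to borrow (assumption).
WATCHED_BRANDS = ("icann", "iana", "enom")
# Domains younger than this when the mail arrives are treated as suspicious (assumption).
MAX_AGE_DAYS = 30


def parse_whois(text):
    """Turn 'Key: value' WHOIS lines into a dict; repeated keys become lists.

    Splitting on the first colon only keeps URL values such as the Referral URL
    intact, and empty values (the blank 'WHOIS Server:' line) are dropped."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:
            continue
        if key in record:
            existing = record[key]
            record[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            record[key] = value
    return record


def domain_age_days(record, seen_at):
    """Days between registry creation and the moment the email was seen."""
    created = datetime.strptime(record["Creation Date"], "%Y-%m-%dT%H:%M:%SZ")
    created = created.replace(tzinfo=timezone.utc)
    return (seen_at - created).total_seconds() / 86400


def brand_tokens(domain):
    """Watched brand names embedded in the registrable label, e.g. 'icann' in icann-monitor."""
    label = domain.lower().split(".")[0]
    return [brand for brand in WATCHED_BRANDS if brand in label]


def privacy_shielded(record):
    """True when the contact addresses point at a WHOIS privacy service."""
    emails = " ".join(v for k, v in record.items() if k.endswith("Email")).lower()
    return "whoisguard" in emails or "privacy" in emails


def triage(whois_text, seen_at):
    """Collect findings; two or more independent signals mark the domain suspicious."""
    record = parse_whois(whois_text)
    domain = record["Domain Name"]
    age = domain_age_days(record, seen_at)
    findings = []
    if age < MAX_AGE_DAYS:
        findings.append(f"registered {age:.1f} days before the mail was seen")
    brands = brand_tokens(domain)
    if brands:
        findings.append("name borrows " + ", ".join(brands))
    if privacy_shielded(record):
        findings.append("registrant hidden behind a privacy service")
    return {"domain": domain, "age_days": age, "findings": findings,
            "suspicious": len(findings) >= 2}


def triage_icann_monitor():
    """Run the check against the record above as of the researcher's report day
    (30 Dec 2016; the time of day is an assumption)."""
    return triage(WHOIS_ICANN_MONITOR, datetime(2016, 12, 30, 12, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    result = triage_icann_monitor()
    print(result["domain"], "suspicious" if result["suspicious"] else "no verdict")
    for finding in result["findings"]:
        print("-", finding)
```

Run against this record the script reports an age of about 1.7 days, the borrowed "icann" token and the WhoisGuard contact, so all three signals fire. Requiring two of them keeps a freshly registered but otherwise unremarkable domain, or an established brand-bearing partner domain, from being flagged on one signal alone.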

Ironically, the emails containing this malware inform recipients that their domain is "being used for spamming and spreading malware." The spam email invites site owners to download a malware-laced "report" for further instructions on how to remove their site from the blacklist, warning them they have only 24 hours to respond (that is, to fall victim to the ransomware).

The researcher is now "counting the hours (days?)" until either eNom or ICANN act in response to this spoofing/ransomware attack. Don't hold your breath. ICANN has yet to say anything publicly about this and, as of this point, eNom has yet to deactivate the account. For now, the fake ICANN still lives and breathes and poses a threat to recipients of this official-looking email.


Filed Under: blacklist, malware, ransomware
Companies: icann


Reader Comments


  • David (profile), 30 Dec 2016 @ 3:37pm

    MSFT Word?

    Sorry, cannot open document.

    How anyone at a top tier can use a MSFT product/OS/system is still a little mind boggling. The internet runs on Linux, they would do well to emulate that.

    • Skullduggery, 30 Dec 2016 @ 6:34pm

      MSFT Word?

      Sorry, but the internet runs on UNIX, not "Linux".

      Linux is a kernel, not an operating system.
      Linux kernel based operating systems are not ready for production with the plethora of shortcomings like no real memory manager (it uses a pretend memory manager that doles out memory like congress does money), shitty filesystems that suffer from bit-rot just like Windows NTFS as well as the never-ending problem with them going read-only in the middle of operations. Add in problems with OoM-Kill causing them to hang entirely and systemd offering all kinds of hooks for malware to attach and you've got a mish-mash hodge-podge of garbage that isn't any better than anything Microsoft offers.

      Now, if you'd said, Solaris, HPUX, AIX, I wouldn't have argued. Let's face it, Linux kernel based operating systems are just toys at the current time.

      • Ehud Gavron (profile), 30 Dec 2016 @ 7:17pm

        Re: MSFT Word?

        > Sorry, but the internet runs on UNIX, not "Linux".

        Sorry but the Internet runs on GNU/Linux not UNIX™. Very few people use UNIX and those include AT&T in their old DMS switching systems and some government operations. Everyone else uses some open-source variant based on either BSD Unix or Linux.

        > Linux is a kernel, not an operating system.
        Most people who say "I use Linux" refer to the modern-day meaning which is the "GNU/Linux ecosystem." If you want to be a stickler and insist that Linux only refers to the kernel you might want to start capitalizing "Internet" since lower-case Internet means some random internetwork.

        > Linux kernel based operating systems are not ready for production...
        This, and the rest of your rant is factually wrong, technically incorrect, demonstrates a lack of understanding of how operating systems work, conflates file systems with operating systems, and in general represents a decent view of the state of the art of Linux in 1991.

        > Now, if you'd said, Solaris, HPUX, AIX, I wouldn't have argued.
        Yes, you're definitely stuck in 1991. Thanks for informing the world that if everyone said the thing you think you wouldn't argue. Fortunately the world is not here to hear you argue nor prevent your arguments.

        Argue away. You're still wrong and 15 years behind the times*.

        Happy New Year.

        Ehud
        * In 2017 you'll be 16 years behind the times. Start counting down till midnight tomorrow.

      • Anonymous Coward, 31 Dec 2016 @ 6:04am

        Re: MSFT Word?

        Interesting .. you claim to have vast knowledge, and yet seem to not be using it. Why is that?

        IIRC, there is a website that reports the platform/os of websites it finds .. what was that site again ... hmmm if I could only go there and look

      • nasch (profile), 31 Dec 2016 @ 9:32am

        Re: MSFT Word?

        > Linux kernel based operating systems are not ready for production

        Google doesn't agree.

        https://en.wikipedia.org/wiki/Google_Data_Centers#Production_hardware

        "Linux is also the leading operating system on servers and other big iron systems such as mainframe computers and on 99.6% (including top 385) of the fastest (TOP500) supercomputers"

        https://en.wikipedia.org/wiki/Linux

        Sounds like Ehud is right, you haven't updated your information about Linux in a long time.

    • Anonymous Coward, 1 Jan 2017 @ 5:04am

      Re: MSFT Word?

      It has been solved already ages ago:

      http://www.hpl.hp.com/techreports/2004/HPL-2004-221.html

      Polaris is a package for Windows XP that demonstrates that we can do better at dealing with viruses than has been done so far. Polaris allows users to configure most applications so that they launch with only the rights they need to do the job the user wants done. This simple step, enforcing the Principle of Least Authority (POLA), gives so much protection from viruses that there is no need to pop up security dialog boxes or ask users to accept digital certificates. Further, there is little danger in launching email attachments, using macros in documents, or allowing scripting while browsing the web. Polaris demonstrates that we can build systems that are more secure, more functional, and easier to use.

      Too bad it didn't get sold, HP labs then offered it for free to Microsoft to include it in the next version of Windows. But apparently that never happened.

      We have a new chance: genode.org

  • Ehud Gavron (profile), 30 Dec 2016 @ 3:40pm

    Freedom of expression - until you don't like it

    "...which apparently had no problem with some internet rando snagging a URL closely associated with the international group that governs domain names. "

    Yes, that's exactly how the freedom to express oneself by registering a domain name works. Can you just imagine the horror if registrars refused to register names that "appear" to be "associated" with other entities.

    It would make registrars worse than the USPTO.

    I'm surprised, Tim, that you would say this, implying therein that censorship of domain name selection is a goal to which registrars should strive.

    Happy New Year. (Feel free to register that as a domain name, if you like. Oh shoot, never mind, it's taken. https://uniregistry.com/market/domain/happynewyear.com)

    Ehud

    • Anonymous Coward, 30 Dec 2016 @ 5:26pm

      Re: Freedom of expression - until you don't like it

      I assume you are being deliberately obtuse and ignoring the obvious security problems with allowing domains like this to be purchased by any random person. If I am wrong however, you deserve the life of ruined computers and hacked passwords that clicking on legitimate looking emails will give you.

      • Ehud Gavron (profile), 30 Dec 2016 @ 5:43pm

        Re: Re: Freedom of expression - until you don't like it

        First, you assume incorrectly. Second, there are no "security problems" in allowing people to register a domain. Finally, thanks for wishing me a life of misery for expressing the idea that anyone should be able to register any domain name or speak their minds or publish their words.

        I am a consultant on security, have an RFC on domain names, and don't wish ill on people who fight for free expression nor do so anonymously.

        happy new year.

        Ehud

        • Anonymous Coward, 30 Dec 2016 @ 8:54pm

          Re: Re: Re: Freedom of expression - until you don't like it

          So if someone went around and purchased very similar domain names to all of your business domains and then went on to spearphish your likely contacts and associates with those domains, you would still be perfectly fine with that happening?
          So if someone for instance registered networksocery-notice.com and started sending all likely contacts notices of a malware infection as in the above article with a ransomware link to respond or for more information, you would still be perfectly ok with the idea?

          • Ehud Gavron (profile), 30 Dec 2016 @ 9:26pm

            Re: Re: Re: Re: Freedom of expression - until you don't like it

            You're hilarious. My "likely contacts and associates" aren't stupid.

            I'm perfectly ok with people registering whatever domain names they like. This is still a country where we value freedom of expression. The ends do not justify the means, and we do not support censorship.

            Now go troll elsewhere. I'm off to enjoy the NY weekend. I don't have time to answer rhetorical questions posted by people too cowardly to sign their name, too cowardly to allow speech they don't like, and I'm sure the next "analogy" will have something worse than confused business associates, like, say the poor children we should be thinking of.

            Hide under your bridge; happy new year. Be literate.

            E

          • Anonymous Coward, 31 Dec 2016 @ 6:07am

            Re: Re: Re: Re: Freedom of expression - until you don't like it

            So - what if the sky started falling and .. and .. and

      • orbitalinsertion (profile), 31 Dec 2016 @ 12:41am

        Re: Re: Freedom of expression - until you don't like it

        Like if ICANN-MONITOR.ORG were, say, some group against the USG officially cutting ties with ICANN or some watchdog group?

        All sorts of names may be registered and there is nothing to stop that. Even domain squatting. You can try to go through ICANN or sue over trademark or just try to buy the domain from the holder. But there isn't something that is going to stop one from registering almost any sort of name, whether used for nefarious purposes or not.

  • Anonymous Coward, 30 Dec 2016 @ 4:39pm

    Why Would Someone Do This?

    It's easier and (surprisingly) legal to tell a registrant their domain is due for renewal, ask for a check and an EPP code, then transfer the domain to your totally legit company.

    Don't tarnish the good reputation of Ransomware by emulating run-of-the-mill shell registrar extortion.

  • kenichi tanaka (profile), 30 Dec 2016 @ 7:20pm

    Who would be dumb enough to fall for these scams? My webhost provider sends me email messages via a support ticket when my domain renewal is up. Neither ICANN nor ENOM ever sends me any messages regarding my domain. I've had to contact ENOM because my previous webhost refused to unlock my domain name so I could transfer and that's the only contact I've had with ENOM.

    • Nick (profile), 31 Dec 2016 @ 4:51am

      Who falls for this?

      If there's one thing I've learned as the official "internet guy" in my extended family, is that a LOT of people are using many many internet features that they do not really understand. Old people in particular are very trusting when it comes to scary-looking emails and website popups.

      Not-so-old people are not that much better. I've been called by my own mother, who gets a lot of spill-over techy knowledge from when I speak to my father, still almost fell for that "Microsoft Bob" voice that hijacks your browser and pretends to be a BSOD.

      Not to mention the oodles and oodles of emails like this I get for video game services. Blizzard game services seem to get targeted the most, and I like keeping a copy of some of them (wish I kept more) so I can go back and laugh. But I know that even some close friends of mine will fall for it.

      Now, imagine any of the above people that were "suggested" by me to buy their own domain name for private use. They don't host a website, simply use the domain for email purposes. And they get one of these scary emails. Most people vulnerable to the scam would use Windows and Microsoft office products. They'll certainly find "simple, easy steps" an easy thing to do, I won't bother my hard working son/grandson/husband with a quick call - oh crap - now I'm either out lots of data or hundreds of bucks.

      • nasch (profile), 31 Dec 2016 @ 9:35am

        Re: Who falls for this?

        > Blizzard game services seem to get targeted the most, and I like keeping a copy of some of them (wish I kept more) so I can go back and laugh.

        Oh, do share - we could all use a laugh.

  • Anonymous Coward, 31 Dec 2016 @ 3:07am

    I would comment something substantial but I'm not wearing my geek glasses and I don't have my calculator on me like all you fucking nerds. Oh, and I'm not a virgin. Faggots

  • Anonymous Coward, 31 Dec 2016 @ 3:59am

    Why should either entity act? TechDirt has had stories in the past about domain registrars booting off domains because some random entity had a tantrum. You praise some registrars for requiring a court order to deregister domains, but you expect eNom to deregister this domain because some random people are complaining?

    And why should ICANN act? Is it going to give itself some special privileges to boot off any domain that uses the name "icann"? Then what? Other entities start demanding their own special privileges too?

    Frankly, the only thing that is remotely noteworthy on this is that the domain is impersonating ICANN. There are thousands of other spoofed entities and fake domains for phishing, but they don't get special treatment or mentions.

  • ICANNotbelieveit'snotbutter, 31 Dec 2016 @ 6:55pm

    Alice: Well, I can't believe the stuff that is not I Can't Believe It's Not Butter is not I Can't Believe It's Not Butter. And I can't believe that both I Can't Believe It's Not Butter and the stuff that I can't believe is not I Can't Believe It's Not Butter are both, in fact, not butter. And I believe... they both might be butter... in a cunning disguise. And, in fact, there's a lot more butter around than we all thought there was.

  • Ninja (profile), 2 Jan 2017 @ 6:36am

    Even if the fake icann site still lives, why wait for ICANN or eNom to take action? Why don't the authorities simply track the thing and nab the criminals behind it?

    I do hope it's already happening in silence.
