Malware Purveyor Serving Up Ransomware Via Bogus ICANN Blacklist Removal Emails
from the for-best-results,-enable-macros dept
Fun stuff ahead for some website owners, thanks to a breakdown in the registration process. A Swiss security researcher (abuse.ch) has spotted bogus ICANN blacklist-removal emails being sent to domain owners, carrying a Word document that acts as the dropper: enable its macros and it pulls down the Cerber ransomware.
Fake @ICANN Domain Abuse Notices being spammed out to domain owners, distributing malware (Dridex?) - icann-monitor[dot]org pic.twitter.com/G0F4dzc1xP
— abuse.ch (@abuse_ch) December 29, 2016
These fake @ICANN abuse notices distribute Cerber Ransomware (hXXp://csenet.org/view/file5.exe) calling out to ffoqr3ug7m726zou.1nuljt\.top
— abuse.ch (@abuse_ch) December 29, 2016
The email appears to originate from somewhere legitimate, as the researcher's screenshot shows.
But the quasi-legit domain (icann-monitor.org) was registered through eNom only the day before the spam run began, as the WHOIS record shows, and eNom apparently had no problem with some internet rando snagging a domain name closely associated with the international group that governs domain names. The registrant's contact details are masked behind a WhoisGuard privacy proxy, so the record says nothing about who is actually behind it.
Domain Name: ICANN-MONITOR.ORG
Domain ID: D402200000001096932-LROR
WHOIS Server:
Referral URL: http://www.enom.com
Updated Date: 2016-12-29T15:25:14Z
Creation Date: 2016-12-28T20:19:57Z
Registry Expiry Date: 2017-12-28T20:19:57Z
Sponsoring Registrar: eNom, Inc.
Sponsoring Registrar IANA ID: 48
[...]
Tech Email: legal@whoisguard.com
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
Ironically, the emails containing this malware inform recipients that their domain is "being used for spamming and spreading malware." The spam email invites site owners to download a malware-laced "report" for further instructions on how to remove their site from the blacklist, warning them they have only 24 hours to respond (that is, to infect themselves with ransomware).
The researcher is now "counting the hours (days?)" until either eNom or ICANN act in response to this spoofing/ransomware attack. Don't hold your breath. ICANN has yet to say anything publicly about this and, as of this writing, eNom has yet to deactivate the account. For now, the fake ICANN still lives and breathes and poses a threat to recipients of this official-looking email.
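The indicators the article leans on (a lookalike domain that merely contains "icann", a registration date one day before the mailing, a downloadable "report", a 24-hour deadline) are exactly what a mail-triage script can check before a recipient ever opens the attachment. The following is an added example and is not code from Techdirt or abuse.ch. The WHOIS text is built from the fields the article quotes; the lure message, the list of real ICANN domains, the risky file extensions and the 30-day "newly registered" threshold are constructed assumptions for illustration.

```python
"""Triage checks for a fake-ICANN style lure (added example, not from the article)."""
import re
from datetime import datetime, timezone
from typing import Optional

# Assumption: the only domain the impersonated organisation really mails from.
LEGIT_BRAND_DOMAINS = {"icann": {"icann.org"}}

# Constructed WHOIS excerpt, copied from the fields quoted in the article.
WHOIS_RECORD = """Domain Name: ICANN-MONITOR.ORG
Creation Date: 2016-12-28T20:19:57Z
Registry Expiry Date: 2017-12-28T20:19:57Z
Sponsoring Registrar: eNom, Inc.
Tech Email: legal@whoisguard.com
Name Server: DNS1.REGISTRAR-SERVERS.COM
"""

# Constructed lure modelled on the article's description (not the real message).
LURE = {
    "from": "abuse@icann-monitor.org",
    "subject": "Domain Abuse Notice",
    "body": (
        "Your domain is being used for spamming and spreading malware. "
        "Download the report at http://icann-monitor.org/report.doc for instructions "
        "on how to remove your domain from the blacklist. You have 24 hours to respond."
    ),
    "received": "2016-12-29T16:00:00Z",
}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/\S*)?", re.IGNORECASE)
RISKY_EXT = (".exe", ".doc", ".docm", ".js", ".scr", ".zip")  # assumption: macro/executable carriers


def parse_utc(stamp: str) -> datetime:
    """Parse the ISO-8601 Zulu timestamps used by WHOIS and by the sample message."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def whois_field(record: str, name: str) -> Optional[str]:
    """Return the value of a 'Name: value' line, or None if absent/empty."""
    m = re.search(rf"^{re.escape(name)}:\s*(.+?)\s*$", record, re.MULTILINE)
    return m.group(1) if m else None


def domain_age_hours(record: str, seen_at: datetime) -> Optional[float]:
    """Hours between the WHOIS creation date and the moment the message was seen."""
    created = whois_field(record, "Creation Date")
    if not created:
        return None
    return (seen_at - parse_utc(created)).total_seconds() / 3600


def registrable_domain(host: str) -> str:
    # Naive: last two labels. Fine for .org/.com/.top; real tooling uses the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_lookalike(host: str) -> Optional[str]:
    """Brand name if the host mentions a protected brand but is not one of its real domains."""
    reg = registrable_domain(host)
    for brand, real in LEGIT_BRAND_DOMAINS.items():
        if brand in reg and reg not in real:
            return brand
    return None


def triage(msg: dict, whois_text: Optional[str], new_domain_days: int = 30) -> dict:
    """Collect indicators; two or more independent hits marks the message suspicious."""
    findings = []
    seen_at = parse_utc(msg["received"])
    sender_host = msg["from"].rsplit("@", 1)[-1]

    brand = brand_lookalike(sender_host)
    if brand:
        findings.append(f"sender domain {sender_host} imitates {brand} but is not one of its real domains")

    if whois_text:
        age = domain_age_hours(whois_text, seen_at)
        if age is not None and age <= new_domain_days * 24:
            findings.append(f"sender domain registered only {age:.0f} hour(s) before the message")

    for host, path in URL_RE.findall(msg["body"]):
        if brand_lookalike(host):
            findings.append(f"link host {host} is a brand lookalike")
        if path and path.lower().endswith(RISKY_EXT):
            findings.append(f"link {host}{path} serves an executable or macro-capable file")

    if re.search(r"\b\d+\s+hours?\b", msg["body"], re.IGNORECASE):
        findings.append("body imposes a deadline (urgency pressure)")

    return {"suspicious": len(findings) >= 2, "findings": findings}


if __name__ == "__main__":
    for line in triage(LURE, WHOIS_RECORD)["findings"]:
        print("-", line)
```

The brand check is deliberately crude: it flags any registrable domain that contains "icann" without being icann.org, which is what the article's complaint against eNom amounts to. In production the registrable-domain split should use the Public Suffix List, and the WHOIS lookup would be live (RDAP) rather than a pasted record.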
Filed Under: blacklist, malware, ransomware
Companies: icann
Reader Comments
MSFT Word?
How anyone at a top tier can use a MSFT product/OS/system is still a little mind boggling. The internet runs on Linux, they would do well to emulate that.
[ link to this | view in chronology ]
MSFT Word?
Linux is a kernel, not an operating system.
Linux kernel based operating systems are not ready for production with the plethora of shortcomings like no real memory manager (it uses a pretend memory manager that doles out memory like congress does money), shitty filesystems that suffer from bit-rot just like Windows NTFS as well as the never-ending problem with them going read-only in the middle of operations. Add in problems with OoM-Kill causing them to hang entirely and systemd offering all kinds of hooks for malware to attach and you've got a mish-mash hodge-podge of garbage that isn't any better than anything Microsoft offers.
Now, if you'd said, Solaris, HPUX, AIX, I wouldn't have argued. Let's face it, Linux kernel based operating systems are just toys at the current time.
[ link to this | view in chronology ]
Re: MSFT Word?
Sorry but the Internet runs on GNU/Linux not UNIX™. Very few people use UNIX and those include AT&T in their old DMS switching systems and some government operations. Everyone else uses some open-source variant based on either BSD Unix or Linux.
> Linux is a kernel, not an operating system.
Most people who say "I use Linux" refer to the modern-day meaning which is the "GNU/Linux ecosystem." If you want to be a stickler and insist that Linux only refers to the kernel you might want to start capitalizing "Internet" since lower-case Internet means some random internetwork.
> Linux kernel based operating systems are not ready for production...
This, and the rest of your rant is factually wrong, technically incorrect, demonstrates a lack of understanding of how operating systems work, conflates file systems with operating systems, and in general represents a decent view of the state of the art of Linux in 1991.
> Now, if you'd said, Solaris, HPUX, AIX, I wouldn't have argued.
Yes, you're definitely stuck in 1991. Thanks for informing the world that if everyone said the thing you think you wouldn't argue. Fortunately the world is not here to hear you argue nor prevent your arguments.
Argue away. You're still wrong and 15 years behind the times*.
Happy New Year.
Ehud
* In 2017 you'll be 16 years behind the times. Start counting down till midnight tomorrow.
[ link to this | view in chronology ]
Re: MSFT Word?
IIRC, there is a website that reports the platform/os of websites it finds .. what was that site again ... hmmm if I could only go there and look
[ link to this | view in chronology ]
Re: MSFT Word?
Google doesn't agree.
https://en.wikipedia.org/wiki/Google_Data_Centers#Production_hardware
"Linux is also the leading operating system on servers and other big iron systems such as mainframe computers and on 99.6% (including top 385) of the fastest (TOP500) supercomputers"
https://en.wikipedia.org/wiki/Linux
Sounds like Ehud is right, you haven't updated your information about Linux in a long time.
[ link to this | view in chronology ]
Re: MSFT Word?
It has been solved already ages ago:
http://www.hpl.hp.com/techreports/2004/HPL-2004-221.html
Too bad it didn't get sold, HP labs then offered it for free to Microsoft to include it in the next version of Windows. But apparently that never happened.
We have a new chance: genode.org
[ link to this | view in chronology ]
Freedom of expression - until you don't like it
Yes, that's exactly how the freedom to express oneself by registering a domain name works. Can you just imagine the horror if registrars refused to register names that "appear" to be "associated" with other entities.
It would make registrars worse than the USPTO.
I'm surprised, Tim, that you would say this, implying therein that censorship of domain name selection is a goal to which registrars should strive.
Happy New Year. (Feel free to register that as a domain name, if you like. Oh shoot, never mind, it's taken. https://uniregistry.com/market/domain/happynewyear.com)
Ehud
[ link to this | view in chronology ]
Re: Re: Freedom of expression - until you don't like it
I am a consultant on security, have an RFC on domain names, and don't wish ill on people who fight for free expression nor do so anonymously.
happy new year.
Ehud
[ link to this | view in chronology ]
Re: Re: Re: Freedom of expression - until you don't like it
So if someone for instance registered networksocery-notice.com and started sending all likely contacts notices of a malware infection as in the above article with a ransomware link to respond or for more information, you would still be perfectly ok with the idea?
[ link to this | view in chronology ]
Re: Re: Re: Re: Freedom of expression - until you don't like it
I'm perfectly ok with people registering whatever domain names they like. This is still a country where we value freedom of expression. The ends do not justify the means, and we do not support censorship.
Now go troll elsewhere. I'm off to enjoy the NY weekend. I don't have time to answer rhetorical questions posted by people too cowardly to sign their name, too cowardly to allow speech they don't like, and I'm sure the next "analogy" will have something worse than confused business associates, like, say the poor children we should be thinking of.
Hide under your bridge; happy new year. Be literate.
E
[ link to this | view in chronology ]
Re: Re: Freedom of expression - until you don't like it
All sorts of names may be registered and there is nothing to stop that. Even domain squatting. You can try to go through ICANN or sue over trademark or just try to buy the domain from the holder. But there isn't something that is going to stop one from registering almost any sort of name, whether used for nefarious purposes or not.
[ link to this | view in chronology ]
Why Would Someone Do This?
Don't tarnish the good reputation of Ransomware by emulating run-of-the-mill shell registrar extortion.
[ link to this | view in chronology ]
Who falls for this?
Not-so-old people are not that much better. I've been called by my own mother, who gets a lot of spill-over techy knowledge from when I speak to my father, and who still almost fell for that "Microsoft Bob" voice that hijacks your browser and pretends to be a BSOD.
Not to mention the oodles and oodles of emails like this I get for video game services. Blizzard game services seem to get targeted the most, and I like keeping a copy of some of them (wish I kept more) so I can go back and laugh. But I know that even some close friends of mine will fall for it.
Now, imagine any of the above people that were "suggested" by me to buy their own domain name for private use. They don't host a website, simply use the domain for email purposes. And they get one of these scary emails. Most people vulnerable to the scam would use Windows and Microsoft office products. They'll certainly find "simple, easy steps" an easy thing to do, I won't bother my hard working son/grandson/husband with a quick call - oh crap - now I'm either out lots of data or hundreds of bucks.
[ link to this | view in chronology ]
Re: Who falls for this?
Oh, do share - we could all use a laugh.
[ link to this | view in chronology ]
And why should ICANN act? Is it going to give itself some special privileges to boot off any domain that uses the name "icann"? Then what? Other entities start demanding their own special privileges too?
Frankly, the only thing that is remotely noteworthy on this is that the domain is impersonating ICANN. There are thousands of other spoofed entities and fake domains for phishing, but they don't get special treatment or mentions.
[ link to this | view in chronology ]
I do hope it's already happening in silence.
[ link to this | view in chronology ]