22
May 19

Legal Threats Make Powerful Phishing Lures

Some of the most convincing email phishing and malware attacks come disguised as nastygrams from a law firm. Such scams typically notify the recipient that he/she is being sued, and instruct them to review the attached file and respond within a few days — or else. Here’s a look at a recent spam campaign that peppered more than 100,000 business email addresses with fake legal threats harboring malware.

On or around May 12, at least two antivirus firms began detecting booby-trapped Microsoft Word files that were sent along with some variation of the following message:

{Pullman & Assoc. | Wiseman & Assoc.| Steinburg & Assoc. | Swartz & Assoc. | Quartermain & Assoc.} <legal@wpslaw.com>

Hi,

The following {e-mail | mail} is to advise you that you are being charged by the city.

Our {legal team | legal council | legal departement} has prepared a document explaining the {litigation | legal dispute | legal contset}.

Please download and read the attached encrypted document carefully.

You have 7 days to reply to this e-mail or we will be forced to step forward with this action.

Note: The password for the document is 123456

The template above was part of a phishing kit being traded on the underground, and the user of this kit decides which of the options in brackets actually get used in the phishing message.

Yes, the spelling/grammar is poor and awkward (e.g., the salutation), but so is the overall antivirus detection rate of the attached malicious Word document. This phishing kit included five booby-trapped Microsoft Word documents to choose from, and none of those files are detected as malicious by more than three of the five dozen or so antivirus products that scanned the Word docs on May 22 — 10 days after they were spammed out.

According to both Fortinet and Sophos, the attached Word documents include a trojan that is typically used to drop additional malware on the victim’s computer. Previous detections of this trojan have been associated with ransomware, but the attackers in this case can use the trojan to install malware of their choice.

Also part of the phishing kit was a text document containing some 100,000 business email addresses — most of them ending in Canadian (.ca) domains — although there were also some targets at companies in the northeastern United States. If only a tiny fraction of the recipients of this scam were unwary enough to open the attachment, it would still be a nice payday for the phishers.

The law firm domain spoofed in this scam — wpslaw.com — now redirects to the Web site for RWC LLC, a legitimate firm based in Connecticut. A woman who answered the phone at RWC said someone had recently called to complain about a phishing scam, but beyond that the firm didn’t have any knowledge of the matter.

As phishing kits go, this one is pretty basic and not terribly customized or convincing. But I could see a kit that tried only slightly harder to get the grammar right and more formally address the recipient doing quite well: Legitimate-looking legal threats have a way of making some people act before they think.

Don’t be like those people. Never open attachments in emails you were not expecting. When in doubt, toss it out. If you’re worried it may be legitimate, research the purported sender(s) and reach out to them over the phone if need be. And resist the urge to respond to these spammers; doing so may only serve to encourage further “mailious” correspondence.

KrebsOnSecurity would like to thank Hold Security for a heads up on this phishing kit.

65 comments

  1. This is good. Unless I am mistaken, REAL legal “Service” must be done thru a processing Agent, registered Mail, or Court approved “Public” channel (newspaper).

    One can not be legally “served” via EMAIL.

    • Yes, but average Joe may not know that. That’s why it’s called social engineering.

    • I think you have to be served in person. I have been subpoenaed that way. I haven’t been sued. And as they say, IANAL.

      I would like to understand the nature those newspaper legal notices.

      • This is entirely dependent on the state. Many states allow legal service by certified mail. And I’m fairly certain all states and the federal system allow service by public notice (courthouse, newspaper, etc) as a last resort if you cannot locate someone by other means.

    • I didn’t see anything in the notice about the recipient being “served.” This is not a lot different than the legitimate notice I received yesterday by regular mail from Epiq Bankruptcy Solutions, LLC about the Ditech bankruptcy.

    • My 2 cents:

      I’m pretty sure you have to be served and email won’t work.

      They won’t start a legal notice with “Hi” and w/o a name.

      They don’t tell you what “charge” and what “city”

      You would normally have more than 7 days to respond.

      “Action” is not very threatening. I would think a legit firm would spell out how they intend to punish you.

    • Depends on the country you’re in. The country I’m in now will accept email, SMS and whatsapp as avenues through which to serve legal notices.

      • Wow. That sucks.

      • That is bad. Here in California you can be serve by an email but never by SMS or apps. You could however be serve via email ONLY if you request or granted an extension by the judge which basically mean it got to be your last resort to request email serve but the email must be sent from a certified process serving company.

    • > Unless I am mistaken, REAL legal “Service”

      If you think the contents of the letter were “service” you’re mistaken right there.

      Service of Process is the formal notification that a case has been filed before a court, administrative body, or arbitrator.

      That doesn’t mean that an email, phone call, or postal letter can’t carry legal weight.

      It may meet legal requirements on timelines to notify another party of challenge, or trigger evidence preservation rules that kick when litigation is threatened or reasonably foreseeable even if such case has not been filed.

      You’ll also find many jurisdictions that when physical service of process is thwarted, service by electronic means, especially social media that can be shown to be a currently active account and that the message bearing the notice was opened, is given greater weight than service by publication.

  2. I bet you’re right, Dean. Email doesn’t have the paper trails beloved by lawyers.

    Thanks for the heads-up, Brian.

  3. @Dean Marino

    Being the person who handles most legal requests for my company I can tell you that many firms (and the feds) will often reach out by phone or email first prior to sending official notice. This scenario scares me as it would not be completely out of left field to get an email from a firm or other legal entity with an attachment. Its especially scary as often times they don’t know who to send it to so it will end up with people more prone to fall for it before it makes it to my desk/inbox.

    • Agree Sean, what you describe is a potential real world happening – at least in many “users” minds. Everyone who ever uses a computer, communicates by email, surfs the web, does work on a computer should have at least the most rudimentary security awareness education. IN the example from Brian the wording was poor as he identified. We have seen well crafted emails with good grammar becoming common now, seriously scary.

      • The whole point of this phishing effort is to catch someone was not aware of the local legal processes. If you have not been involved in any court cases you may not be aware of how the process works. Yes there are many red flags to someone who knows what to look for but not everyone does.

        Phishing relies on 2 problems; 1 people will make mistakes, 2 people are not expert in all areas. I work on the assumption that I could be fooled by an email that looks legitimate and it only takes 1 time to be fooled to get a nasty.

    • Glad you mentioned telephones as we have been inundated with landline phone calls (voicemail – I never answer the phone anymore) from alleged legal firms threatening legal action should we not respond. Some have even stated they are representing ‘the authorities’ and that an unnamed law enforcement organization would take action if we don’t respond. These are not run of the mill debt collectors – some allege to be acting on behalf of a court. Wonder if the same miscreants are now hitting both email and phone.

  4. Not to go too far off topic, but my latest phishing mail has been about my email account is over its limit. Since I run my own email server, I know the message is nonsense. But the fun part is I have been getting these in English, Spanish, French, and Chinese. Google translate had no issue with any of these, so I suspect they have seen the message countless times. I assume they are looking for anything to use in credential stuffing.

  5. I would like to learn which AV software caught the malware. . .

    • That information is in the story.

      • No its not.

        “and none of those files are detected as malicious by more than three of the five dozen or so antivirus products that scanned the Word docs on May 22”

        The article mentions Fortinet and Sofos and that 3 of 5 dozen didnt catch the malicious documents, what are the other 2 dozen that did?

        • Perhaps I could have worded that more artfully, but the story says only 3 out of the 5 dozen AVs caught it (Fortinet and Sophos). I forget what the other one was right now but I’d never heard of it before.

          • I had the same confusion as Mr. Anon.

            The way you worded it, I parsed it as the companies’ analysis teams as opposed to their automated software.

            Also, “three of five dozen” can be ambiguously parsed, w/ the alternate parsing being “three dozen of five dozen”.

            Something like “Of the five dozen … only three applications (…,…,…) caught …” would have been easier for us to read.

  6. DelilahTheSober

    After some 20+ years of owning computers and even being a sysop back in the old BBS dial up days, I once clicked on a PDF file sent to me by some malicious person. The email basically stated “Your IP address has been compromised by a hacker” using big techie words that I understood. “Open this document to learn how to fix the problem.”

    I downloaded a virus that immediately wiped out my hard drive as soon as I opened the PDF document. Do you know how stupid I felt? I recall telling my husband that I deserved to have my license to own a computer revoked or suspended.

    • bah ha ha ha ha

      bah ha ha ha ha!!!

    • hey, sometimes it’s hard to learn a lesson unless you learn a lesson the hard way!

    • Back in ye olden days, a certain software company produced many popular games. Their beta releases often ended up being traded around and used in place of the final (paid) releases. The software company got fed up with this and created a payload in their subsequent game betas which would scan the hard drive for 2 or more of the previous games beta releases and, if found, trigger the payload. Since PCs in those days had full control over the hard drive, the payload caused the head to basically seek in as far as it could go then seek beyond the last track, causing the head to bang against the limiter. Over. And over. As fast as it could seek. Over. And over. If the computer user had functioning ears and could put two and two together, little damage was done since they flipped the power off after a couple seconds. If you were like a certain ex-coworker of mine with rudimentary computer skills, you would let it sit doing that. Overnight. And wake up to a failed hard drive. All your pirated software lost forever. Its been years and I still remember the look on his face.

  7. The Sunshine State ( One Eye Willie)

    I received this fun one today !

    ​I ​ma​de​ a​ v​id​eo​ s​ho​wi​ng​ b​ot​h ​yo​u ​(t​hr​ou​gh​ y​ou​r ​we​bc​am​) ​an​d ​th​e ​vi​de​o ​yo​u ​we​re​ w​at​ch​in​g ​(o​n ​th​e ​sc​re​en​) ​wh​il​e ​sa​ti​sf​yi​ng​ y​ou​rs​el​f. W​it​h ​on​e ​cl​ic​k,​ I​ c​an​ s​en​d ​th​is​ v​id​eo​ t​o ​al​l ​yo​ur​ c​on​ta​ct​s ​(e​ma​il​, ​so​ci​al​ n​et​wo​rk​, ​an​d ​me​ss​en​ge​rs​ y​ou​ u​se​).​

    ​Yo​u ​ca​n ​pr​ev​en​t ​me​ f​ro​m ​do​in​g ​th​is​.​To​ s​to​p ​me​, ​tr​an​sf​er​ $950​ t​o ​my​ b​it​co​in​ a​dd​re​ss​. ​If​ y​ou​ d​o ​no​t ​kn​ow​ h​ow​ t​o ​do​ t​hi​s,​ G​oo​gl​e ​- ​”B​uy​ B​it​co​in​”.​

    ​My​ b​it​co​in​ a​dd​re​ss​ (​BT​C ​Wa​ll​et​) ​is 15QRp7C5YNQuEuDxwsRDcnxcXxddZwotqt

    ​Af​te​r ​re​ce​iv​in​g ​th​e ​pa​ym​en​t,​ I​ w​il​l ​de​le​te​ t​he​ v​id​eo​,
    ​an​d ​yo​u ​wi​ll​ n​ev​er​ h​ea​r ​fr​om​ m​e ​ag​ai​n. Y​ou​ h​av​e ​48​ h​ou​rs​ t​o ​pa​y.​ S​in​ce​ I​ a​lr​ea​dy​ h​av​e ​ac​ce​ss​ t​o ​yo​ur​ s​ys​te​m
    I​ n​ow​ k​no​w ​th​at​ y​ou​ h​av​e ​re​ad​ t​hi​s ​em​ai​l,​ s​o ​yo​ur​ c​ou​nt​do​wn​ h​as​ b​eg​un​.

    • DelilahTheSober

      That is just horrible! I can’t help but consider that some people come from cultures/religious backgrounds and societies in which it’s considered disgraceful for a man to even think about playing with their own personal equipment. So there might be a great incentive for some individuals to actually pay this bogus ransomware because they were genuinely terrified of the potential consequences if they refused. Sad.

    • I got an email from a client one day to say that “if you get contacted by anyone showing a video of me, please destroy it as I got hacked and he has video of me doing stuff and I’m not paying this person a cent.” He apparently got one of these emails and fell for it LOL, but refused to pay (lucky!). So he basically admitted to everyone he sent this email to that he watches porn on his laptop LOL!!

      I had a nice chuckle.

    • Practicing spamtrapping is a great way to dispel any faith you might have had in any email scams.

      When you see the exact same email simultaneously in thousands of unrelated email addresses that have either never existed or haven’t existed for real in several years, you know it can’t be true. 😀

    • Last one of those I got had the text part in a jpg that was displayed in-line in the body of the email because spam filtering has started to catch them. Note that the jpg was attached to the email, it didn’t pull it from the internet.

      First time I got one I laughed and laughed because I don’t have a webcam and they made a huge deal about how they controlled the email account I received it on (that’s why the from: was my email address, see!) – if they controlled it, why didn’t they use that account’s server, why did they send it through an open relay in China?

      They have slowed a lot for me, for a while I was getting a couple a week but it was a couple months pause between this last one and the one before it. Poor scammers are resorting to penis pill email tactics, that’s got to hurt their uptick. Plus how many of the people who’ll fall for it can reliably enter that long bitcoin string without being able to copy & paste?

    • I’ve gotten a similar email multiple times to my work email address. If you look closely at the email, it honestly looks like an image that has been pasted into the email. I looked at the headers of the email once and it looked to be coming from Japan.

      It started out saying something about the password had been hacked to my email account. Yet, I know that’s not the case. It scared me for a second, but the more I got it the more I realized it was just a phishing scheme. I submitted the bitcoin addresses as suspicious and moved on.

  8. Nelson Ogbonda

    For Documents Downloads:
    I always advice clients to route their private email to G-Suite etc, it usually scans received documents for malware before you download it. this is similar to what gmail those.

    For Links Clicking:
    Use an up-to-date third-party anti-phishing scanner to scan the link before you visit it directly. This will greatly reduce your exposure to being infected if the link is embedded with a malware.

    • +1

      Great suggestions. Let automation do the screening.

    • Its a double edged sword.
      Google does great security (scanning for malicious attachments and flagging spam).

      But for privacy…. they use same ability/permission to scan you emails, to build a profile of users and sell that information to advertisers.
      The last straw for me was when I saw they built a payment history for me, when I don’t even use Google Wallet, Play Store, or any other Google payment method.
      They were scanning my gmail for receipt emails.
      I left at that point.

  9. The real problem is that attachments can contain malware. Expecting the average person to be aware of all the possible ways that someone can try to deceive them into opening a document is fruitless.

    One solution is for document readers to open documents as text only without opening images or videos or running any macros, and display huge warning signs about the danger of enabling any macros in the attached document.

    That would reduce the hit rate of malicious attachments significantly.

    • I agree with this completely.
      Yes, humans are the weakest link, and always will be.
      But we tend to focus too much on what we cannot fix… meanwhile, the real culprit is the software’s default (allow all) posture… because “convenience”.

      0.01% of users need macros, yet Microsoft Office has been the worst about just allow them.
      Adobe is horrible too.
      Why? Oh why? Is Javascript really needed in a pdf viewer?

      • PDFs support Forms and interactions.

        But really, the problem is that PDFs (and pretty much every other file format in the entire world) are complicated. Even if they didn’t support scripting, getting parsing right is hard.

        For scary, you should read the checkpoint team’s explanation of how they developed Faxsploit [1] — which is built around attacking JPG, which is definitely not supposed to be a thing that supports scripting.

        For perspective, PDF has to support embedded fonts (lots of attacks here, as fonts are incredibly complicated, and parsing them is error prone), images (each of which is a huge mess), compression (also fun for attacking), file metadata (because…), not to mention scripting and forms.

        The approach I prefer for PDFs at this point is to open them in a web browser (Chrome, Firefox, and Edge) [2]. The logic is that my web browser is using its JavaScript engine (the same thing it uses when I browse the rest of the web) to parse the PDFs. If the JS engine is exploitable, I can be attacked in normal browsing — so my attack surface isn’t really increased by using it to browse PDFs.

        [1] https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/
        [2] https://www.makeuseof.com/tag/edge-chrome-adobe-pdf-viewer/

        • Very good points. I have heard of the faxsploit before. Interesting stuff. Thanks for the citations too.

          I guess I prefer simpler code that didn’t need such a vast and complex language like Javascript. Luckily, I can turn off Javascript in Acrobat. You can (and should) do simple things with simple code like HTML5 which can do forms and 99.99% of what a PDF needs.

          Similar to how fonts and character sets make text complex and prone to abuse. It should be a simple matter of only supporting the languages and sets you need, and not go overboard with supporting these edge cases.
          Browsers are only now starting to get wise to punycode trickery in the URL bar… so disabling that support for the vast majority of users who don’t need things like umlauts in their URLs.

  10. Perhaps the antivirus can’t get past the password encryption? One has to enter the password to open it. The file can only be opened locally in MS Word. So sending the encrypted file to VirusTotal would result in failure to see the infection. Only a resident AV would be able to catch the evil macro within the few seconds before the victim clicked on it.

    None of the AVs on VT see any malware from the URL in a scam/spam email received today. The “password” appears to be part of the URL.
    https://www.virustotal.com/#/url/b1b0f14e9e57328c222a5af681d3d9036c8b5d07cc8067fe733c1a9848cb0856/detection

    WARNING: DOWNLOAD AT YOUR OWN RISK
    Viewing the urlscan.io link below is safe, but purposely following the scanned link will present you with the choice of “View File” which would presumably download the file to your local drive.
    Caveat Emptor at that point.

    Here is an safe image of such a file staged on OneDrive received today:

    https://urlscan.io/result/249a9b66-82f2-45f6-9488-12d1aa2c6078/compare

    • “Only a resident AV would be able to catch the evil macro within the few seconds before the victim clicked on it.”

      Perhaps. Yet, another aspect of the detection could be of the sending IP address. Ransomware is often blocked by sending IP address.

      Brian, “…five booby-trapped Microsoft Word documents to choose from, and none of those files are detected as malicious by more than three of the five dozen or so antivirus products that scanned the Word docs on May 22 — 10 days after they were spammed out.”

      The sending IP addresses may (likely) be detected as spam, phishing, other maliciousness, etc. The two mentioned antiviruses that detected the attachment as being trojanized, Fortinet and Sophos (and others), provide rather good service at detecting malicious sending IP addresses too.

      • Sending IP? Not really a good indicator considering the use of popular web mail services.
        It all comes from Gmail or Yahoo anyway.

        • Any spam, etc, is sent from an IP (or IPs) and may be potentially flagged or blocked by IP block lists. Some IP block lists have different makeups as to what they are meant to block besides only spam or phishing.

          As no IPs of the phishing emails were mentioned in the article page, I didn’t run IP blocklist lookups. Wouldn’t surprise me if the two AVs mentioned in the article, Fortinet and Sophos, also have the IPs of the phising block-listed–two of the better IP block lists incorporated into their products.

          • According to the article, the detection was on the attached Word documents. These would not have the IP address of the sender. The email headers would have the IP address of the sender and quite possibly many others depending on how the message was routed and how many spoofed receive lines were added to the headers.

            Only amateurs would be stopped by IP address blocking. The pro spammers and phishers have many ways of seemingly coming from different IP addresses. It’s like burner phones to them. By the time you block the IP they used, somebody else legitimate has it and may or may not be impacted by the block.

            • Right, may try to come around from other IP addresses. As a somewhat similar comparison my experience over a year timeframe with the Fortinet and Sophos IP block lists is that many professional (ROKSO–known professional spam operations) pharma (etc) spammers, the same spam operation coming from IPs all over the world (of course), are very often detected. Without the routing IPs being provided in the article or comments, it is speculative on my part how well the IP blocking method would work against this phishing campaign.

    • Some AV engines do actually try some passwords to decrypt files. “malware”, “infected”, “password”, etc.
      “123456” may be on the list for some AV vendors.

      AV engines that scan emails as they come in, can also try plaintext words found in the body of the message, on any encrypted attachment.

      But yeah, just submitting to VT isn’t going to do it justice.

      I think there are tools by didier stevens that would also use the email body to try and crack the password, then show you the macros and embedded content of attachments, all without actually opening the document.

  11. Besides bad grammar, including the password in the Email is a dead give away.

  12. When in doubt, throw it out.

    I love that, can I steal for new company guidelines on phishing?

  13. Does the Word payload rely on macros being enabled?

    • Probably…

      But Microsoft’s warnings about “edit mode” and “macros” is still pretty weak. So regular users aren’t that afraid and many still enable it.

      • To even print the document,” Edit mode” must be enabled, which runs embedded macros without warning or notification.

        This is phishing largely the fault of Microsoft for not sandboxing macros and warning the user, with huge banners, that a macro is embedded in the document, which is extremely unusual for most users. Word should allow the user “Edit mode” functionality without running the macro.

    • I wouldn’t rely on that. Half the time the exploit is against Word itself.

  14. Are there any instances were the virus payload would launch just by viewing the email? For instance, if the preview pane is enabled. I was just curious about this or if the user has to actually click the attachment. Also, what about if I download the email attachment to send up to VirusTotal.com? Will downloading execute the file?

    • It will always depend on too many variables.

      In this case, if there’s really a password required, just selecting the file won’t do much harm. But the next attack could be against something else.

  15. Red Flags:
    1. “Hi” – What legitimate legal firm would address you with Hi?
    2. “the city” – What city? Of course they are spamming multiple cities.
    3. “Please download…”
    4. “You have 7 days to reply”
    5. It’s Email!!

    Unfortunately some will always be tempted and you know what curiosity did to the cat.

    Always good to have both automated filters and human intelligence filters.

  16. Another red flag:

    A Word document attached. (A real legal document would probably be sent as a secured PDF.)

    • Eh, but it’s “encrypted”, so you know, super safe- amirite?

      This sort of lingo (“encrypted”, “secure”, etc) has been creeping into phishing emails slowly.

      They know people don’t understand what those words mean at anything but a superficial level- just that they’re generally good things.

      Personally I encourage people to look more for the con itself. In this case the objective is panic (which leads in turn to lack of caution), and the threat of imminent legal action is a fairly reliable panic button for most people.

      Western Union last I knew had a whole department dedicated to talking people down from that sort of panic. It should be your first red flag that something isn’t right.

  17. Would this be why I myself (UK) keeps getting calls/voicemails from a supposed US Federal/HMRC agent telling me Im being investigate for fraud? Seems to be a massive rise in these types of targeted attacks recently.

  18. This article doesn’t accurately reflect what title insurance and escrow companies do. For example, until recently there’s no reason they would have SSNs, but FIRPTA changed that. And the only bank account numbers they would likely have would be whatever accounts are used to fund the purchase.

    And not, title insurance is not only required if you don’t have a mortgage. It is only required if you do have a mortgage–title insurance to protect the mortgagee. But owners should typically get title insurance too, but if all that is obtained from a title insurance company is title insurance, and not escrow services, then all the title company may know about the buyer and seller is their names.

  19. Another great warning for all of us.
    Like the “Social Security” office calling to say ‘your number has been suspended’. Too many crooks out there.
    Thanks Brian.