by Shawn Anderson – Security Researcher
Have you ever driven down the road with a police vehicle right behind you? Do your nerves heighten and your stomach drop? This happens to a lot of people, and when the flashing lights turn on there is one thing to do. Pull over, right? The pure adrenaline rush from thinking, “What did I do wrong?” masks the paranoia of whether or not the person is really a police officer.
What would happen if you received an email from the police department stating that you were in violation of the law? Would your stomach drop and your nerves kick in as though the police vehicle just turned on its lights behind you? Would you stop to think whether the email is legit or not? Unfortunately, impersonating the police can be very effective for spammers who are trying to persuade recipients to click on a link or open an attachment. Forcing the recipients to consider their possible guilt can distract them from questioning the legitimacy of the email itself.
At Barracuda Networks, we are witnessing a large spam outbreak with malicious attachments that impersonates (spoofs) the New York State police. The email states that the recipient was in violation of the law, and contains a description of the traffic violation. It also claims to contain the actual ticket as an attachment, with instructions to open it, print it and send it to the ‘Town Court’ in some small town somewhere in New York state.
The attachment is actually malware, a variant of Trojan.Downloader. If run, it downloads Trojan.Fakealert which further compromises the computer.
Emails like these teach a very important lesson. Many malicious spam messages go to great lengths to appear to be sent from some official government agency or other large organization. Unfortunately the contents of email messages are very easy to fake. The sad truth is that you should never assume that an email message is legitimate. Instead, if an email raises concerns you should verify the contents by phone or postal mail, and never run emailed attachments like the one in the message above.
Tips for configuring your spam firewall to block this attack:
Currently, the malicious spam is spoofing the “From” address domain of “nyc.gov”. Since “nyc.gov” publishes a hard-fail SPF record as a DNS TXT record, most conventional filters will block these spoofed messages. Enabling SPF checking on your spam filter will help block these spoofed emails.
It is common, however, for these types of malicious outbreaks to rotate their sender domains, and it is likely that they’ll spoof other state domains. SPF records are not always published, or not published correctly, for domains that are commonly spoofed, so relying solely on the SPF filter is not recommended. Other content scanning techniques are required to block these attacks as they rotate sender domains. Customers using the Barracuda Spam & Virus Firewall should make sure their Energize Updates are current and that they are on the latest version to help block these types of malicious emails.
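As an added example (not code from the original post or from Barracuda's product), here is a simplified SPF check in Python that shows why a hard-fail record lets a filter reject a spoofed sender while a soft-fail or missing record does not. The records dictionary is a constructed stand-in for DNS TXT lookups (the nyc.gov entry is made up, not the real record), and only the ip4, ip6 and all mechanisms are handled; include, a and mx would need live DNS.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these are NOT the real records.
SPF_RECORDS = {
    "nyc.gov": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",  # hard fail
    "example-state.gov": "v=spf1 ip4:198.51.100.0/24 ~all",      # soft fail
    # "other-state.gov" publishes no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, records=SPF_RECORDS):
    """Evaluate a simplified SPF record (ip4/ip6/all mechanisms only).

    Returns pass, fail, softfail, neutral, none or permerror. SPF is checked
    against the envelope MAIL FROM (or HELO) domain, not the visible From:
    header; DMARC is what ties the From: header to an authenticated domain.
    """
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # include/a/mx/exists need DNS resolution and are ignored here
    return "neutral"


def should_block(sender_ip, domain):
    """Reject only on hard fail; anything weaker still needs content scanning."""
    return check_spf(sender_ip, domain) == "fail"


if __name__ == "__main__":
    for dom in ("nyc.gov", "example-state.gov", "other-state.gov"):
        verdict = check_spf("203.0.113.7", dom)  # constructed spammer IP
        print(dom, verdict, "block" if should_block("203.0.113.7", dom) else "needs content scan")
```

Run against the constructed records, only the nyc.gov spoof is rejected outright; the soft-fail and no-record domains fall through to "needs content scan", which is the situation the last paragraph describes when senders rotate domains.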