Sponsored by..

Tuesday, 18 December 2007

Highly targeted phish - frauddept@ustreas.gov

This is a highly targeted phish aimed at senior management in a company. The manager (typically a principle officer or other named contact) is named in full, along with the full name of the target company. Attached is a file called complaint.zip with a trojan.

In this case, the email comes from frauddept@ustreas.gov but it could potentially come from any government agency. The bottom line.. exercise caution with unsolicited email attachments.

Dear [Real Name],

A complaint has been filled against the company you are affiliated to [Company Name] in regards to the possibillity of tax avoidance and money laundering schemes.

The complaint was filled by Mr. Benjamin Kent on 12/10/2007 and contains refferences that link your company and another 4 companies in an attemt to gain illegal proffit.

Registration : [Reference] Date: 12/10/2007

A copy of the initial complaint and claims has been attached to this e-mail.Please print and keep this copy for your personal records.

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them:

Claims based on product liability;

Claims for personal injuries;

Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the US Department of Treasury.

The Department of Treasury offers a binding arbitration service for

disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.


Jeremy said...

How do the senders of the phish know the names of the company and the people they're sending it to?

Conrad Longmore said...

The best bet is that they find a bunch a companies, go to their websites or perhaps some a regulatory agency and then look for contact names. There's some actual hard work here, rather than it being automatically scraped. Presumably, the success rate of the approach is good enough to merit it.