Wednesday, 29 January 2014

"Urgent eviction notification No2621" spam

This particularly cruel spam is a variation of the Court Notice spam that has been around for a few weeks. Thankfully it is very poorly worded, which should alert at least some potential victims that it is a fake.

Date:      Tue, 28 Jan 2014 17:40:16 -0400 [16:40:16 EST]
From:      Eviction Notification [support.7@riduscourt.com]
Subject:      Urgent eviction notification No2621

 Eviction Notification,
   Please be advised that you are obliged to
   vacate the living space you occupy until March 28, 2014, 11 a.m.
   If you do not vacate it in the specified terms,
   the court will have to assign the forcible eviction for April 26,
   2014, 11 a.m.
   If nobody is home we will not be responsible for safe keeping of your
   belongings.
   Besides, if you fail to comply with the requirements of the court
   bailiff
   you will be fined for up to 200 minimum wage amounts
   with a subsequent doubling of the penalty amount
   and can be made criminally or administratively liable.
   The details of the circumstances that caused the judicial decision
   of eviction are attached herewith.
   Court bailiff,
   GOODWIN Bass

Attached is an archive file Copy_Of_The_Court_Statement_N1801.zip which in turn contains a malicious file Copy_of_the_court_statement_us_28_01_2014.exe.

For some reason the ZIP file that I have is corrupt and will not open, but I suspect that other versions may be valid. If anyone has a reliable analysis of this file it might be worth leaving a note in the Comments... thanks!

Update (30/1/14): here is a second version doing the rounds:

Date:      Wed, 29 Jan 2014 18:11:43 -0500 [01/29/14 18:11:43 EST]
From:      Notice To Quit [service_notice@mnduscourt.com]
Subject:      Notice to quit No5759

 Notice to quit,
   Hereby you are informed you have to quit the premises you hold until
   March, 21, 2014.
   If you stay in the currently occupied premises for a longer period of
   time,
   you will be assigned by court for forced eviction scheduled for April
   5, 2014.
   If court executives do not find you at home on the specified date,
   the court will disclaim any responsibility for safe keeping
   of your property left in the premises.
   Whether you fail to fulfill the requirements of the court
   you might be held liable to a fine equal to 100 minimum wage amounts.
   Attention.
   The adjudication details can be found attached to this notice.
   Bailiff of the court,
   RUSSELL ORTIZ 

In this case there is a ZIP file Details_For_Arrears_Document_29-01-2014_Copy_N5146.zip which contains a malicious executable Details_For_Arrears_Document_29-01-2014.exe, which has an icon that makes it look like a Word document. The VirusTotal detection for this is 17/49. ThreatExpert reports a connection to 77.72.26.97 (Tesene SRL, Italy).

Update (31/1/14): Another couple of variations with a slightly different payload:

Date:      Fri, 31 Jan 2014 00:30:51 -0400 [01/30/14 23:30:51 EST]
From:      Eviction Notice [support.5@perkinscoie.com]
Subject:      Eviction notification No8423

 Eviction notice,

   Hereby you are notified that you have to move to another
   location from the currently occupied premises within
   the next three weeks.

   Please find the lawsuit details attached to this letter.

   If you do not move within this period of time,
   we will have no other alternative than to have you
   physically removed from the property per order of the Judge.

   If we can be of any assistance to you during your relocation,
   please feel free to contact us any time.

   Court representative,
   Emma Mason

---

Date:      Thu, 30 Jan 2014 14:23:27 -0500 [01/30/14 14:23:27 EST]
From:      Eviction Notice [support.7@perkinscoie.com]
Subject:      Notice to quit No8116

 Eviction notice,
   Hereby you are notified that you have to move to another
   location from the currently occupied premises within
   the next three weeks.
   Please find the lawsuit details attached to this letter.
   If you do not move within this period of time,
   we will have no other alternative than to have you
   physically removed from the property per order of the Judge.
   If we can be of any assistance to you during your relocation,
   please feel free to contact us any time.
   Court representative,
   Mary Tailor

The attachments on these two samples were Lawsuit_Details _Attache_ID88-175.zip and Lawsuit_Details _Attache_ID91-380.zip, in turn containing a malicious executable Lawsuit_Details _Court_Representative.exe which has a VirusTotal detection rate of 16/50. The ThreatExpert analysis shows an outbound connection to 41.86.112.12 (Mweb Connect, South Africa), although other analysis tools don't spot this [1] [2] [3].

Update (4/2/14): the spam run is ongoing with a couple of new ones spotted.

Date:      Mon, 03 Feb 2014 22:57:06 -0400 [02/03/14 21:57:06 EST]
From:      Eviction Notification [notice_support.7@littler.com]
Subject:      Evition notice No3998

 Eviction notification,
   You are hereby given notice that you are in breach
   of your tenancy of the premises you currently occupy.
   To remedy the breach you have to quit
   the premises within the following four weeks.
   If you fail to comply you will be physically removed
   and fined for up to 100 minimum monthly wages.
   Detailed information is attached herewith.
   Court secretary,
   RUSSO Anthony

-----------------------

Date:      Tue, 04 Feb 2014 10:29:55 -0500 [10:29:55 EST]
From:      Notice to quit [notice_service@kirkland.com]
Subject:      Notice to exit the premises No8527

 Notice to quit,
   We regret to inform you that in the period until 04/02/14
   you will have to relocate from the currently occupied premises.
   If the property is not timely vacated we will have to apply sanctions
   against you.
   Case details are attached to the present notice.
   Court secretary,
   JENSEN TATE

Two sample attachment names are Lawsuit_Details _Copy_ID131-06.zip and Lawsuit_Details _Copy_SN_98-273.zip, only one of which seems to be unzippable, yielding Lawsuit_Details _Court Secretary_02-03-2014.exe, which has a VirusTotal detection rate of 28/51. Most automated analysis tools are pretty inconclusive about what it does [1] [2] [3], but ThreatExpert reports an attempted connection to a server at 77.72.26.97 (Tesene, Italy) which has been used before in this attack.
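An added example (not code from the original post): a mail-gateway style check for the pattern seen in every variant above, a ZIP attachment carrying a Windows executable. It also flags an archive that will not open, as with the corrupt samples, instead of passing it as safe. The messages are constructed with harmless payload bytes and a placeholder sender; the attachment names are those of the first sample.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly (a deliberately short list for this example).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")

def triage_zip(name, data):
    """Return a verdict for one ZIP attachment without extracting anything to disk."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        # An archive that cannot be read cannot be inspected: quarantine, do not pass.
        return {"attachment": name, "verdict": "unreadable-archive", "members": []}
    # Windows ignores trailing dots and spaces in file names, so strip them first.
    hits = [m for m in members if m.lower().rstrip(". ").endswith(EXECUTABLE_EXTS)]
    verdict = "executable-in-archive" if hits else "clean"
    return {"attachment": name, "verdict": verdict, "members": hits}

def triage_message(raw):
    """Inspect every .zip attachment of an RFC 5322 message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            results.append(triage_zip(fname, part.get_content()))
    return results

def make_zip(member, payload):
    """Build a one-member ZIP in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()

def build_sample(zip_name, zip_bytes):
    """Constructed test message; the sender address is a placeholder."""
    m = EmailMessage()
    m["From"] = "Eviction Notification <sender@example.invalid>"
    m["Subject"] = "Urgent eviction notification (constructed sample)"
    m.set_content("The details are attached herewith.")
    m.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=zip_name)
    return m.as_bytes()

# Constructed inputs: harmless bytes stand in for the payload; one archive is truncated.
GOOD = make_zip("Copy_of_the_court_statement_us_28_01_2014.exe", b"not a real program")
SAMPLE_EXE = build_sample("Copy_Of_The_Court_Statement_N1801.zip", GOOD)
SAMPLE_CORRUPT = build_sample("Copy_Of_The_Court_Statement_N1801.zip", GOOD[:20])
SAMPLE_DOC = build_sample("Notes.zip", make_zip("notes.txt", b"hello"))
```
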



9 comments:

Kathy Redlin said...

I received this email today and did not open the file because I believed it to be a virus of some kind

AmenitGlobal said...

I got the spam too. This was the subject line:
Notice to quit No9593

the email address was:
support.1@riduscourt.com

Couldn't open the zip file so can't help with the contents. Thanks for the post.


toodles said...

I received this one too and fortunately it was sent to my spam folder. If I get any more I forward to the fbi.gov cybercrime people with full headers. Thanks for posting this topic.

tmare said...

Just checked my spam folder and I have at least three of these notices. The file doesn't open. It has to be a virus because seriously, are people just vacating their homes based on an e-mail? What are they getting from this?

Conrad Longmore said...

@tmare, the attachment is a virus.. it's just using shock tactics to try to get people to open it.

Kyle Perry said...

I got one yesterday and it may be valid. I can be reached at walkintruth@live.com

dallas said...

I got one as well...

From: Eviction Notice
Sent: Thu, Feb 6, 2014 1:32 pm
Subject: Notice to exit the premises No6043

Eviction notice,

We hereby give you a notice that due to multiple violations
your tenancy of the premises you occupy
will be terminated on March 09, 2014.

Detailed description of the violations and
adjudication are attached herewith.

Unless you vacate the property until March 27, 2014,
the Court will provide an order to evict you and require
you to pay all the costs incurred in bringing this action.

Court bailiff,
FORD Mckay

Jilli said...

@Dallas, My Mom has had two eviction notices exactly like yours in the last week, both from help123@brawford.com. I'm not sure where you are based but we are in South Africa. It looks like these PIGS are worldwide.

Michael T said...

I've received several of these beginning January 10th for which I have set up (my two @sbcglobal.net accounts) to redirect them to my Spam folder.

The IP address indicates a Time Warner server is being used. However, I am not 100% certain this is valid -- although it could be.

I have sent a spam report w/the full header to the Time Warner email addy at abuse@rr.com and get a reply that they will investigate.

What is especially curious is the spammer is possibly spoofing the city and state of their ISP based on their IP address -- e.g., Milwaukee, WI (1/10), Brooklyn, NY (2/22), Rochester, NY (3/3) and Rialto, CA (3/5).

This is a first for me that a spammer (who may be offshore) has found a way to spoof his IP address to indicate an American city. Hmmm.