Date: Tue, 28 Jan 2014 17:40:16 -0400 [16:40:16 EST]
From: Eviction Notification [support.7@riduscourt.com]
Subject: Urgent eviction notification No2621
Eviction Notification,
Please be advised that you are obliged to
vacate the living space you occupy until March 28, 2014, 11 a.m.
If you do not vacate it in the specified terms,
the court will have to assign the forcible eviction for April 26,
2014, 11 a.m.
If nobody is home we will not be responsible for safe keeping of your
belongings.
Besides, if you fail to comply with the requirements of the court
bailiff
you will be fined for up to 200 minimum wage amounts
with a subsequent doubling of the penalty amount
and can be made criminally or administratively liable.
The details of the circumstances that caused the judicial decision
of eviction are attached herewith.
Court bailiff,
GOODWIN Bass
Attached is an archive file Copy_Of_The_Court_Statement_N1801.zip which in turn contains a malicious file Copy_of_the_court_statement_us_28_01_2014.exe.
For some reason the ZIP file that I have is corrupt and will not open, but I suspect that other versions may be valid. If anyone has a reliable analysis of this file it might be worth leaving a note in the Comments... thanks!
Update (30/1/14): here is a second version doing the rounds:
Date: Wed, 29 Jan 2014 18:11:43 -0500 [01/29/14 18:11:43 EST]
From: Notice To Quit [service_notice@mnduscourt.com]
Subject: Notice to quit No5759
Notice to quit,
Hereby you are informed you have to quit the premises you hold until
March, 21, 2014.
If you stay in the currently occupied premises for a longer period of
time,
you will be assigned by court for forced eviction scheduled for April
5, 2014.
If court executives do not find you at home on the specified date,
the court will disclaim any responsibility for safe keeping
of your property left in the premises.
Whether you fail to fulfill the requirements of the court
you might be held liable to a fine equal to 100 minimum wage amounts.
Attention.
The adjudication details can be found attached to this notice.
Bailiff of the court,
RUSSELL ORTIZ
In this case there is a ZIP file, Details_For_Arrears_Document_29-01-2014_Copy_N5146.zip, which contains a malicious executable, Details_For_Arrears_Document_29-01-2014.exe, with an icon that makes it look like a Word document. The VirusTotal detection for this is 17/49. ThreatExpert reports a connection to 77.72.26.97 (Tesene SRL, Italy).
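
A mail-gateway style check for the pattern described above (a ZIP attachment wrapping an executable, with some copies arriving corrupt), as an added example that is not part of the original post. It flags members by extension or MZ header, which goes slightly beyond the .exe names seen here; the extension list, the helper names and the constructed sample message with its placeholder sender and inert 64-byte payload are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

RISKY_EXT = (".exe", ".scr", ".pif", ".com")  # assumed block list, extend as needed

def inspect_zip(name, data):
    """Flag executables inside one ZIP attachment, by extension or MZ header."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as fh:
                    magic = fh.read(2)
                if info.filename.lower().endswith(RISKY_EXT) or magic == b"MZ":
                    findings.append(f"{name}: contains executable {info.filename}")
    except (zipfile.BadZipFile, RuntimeError):
        # Corrupt or password-protected: report as unscannable, never as clean.
        return [f"{name}: archive cannot be inspected"]
    return findings

def scan_message(raw):
    """Return findings for every .zip attachment of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            findings += inspect_zip(fname, part.get_content())
    return findings

def make_zip(member, content):
    """Build a one-member ZIP in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()

def build_sample(zip_name, zip_bytes):
    """Constructed test message; the sender address is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "Notice To Quit <sender@example.test>"
    msg["Subject"] = "Notice to quit No5759"
    msg.set_content("The adjudication details can be found attached to this notice.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()

if __name__ == "__main__":
    good = make_zip("Details_For_Arrears_Document_29-01-2014.exe", b"MZ" + b"\x00" * 62)
    name = "Details_For_Arrears_Document_29-01-2014_Copy_N5146.zip"
    print(scan_message(build_sample(name, good)))
    print(scan_message(build_sample(name, good[: len(good) // 2])))  # truncated copy
```
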
Update (31/1/14): Another couple of variations with a slightly different payload:
Date: Fri, 31 Jan 2014 00:30:51 -0400 [01/30/14 23:30:51 EST]
From: Eviction Notice [support.5@perkinscoie.com]
Subject: Eviction notification No8423
Eviction notice,
Hereby you are notified that you have to move to another
location from the currently occupied premises within
the next three weeks.
Please find the lawsuit details attached to this letter.
If you do not move within this period of time,
we will have no other alternative than to have you
physically removed from the property per order of the Judge.
If we can be of any assistance to you during your relocation,
please feel free to contact us any time.
Court representative,
Emma Mason
---
Date: Thu, 30 Jan 2014 14:23:27 -0500 [01/30/14 14:23:27 EST]
From: Eviction Notice [support.7@perkinscoie.com]
Subject: Notice to quit No8116
Eviction notice,
Hereby you are notified that you have to move to another
location from the currently occupied premises within
the next three weeks.
Please find the lawsuit details attached to this letter.
If you do not move within this period of time,
we will have no other alternative than to have you
physically removed from the property per order of the Judge.
If we can be of any assistance to you during your relocation,
please feel free to contact us any time.
Court representative,
Mary Tailor
The attachments on these two samples were Lawsuit_Details _Attache_ID88-175.zip and Lawsuit_Details _Attache_ID91-380.zip, in turn containing a malicious executable Lawsuit_Details _Court_Representative.exe which has a VirusTotal detection rate of 16/50. The ThreatExpert analysis shows an outbound connection to 41.86.112.12 (Mweb Connect, South Africa), although other analysis tools don't spot this [1] [2] [3].
Update (4/2/14): the spam run is ongoing with a couple of new ones spotted.
Date: Mon, 03 Feb 2014 22:57:06 -0400 [02/03/14 21:57:06 EST]
From: Eviction Notification [notice_support.7@littler.com]
Subject: Evition notice No3998
Eviction notification,
You are hereby given notice that you are in breach
of your tenancy of the premises you currently occupy.
To remedy the breach you have to quit
the premises within the following four weeks.
If you fail to comply you will be physically removed
and fined for up to 100 minimum monthly wages.
Detailed information is attached herewith.
Court secretary,
RUSSO Anthony
-----------------------
Date: Tue, 04 Feb 2014 10:29:55 -0500 [10:29:55 EST]
From: Notice to quit [notice_service@kirkland.com]
Subject: Notice to exit the premises No8527
Notice to quit,
We regret to inform you that in the period until 04/02/14
you will have to relocate from the currently occupied premises.
If the property is not timely vacated we will have to apply sanctions
against you.
Case details are attached to the present notice.
Court secretary,
JENSEN TATE
Two sample attachment names are Lawsuit_Details _Copy_ID131-06.zip and Lawsuit_Details _Copy_SN_98-273.zip, only one of which seems to be unzippable, giving Lawsuit_Details _Court Secretary_02-03-2014.exe, which has a VirusTotal detection rate of 28/51. Most automated analysis tools are pretty inconclusive about what it does [1] [2] [3], but ThreatExpert reports an attempted connection to a server at 77.72.26.97 (Tesene, Italy) which has been used before in this attack.
9 comments:
I received this email today and did not open the file because I believed it to be a virus of some kind
I got the spam too. This was the subject line:
Notice to quit No9593
the email address was:
support.1@riduscourt.com
Couldn't open the zip file so can't help with the contents. Thanks for the post.
I received this one too and fortunately it was sent to my spam folder. If I get any more I forward to the fbi.gov cybercrime people with full headers. Thanks for posting this topic.
Just checked my spam folder and I have at least three of these notices. The file doesn't open. It has to be a virus because seriously, are people just vacating their homes based on an e-mail? What are they getting from this?
@tmare, the attachment is a virus.. it's just using shock tactics to try to get people to open it.
I got one yesterday and it may be valid. I can be reached at walkintruth@live.com
I got one as well...
From: Eviction Notice
Sent: Thu, Feb 6, 2014 1:32 pm
Subject: Notice to exit the premises No6043
Eviction notice,
We hereby give you a notice that due to multiple violations
your tenancy of the premises you occupy
will be terminated on March 09, 2014.
Detailed description of the violations and
adjudication are attached herewith.
Unless you vacate the property until March 27, 2014,
the Court will provide an order to evict you and require
you to pay all the costs incurred in bringing this action.
Court bailiff,
FORD Mckay
@Dallas, My Mom has had two eviction notices exactly like yours in the last week, both from help123@brawford.com. I'm not sure where you are based but we are in South Africa. It looks like these PIGS are worldwide.
I've received several of these beginning January 10th for which I have setup (my two @sbcglobal.net accounts) to redirect them to my Spam folder.
The IP address indicates a Time Warner server is being used. However, I am not 100% certain this is valid -- although it could be.
I have sent a spam report w/the full header to the Time Warner email addy at abuse@rr.com and get a reply that they will investigate.
What is especially curious is the spammer is possibly spoofing the city and state of their ISP based on their IP address -- e.g., Milwaukee, WI (1/10), Brooklyn, NY (2/22), Rochester, NY (3/3) and Rialto, CA (3/5).
This is a first for me that a spammer (who may be offshore) has found a way to spoof his IP address to indicate an American city. Hmmm.