Wednesday, 14 September 2011
Some fake Bundeskriminalamt and Bundespolizei sites
Here are some more fake sites pretending to be the Bundeskriminalamt and Bundespolizei (Germany's Federal Criminal Police Office and Federal Police) which are probably worth blocking, following on from these.
193.105.240.204 [Sia Vps Hosting, Latvia]
bundespolizei-de.net
bundespolizei-de.org
bundespolizei-online.com
dpolg-bundespolizei.org
inter-bundeskriminalamt.org
inter-bundeskriminalamt.eu
77.87.229.14 [the real IP of bundespolizei.de, see the note below]
inter-bundeskriminalamt.eu
dpolg-bundespolizei.org [also on 193.105.240.204]
inter-bundeskriminalamt.org [also on 193.105.240.204]
211.154.153.49 [China Motion Network Communication]
agentbundeskriminalamt.net
bundeskriminalamtde.net
onlinebundeskriminalamt.net
torrentbundeskriminalamt.net
Note that 77.87.229.14 is actually the real IP for bundespolizei.de, but the scammers are pointing their DNS records at it, presumably to cause confusion. Block those three domains by name; do not block the IP address, or you will cut off the genuine Bundespolizei site as well.
You can safely block access to 193.105.240.0/24 (Sia VPS) without much fear of losing anything important. The Chinese netblock is more mixed, but blocking at least 211.154.153.49 is probably a good idea if you are in Germany.
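Turning a listing like the one above into something deployable is mostly a matter of not blocking the wrong thing. The script below is an added example, not part of the original post: it groups the domains by the IP they were seen on, emits a BIND response-policy-zone (RPZ) fragment that NXDOMAINs each scam domain by name, emits a firewall list for the hostile addresses, and refuses to put 77.87.229.14 on that list because it belongs to the real bundespolizei.de. The IP-to-domain table is constructed from this post; the protected-address table and the /24 are taken from the post's own recommendations.

```python
"""Build DNS and firewall blocklists from the groupings in this post, without
firewalling 77.87.229.14, which is the genuine bundespolizei.de address that
several scam domains are deliberately pointed at."""
import ipaddress

# IP -> domains observed resolving to it (constructed from the listing in this post).
OBSERVED = {
    "193.105.240.204": [
        "bundespolizei-de.net", "bundespolizei-de.org", "bundespolizei-online.com",
        "dpolg-bundespolizei.org", "inter-bundeskriminalamt.org",
    ],
    "77.87.229.14": [
        "inter-bundeskriminalamt.eu", "dpolg-bundespolizei.org", "inter-bundeskriminalamt.org",
    ],
    "211.154.153.49": [
        "agentbundeskriminalamt.net", "bundeskriminalamtde.net",
        "onlinebundeskriminalamt.net", "torrentbundeskriminalamt.net",
    ],
}
# Addresses that belong to a legitimate party and must never reach the firewall list.
PROTECTED = {"77.87.229.14": "bundespolizei.de"}
# Ranges the post judges safe to block wholesale.
BLOCK_RANGES = ["193.105.240.0/24"]


def build_blocklist(observed, protected, block_ranges):
    """Split the observations into names to sinkhole and addresses to firewall.

    Domains are always blocked by name.  An IP is firewalled as a /32 unless it
    is protected or already covered by one of block_ranges.  Domains that sit on
    a protected address are reported separately as 'parasites'."""
    nets = [ipaddress.ip_network(r) for r in block_ranges]
    domains, hosts, parasites = set(), set(), {}
    for ip, names in observed.items():
        domains.update(n.lower() for n in names)
        if ip in protected:
            for n in names:
                parasites[n.lower()] = protected[ip]
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue  # the range entry already covers this host
        hosts.add(f"{ip}/32")
    return {
        "domains": sorted(domains),
        "firewall": sorted(block_ranges) + sorted(hosts),
        "parasites": parasites,
    }


def render_rpz(blocklist):
    """RPZ records: 'CNAME .' returns NXDOMAIN for the name and its subdomains."""
    lines = []
    for d in blocklist["domains"]:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


if __name__ == "__main__":
    bl = build_blocklist(OBSERVED, PROTECTED, BLOCK_RANGES)
    print("\n".join(render_rpz(bl)))
    print("firewall:", bl["firewall"])
    for name, owner in bl["parasites"].items():
        print(f"{name} resolves to {owner}'s address: block by name only")
```

The "parasites" output is the part worth reading before deploying anything: those three names resolve to a legitimate server, so only the DNS (RPZ) entry is safe for them, and the firewall list stays at the Latvian /24 plus the single Chinese host.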
Labels:
Bundespolizei,
China,
Latvia
bundespol.com is not the Bundespolizei
Another fake Bundespolizei domain today: bundespol.com is registered through a Chinese registrar and then anonymised through a Chinese WHOIS privacy service.
The site doesn't resolve yet, but it is almost identical to bundespol.net which is fingered in this attack. In that case, the fake Bundespolizei site was hosted on 188.229.97.2 which is Netserv Consult SRL in Romania (incidentally, blocking 188.229.0.0/17 will probably do you no harm).
There are a whole bunch of fake Bundespolizei domains at the moment, but I'm guessing that this particular bunch of scammers may well try the same thing in other countries very soon.
Labels:
Bundespolizei,
China,
Netserv Consult SRL
Monday, 12 September 2011
bundespolizei-online.com is not the Bundespolizei
bundespolizei-online.com is a fake domain pretending to be the Bundespolizei (German Federal Police). It appears to be part of a malware scam that has been around for a while, where the victim is told that they have done something illegal and need to pay a fine to the police.
The text of the message might vary, but the last scam domain was used in conjunction with a message that read:
Es ist ungesetzliche Tätigkeit enthüllt
Achtung!!!
Ein Vorgang illegaler Aktivitäten wurde erkannt.
Das Betriebssystem wurde im Zusammenhang mit Verstoßen gegen die Gesetze der Bundesrepublik Deutschland gesperrt! Es wurde folgender Verstoß festgestelltt: Ihre IP Adresse lautet "x.x.x.x" mit dieser IP wurden Seiten mit pornografischen Inhalten,Kinderpornographie, Sodomie und Gewalt gegen Kinder aufgerufen Auf Ihrem Computer wurden ebenfalls Videodateien mit pornografischen Inhalten, Elementen von Gewalt und Kinderpornografie festgestellt! Es wurden auch Emails in Form von Spam, mit terroristischen Hintergründen, verschickt. Diese Sperre des Computers dient dazu, Ihre illegalen Aktivitäten zu unterbinden.
Ihre IP: x.x.x.x
Location: XXXXX
ISP: XXXXX
Um die Sperre des Computers aufzuheben, sind Sie dazu verflichtet eine Strafe von 100 Euro zu zahlen. Sie haben zwei Möglichkeiten die Zahlung von 100 Euro zu leisten.
1) Die Zahlung per Ukash begleichen:
Dazu geben Sie bitte den erworbenen Code in das Zahlungsfeld ein und drücken Sie anschliessend auf OK (haben Sie mehrere Codes,so geben Sie Diese einfach nacheinander ein und drücken Sie anschliessend auf OK) Sollte das System Fehler melden,so müssen Sie den Code per Email (einzahlung@dpolg-bundespolizei.org) versenden.
2) Die Zahlung per Paysafecard begleichen:
Dazu geben Sie bitte den erworbenen Code (gegebenfalls inkl. Passwort) in das Zahlungsfeld ein und drücken Sie anschliessend auf OK (haben Sie mehrere Codes,so geben Sie Diese einfach nacheinander ein und drücken Sie anschliessend auf OK) Sollte das System Fehler melden,so müssen Sie den Code per Email(einzahlung@dpolg-bundespolizei.org) versenden.
This roughly translates as (the German is in places ungrammatical and misspelled, e.g. "festgestelltt" and "verflichtet", which is itself a tell):
Illegal activity has been uncovered
Attention!!!
An instance of illegal activity has been detected.
The operating system has been locked in connection with violations of the laws of the Federal Republic of Germany! The following violation was detected: your IP address is "x.x.x.x"; from this IP, pages with pornographic content, child pornography, bestiality and violence against children were accessed. Video files with pornographic content, elements of violence and child pornography were also found on your computer! Emails in the form of spam, with terrorist backgrounds, were also sent. This lock on the computer serves to stop your illegal activities.
Your IP: x.x.x.x
Location: XXXXX
ISP: XXXXX
To lift the lock on the computer, you are obliged to pay a fine of 100 euros. You have two ways of making the payment of 100 euros.
1) Pay via Ukash:
Enter the purchased code in the payment field and then press OK (if you have several codes, simply enter them one after another and then press OK). If the system reports an error, you must send the code by email (einzahlung@dpolg-bundespolizei.org).
2) Pay via Paysafecard:
Enter the purchased code (including the password, if applicable) in the payment field and then press OK (if you have several codes, simply enter them one after another and then press OK). If the system reports an error, you must send the code by email (einzahlung@dpolg-bundespolizei.org).
A €100 fine for alleged terrorism and downloading child pornography? Obviously this is nonsense, but the victim might well try to pay to get rid of the trojan.
The bundespolizei-online.com domain is quite interesting to look at. First, there is the WHOIS record:
Steffen Schüssler
Email: t-mart-admin@teiekom.de
Organization: Hostmaster T-Systems
Address: Vahrenwalder Strasse 240-247
City: Hannover
State: Hannover
ZIP: 30159
Country: DE
Phone: +49.43171633486
Fax: +49.43171633486
It looks legitimate enough. T-Systems is the hosting division of Deutsche Telekom, and the email address looks legitimate at first glance. But wait: it says teiekom.de (with an "i") and not telekom.de, which can't be right.
The domain is registered through the Russian registrar Regtime Ltd. The site bundespolizei-online.com is hosted on 193.105.240.204 in Latvia. Latvian hosting has a poor reputation generally, the AS12578 block in particular, and the whole 193.105.240.0/24 range looks quite toxic. As is common with malicious sites such as this, all the mail is handled by Google.
So, if you see a message soliciting an email reply to bundespolizei-online.com, or a page served from that domain, then it is malware, and you should try to disinfect your machine using up-to-date antivirus software, or you could try following the instructions here.
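The teiekom.de trick (an "i" standing in for an "l") is easy to miss by eye and easy to catch by machine. The script below is an added example, not code from the original post: it folds visually confusable characters before comparing a WHOIS contact domain against a list of known-good domains, falls back to an edit-distance check for plain typos, and also flags domains that merely embed a brand name, which covers the bundespolizei-online.com pattern as well. The BRANDS list and the confusable-character table are constructed for the example, and the registrable-domain split is deliberately crude (last two labels, no public-suffix handling).

```python
"""Spot look-alike domains in WHOIS contact data: teiekom.de (i for l) versus
telekom.de, and scam names that embed a brand such as bundespolizei."""

# Character pairs that render almost identically in many fonts (assumed list).
CONFUSABLE = [("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("|", "l"), ("0", "o")]

# Known-good domains to compare against; constructed for this example.
BRANDS = ["telekom.de", "t-systems.com", "bundespolizei.de",
          "bundeskriminalamt.de", "dpolg.de"]


def fold(label):
    """Collapse confusable characters so visually identical strings compare equal."""
    label = label.lower()
    for lookalike, canonical in CONFUSABLE:
        label = label.replace(lookalike, canonical)
    return label


def levenshtein(a, b):
    """Plain edit distance; good enough for single-character typo squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    # Crude: keep the last two labels.  Assumes no multi-part public suffix (co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def classify(candidate, brands=BRANDS):
    """Return [(brand, reason), ...] describing how candidate imitates each brand.

    An exact match to a known-good domain returns an empty list immediately."""
    cand = registrable(candidate)
    cand_label = cand.split(".")[0]
    findings = []
    for brand in brands:
        ref = registrable(brand)
        ref_label = ref.split(".")[0]
        if cand == ref:
            return []                              # it is the genuine domain
        if cand_label == ref_label:
            findings.append((ref, "tld-swap"))     # same name, different TLD
        elif fold(cand_label) == fold(ref_label):
            findings.append((ref, "homoglyph"))    # teiekom vs telekom
        elif levenshtein(cand_label, ref_label) <= 1:
            findings.append((ref, "typo"))
        elif len(ref_label) >= 6 and ref_label in cand_label:
            findings.append((ref, "brand-embedded"))  # bundespolizei-online
    return findings


def check_email(address, brands=BRANDS):
    """Classify the domain part of a WHOIS contact address."""
    return classify(address.rsplit("@", 1)[1], brands)


if __name__ == "__main__":
    for item in ["t-mart-admin@teiekom.de", "hostmaster@telekom.de"]:
        print(item, check_email(item))
    for dom in ["bundespolizei-online.com", "dpolg-bundespolizei.org", "bundespolizei.com"]:
        print(dom, classify(dom))
```

The homoglyph test is done on the folded form and the typo test on the raw form, in that order, so "teiekom" is reported as a homoglyph rather than a typo. The minimum length on the brand-embedded rule is there to stop short brand labels matching inside unrelated words.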
Labels:
Bundespolizei,
Dating Scams,
Latvia
Wednesday, 31 August 2011
dpolg-bundespolizei.org is not DPolG or the Bundespolizei
DPolG (Deutsche Polizeigewerkschaft) is a police union with a section for the German Federal Police (Bundespolizei). So you might expect dpolg-bundespolizei.org to be something to do with the DPolG, especially as www.dpolg-bundespolizei.org resolves to 77.87.229.14, the same IP address as bundespolizei.de, the German Federal Police's own site.
But something is very wrong with this domain. Let's start with the WHOIS details:
Domain ID:D163178250-LROR
Domain Name:DPOLG-BUNDESPOLIZEI.ORG
Created On:30-Aug-2011 11:02:35 UTC
Last Updated On:30-Aug-2011 11:02:35 UTC
Expiration Date:30-Aug-2012 11:02:35 UTC
Sponsoring Registrar:Regtime Ltd. (R1602-LROR)
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:CO1014850-RT
Registrant Name:ALex Potolot
Registrant Organization:ALex Potolot
Registrant Street1:49-12 Shepherd Street
Registrant Street2:
Registrant Street3:
Registrant City:London
Registrant State/Province:London
Registrant Postal Code:W12 7HF
Registrant Country:GB
Registrant Phone:+44.2073290240
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:apotolot@yahoo.com
It's kind of odd that a German police domain should be registered to a person in the UK using a free email address. But what is odder is that the address does not exist. Although there is a Shepherd Street in London, the postcode is not W12 7HF, that's the postcode for Stanlake Road in Hammersmith. Shepherd Street's postcode begins W1J 7Jx in any case, and there's no number 49 on that road (it is approximately the location of the Park Lane Mews Hotel).
Let's check the nameservers:
Name Server:NS1.NAMESELF.COM
Name Server:NS2.NAMESELF.COM
Nameself.com is the DNS service of the Russian registrar WebNames.ru (aka Regtime Ltd), who are also the domain registrar. Why would the German police use a Russian registrar?
The next clue is in the MX handlers - these are the servers that handle mail for dpolg-bundespolizei.org:
dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 10 ASPMX.L.GOOGLE.COM
dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 20 ALT1.ASPMX.L.GOOGLE.COM
dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 20 ALT2.ASPMX.L.GOOGLE.COM
dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX2.GOOGLEMAIL.COM
dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX3.GOOGLEMAIL.COM
dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX4.GOOGLEMAIL.COM
dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX5.GOOGLEMAIL.COM
So, the domain is using Google for mail handling. DPolG use their own mailservers, not Google.
Something is definitely amiss here, and it wouldn't be the first time that the Bundespolizei name was used for malicious purposes as there has been a recent rash of malware using it. On balance, a domain with a fake UK address registered via a Russian registrar and using Google for mail handling is unlikely to be legitimate. Avoid.
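The reasoning in this post generalises: a shared A record with the real organisation is worthless as evidence of legitimacy when the nameservers, mail exchangers and registrant all belong to someone else. The script below is an added example, not the post's own tooling: it takes the suspect's records as printed above, compares them with reference records for the imitated organisation, and returns the individual signals rather than a single opaque score so an analyst can see why a domain was flagged. The suspect's data is constructed from this post's WHOIS and DNS output; for the reference side only the A record and the country come from the post, and the NS and MX entries are placeholders standing in for what a real lookup of bundespolizei.de would return. The freemail provider list is also an assumption.

```python
"""Compare a suspect domain's control plane (NS, MX, registrant) with the
organisation it imitates.  Sharing bundespolizei.de's A record proves nothing
when everything else is controlled by somebody else."""
from datetime import date

# Webmail providers a police force would not register domains with (assumed list).
FREEMAIL = {"yahoo.com", "gmail.com", "hotmail.com", "mail.ru", "yandex.ru"}

# The suspect's records as given in this post (constructed from the output above).
SUSPECT = {
    "domain": "dpolg-bundespolizei.org",
    "a": {"77.87.229.14"},
    "ns": {"ns1.nameself.com", "ns2.nameself.com"},
    "mx": {"aspmx.l.google.com", "alt1.aspmx.l.google.com", "alt2.aspmx.l.google.com",
           "aspmx2.googlemail.com", "aspmx3.googlemail.com", "aspmx4.googlemail.com",
           "aspmx5.googlemail.com"},
    "registrant_email": "apotolot@yahoo.com",
    "registrant_country": "GB",
    "created": "2011-08-30",
}

# Reference records for the imitated organisation.  Only the A record and the
# country come from the post; NS and MX are PLACEHOLDERS for this example.
REFERENCE = {
    "domain": "bundespolizei.de",
    "a": {"77.87.229.14"},
    "ns": {"ns1.placeholder-bund.example", "ns2.placeholder-bund.example"},
    "mx": {"mail.placeholder-bund.example"},
    "country": "DE",
}


def triage(suspect, reference, seen_on, freemail=FREEMAIL, max_age_days=30):
    """Return a list of (signal, detail) tuples; an empty list means nothing odd."""
    findings = []
    shared = suspect["a"] & reference["a"]
    own_ns = not suspect["ns"].isdisjoint(reference["ns"])
    own_mx = not suspect["mx"].isdisjoint(reference["mx"])
    # The post's key observation: the A record points at the real site, but
    # DNS and mail are run from infrastructure the real site does not use.
    if shared and not own_ns and not own_mx:
        findings.append(("parasite-a-record",
                         f"resolves to {sorted(shared)} ({reference['domain']}) "
                         "but NS and MX are elsewhere"))
    reg_domain = suspect["registrant_email"].rsplit("@", 1)[1].lower()
    if reg_domain in freemail:
        findings.append(("freemail-registrant", reg_domain))
    if suspect["registrant_country"] != reference["country"]:
        findings.append(("country-mismatch",
                         f"registrant in {suspect['registrant_country']}, "
                         f"organisation in {reference['country']}"))
    age = (date.fromisoformat(seen_on) - date.fromisoformat(suspect["created"])).days
    if age < max_age_days:
        findings.append(("newly-registered", f"{age} days old"))
    return findings


def verdict(findings):
    """Three or more independent signals is enough to block; one or two, review."""
    if len(findings) >= 3:
        return "block"
    return "review" if findings else "ok"


if __name__ == "__main__":
    found = triage(SUSPECT, REFERENCE, seen_on="2011-09-14")
    for signal, detail in found:
        print(f"{signal}: {detail}")
    print("verdict:", verdict(found))
```

The thresholds (30 days, three signals) are judgement calls for the example, not values from the post; the point is that each signal is weak on its own, while the combination the post describes trips every one of them.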
Labels:
Bundespolizei,
Scams