Here’s something we really don’t see every day…
We recently received an email claiming to be from the U.S. Department of Justice Victim Notification System (VNS).
Subject: US Department of Justice Victim Notification System
From: Courtney Walker <firstname.lastname@example.org>
To: Business Representative <address>
Our typical “common sense” check for email Phishing Fraud starts with the obvious:
- Overly serious/threatening Subject line… check!
- Human sender doesn’t match email address… check!
- Impersonal and generic salutation… check!
The email itself opens with:
DO NOT REPLY TO THIS EMAIL.
U.S. Department of Justice
Federal Bureau of Investigation
FBI – New York
26 Federal Plaza, 23rd Floor
New York, NY 10278
Phone: (212) 384-2564
Fax: (212) 384-4104
Our phishing radar continues to alert with the inclusion of the standard warning against replying and the excessive quoting of business addresses and phone numbers, complete with excessive indentation as though this were a typewritten official document.
Plus they’ve also included the FBI (as so many fraudulent emails do) for good measure.
So far we’re 100% on track with every other Nigerian fraud in circulation during the last 5 years.
Now on to the body of this obvious fraud:
Dear Business Representative:
We are contacting you because you have been identified by the FBI as a possible victim of a crime. This case continues to remain under investigation. A criminal investigation can be a lengthy undertaking, and, for several reasons, we cannot provide you with additional information about its progress at this time. A victim of a federal crime is entitled to receive certain services, such as information regarding available emergency medical and social services; available public and private programs for counseling, treatment, and other support; and notice of certain events in the progress of the case. For further details, please refer to Title 42 United States Code Section 10607 and/or the brochure posted on www.notify.usdoj.gov.
Attached you will find additional information related to this case and details for how to access the specific address associated to your company which were affected.
Could these semi-professional Internet con artists be any more obvious?
The randomly generated fake case number, the “Dear Business Representative:” used TWICE in three lines, the vague threat that we’ve been a victim of something or another, and of course the reference to an attachment that wasn’t present… seriously?
How on earth does anybody ever fall for such obvious forgeries?
As if that wasn’t enough the email was “signed” by a name not included in the Email From or any of the other email headers at all, closing the message with:
With more red flags waving than a military parade in Tiananmen Square, just imagine our surprise when we started researching this obvious fraud only to find:
- The links contained in the email were all to legitimate USDOJ sites
- The phone number listed is a legitimate FBI number
- We find independent references to an actual “Agent Laura Riso” who apparently handled aspects of the Madoff case
- The message headers indicated it was received from a DOJ server, using an IP address registered to the USDOJ.
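The contrast between the content checklist at the top of the post and the header findings just listed is the useful lesson here, so the following added example (not OnlyMyEmail’s filter code or any DOJ tool) scripts both sides: the three “common sense” content checks, and a separate check of whether the earliest Received hop sits in the same domain as the From address. The sample message, host names, keyword lists and the helper names `check_message`, `display_name_matches_address` and `first_hop_host` are all constructed for illustration.

```python
"""Header and content triage for a suspected phishing email (added example).

Hypothetical helper, not OnlyMyEmail's filter or any DOJ tool. It scores the
post's three "common sense" content checks and, separately, whether the
earliest Received hop is in the same domain as the From address. The message,
host names and keyword lists below are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample, modelled on the post's headers; all addresses are placeholders.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
        by mx.example.net with ESMTP; Wed, 11 Apr 2012 10:00:00 -0400
From: Courtney Walker <firstname.lastname@example.org>
To: Business Representative <address@example.net>
Subject: US Department of Justice Victim Notification System

DO NOT REPLY TO THIS EMAIL.

Dear Business Representative:
We are contacting you because you have been identified by the FBI as a
possible victim of a crime.
"""

# Constructed keyword lists; a production filter would use scored, maintained lists.
ALARMING_WORDS = ("department of justice", "fbi", "victim", "notification",
                  "urgent", "suspended", "verify your account")
GENERIC_SALUTATIONS = ("dear business representative", "dear customer",
                       "dear user", "dear sir/madam", "dear account holder")


def registrable_domain(host):
    """Crude last-two-labels domain (good enough for the constructed sample)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def display_name_matches_address(from_header):
    """True when every word of the display name appears in the address local part."""
    name, addr = parseaddr(from_header)
    local = addr.split("@", 1)[0].lower()
    tokens = [t for t in re.split(r"[^a-z]+", name.lower()) if t]
    return bool(tokens) and all(t in local for t in tokens)


def first_hop_host(msg):
    """Host named in the earliest Received header (the last one in header order)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.match(r"\s*from\s+([\w.-]+)", received[-1])
    return m.group(1) if m else None


def check_message(raw):
    msg = email.message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    salutation = next((ln.strip().lower().rstrip(":,") for ln in body.splitlines()
                       if ln.lower().startswith("dear ")), "")
    _, from_addr = parseaddr(msg.get("From") or "")
    hop = first_hop_host(msg)

    result = {
        "subject_alarming": any(w in subject for w in ALARMING_WORDS),
        "sender_name_mismatch": not display_name_matches_address(msg.get("From") or ""),
        "generic_salutation": salutation in GENERIC_SALUTATIONS,
        # The check the post's research came down to: did the mail actually
        # arrive from the domain it claims to be from?
        "origin_matches_sender_domain": (hop is not None and "@" in from_addr and
                                         registrable_domain(hop) ==
                                         registrable_domain(from_addr.split("@", 1)[1])),
    }
    result["red_flags"] = sum(result[k] for k in
                              ("subject_alarming", "sender_name_mismatch", "generic_salutation"))
    return result


if __name__ == "__main__":
    for key, value in check_message(SAMPLE).items():
        print(f"{key:30} {value}")
```

On the constructed message all three content heuristics fire (three red flags) while the origin check passes, which is exactly the situation the post describes: wording alone cannot settle the question, the delivery path can. A real deployment would replace the last-two-labels domain comparison with a public-suffix-aware one and check SPF/DKIM results rather than the Received hostname alone.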
At this point, we’ve learned a few disturbing things.
It’s now obvious that real people do fall for some of the foolishly and pathetically written frauds out there (phishing, 411, etc.), because US Department of Justice communications read almost the same in tone and tenor as emails from Nigerian con artists.
For years we’ve made fun of Internet cons and their “obviously” bogus attempts to sound official and important within their emails.
Turns out we were out of line. These con artists actually seem to do a pretty good job of impersonating government bureaucrats after all.
Trust us when we say that you simply cannot fathom how much this shocks us. In truth, we would not have believed this email was legitimate had we not received and researched these messages ourselves.
Brushing this realization aside, we now had to conclude that we were dealing with a legitimate email from the DOJ/FBI that seems to allege a very serious security issue at hand.
Unfortunately, at this point, all we know is something vague about being a possible victim of a crime. That, and a promise that we can view more details by logging into an online system, but only after first waiting the allotted “4-8 hours” after receiving the notification.
And, of course, we’ve been instructed not to reply to the email.
Another point of difference… con artists are actually easier to both understand and to reach.
While researching this first email, we received a 2nd email from the USDOJ VNS. This time it’s even more vague, and the phone number/fax number portion of the header is blank.
Given the situation, we decided to call the number in the first email rather than wait 4-8 hours to discover what all of this is really about.
That call led to an automated voice message stating (paraphrased) that the case is legitimate but the emails were sent erroneously, and that we should wait for a 3rd email that will contain the correct information and details about the case.
Let us now take a moment to assure you that we are NOT making this up.
At this point we have to feel kind of sorry for Agent Riso; she’s apparently being inundated with calls about a case that she has no involvement in because someone sent out the wrong form letter (twice).
Three hours and twenty minutes after receiving the first email, we received the fabled third email that is supposed to explain everything.
You previously received a notification that you were identified as a potential victim of a federal crime. Attached is additional information related to the case. You will be receiving a hard-copy version of this notification and a personalized “Notice of Infected Computers” attachment containing a unique passphrase to access the IP addresses affected within your network.
Please note that it may take four to eight hours for you to gain access to the Victim Notification System while our system is updated with additional information.
Whoa. Infected computers? This could be bad!
We immediately launched an ‘all hands on deck’ security audit of all machines in our data center.
We found nothing.
Packet inspection and traffic analysis showed nothing unusual.
The purported attachment in the above email? Non-existent.
We were forced to wait 4-8 hours so we could log in for updated information from the DOJ. The only thing we found there was a link to a DOJ article about protecting yourself from online scams, and a note that more information will be added ‘soon’.
Finally, 24 hours after the 3rd email, we received a 4th email update; the only new piece of information was a link to the FBI’s blog, http://www.fbi.gov/news/stories/2011/november/malware_110911
Well at least we have something to work with now. Through our own research we discovered that we were alerted because the FBI has taken over this criminal computer network and they’re going through the logs and notifying the owners of every IP that has had contact with servers in the rogue network.
Here’s what happened in our case. This rogue computer network, like all organized crime, was running more than one illegal activity. It appears they were also sending out UCE/Scam/Phishing emails. Since we do DNS lookups on just about every email that enters our system, we had made requests to the rogue network for records that they were authoritative for. These requests were most likely for reverse DNS. In fact, we reviewed our blacklist and there are a number of IPs from the rogue networks in our blacklist.
In addition the DNSChanger malware is a Windows program, and we have exactly ZERO servers running Windows anything.
Add that to the fact that we disallow direct connections to external DNS servers in our firewall, and it becomes pretty clear that we in fact never had an infection of any sort and have been wasting our time reading semi-coherent emails and researching implausible threat warnings from the DOJ and FBI combined.
Now, we understand that the FBI investigators would have had no good way to differentiate our legitimate, non-malware-caused DNS lookups from an infected machine’s DNS lookups. However, had the DOJ VNS taken the time to do things right the first time, with some actual details and pertinent information, it would have saved us (and probably many other parties) significant amounts of time, effort, and stress.
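The distinction the post draws (a mail system’s own resolver looking up records that the rogue servers were authoritative for, versus a machine whose resolver settings had been changed to point at them) is something the affected site can settle from a DNS packet capture, even though the FBI, seeing only the rogue servers’ logs, could not. The script below is an added example, not OnlyMyEmail’s audit tooling: it reads tcpdump-style DNS lines, where a `+` after the query id means the recursion-desired flag was set, and classifies every query sent to a listed rogue network; it also lists hosts other than the resolver that talk DNS outside the site at all, which is what the firewall rule the post mentions exists to block. The address ranges (documentation prefixes, not the real rogue ranges), the internal resolver address, the sample lines and the helper names `parse_query`, `in_rogue_range` and `triage` are all constructed.

```python
"""Triage of DNS traffic toward known-rogue name servers (added example).

Hypothetical tooling, not OnlyMyEmail's audit scripts. Input is tcpdump-style
DNS output (as from "tcpdump -nn port 53"), in which a "+" after the query id
marks a query with the recursion-desired (RD) flag set. A recursive query sent
to a rogue address means the sender treats it as its resolver (the DNSChanger
symptom); an iterative query from the site's own resolver is just a lookup of
a record the rogue servers were authoritative for.
"""
import ipaddress
import re

# Constructed: documentation ranges stand in for the rogue network's prefixes.
ROGUE_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
# Constructed: the internal network and the only host allowed to talk DNS outside it.
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")
RESOLVERS = {ipaddress.ip_address("10.1.0.53")}

# Constructed sample capture lines (queries and one response).
SAMPLE_LINES = """\
10:00:01.100 IP 10.1.0.53.41000 > 203.0.113.7.53: 21034 PTR? 9.113.0.203.in-addr.arpa. (45)
10:00:01.150 IP 203.0.113.7.53 > 10.1.0.53.41000: 21034 NXDomain 0/1/0 (110)
10:00:02.000 IP 10.1.0.53.41001 > 192.0.2.1.53: 21035 A? www.example.com. (33)
10:00:03.000 IP 10.1.5.77.51234 > 198.51.100.9.53: 4112+ A? www.example.net. (34)
10:00:03.050 IP 10.1.5.77.51235 > 198.51.100.9.53: 4113+ A? mail.example.net. (35)
10:00:04.000 IP 10.1.0.53.41002 > 198.51.100.9.53: 21036 A? example.org. (29)
""".splitlines()

QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<id>\d+)(?P<rd>\+?) "
    r"(?P<qtype>\w+)\? (?P<qname>\S+)"
)


def parse_query(line):
    """Return a dict for a DNS query line, or None for responses and other lines."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ipaddress.ip_address(d["src"])
    d["dst"] = ipaddress.ip_address(d["dst"])
    d["rd"] = d["rd"] == "+"
    return d


def in_rogue_range(ip):
    return any(ip in net for net in ROGUE_NETS)


def triage(lines, resolvers=RESOLVERS, internal=INTERNAL_NET):
    """Classify every query to a rogue address and flag direct external DNS."""
    report = {"expected_resolver_lookups": 0, "suspect_hosts": set(),
              "firewall_policy_violations": set()}
    for line in lines:
        q = parse_query(line)
        if q is None or int(q["dport"]) != 53:
            continue
        # Any host other than the resolver talking DNS outside the site is
        # traffic the post's firewall rule exists to block.
        if q["src"] not in resolvers and q["dst"] not in internal:
            report["firewall_policy_violations"].add(str(q["src"]))
        if not in_rogue_range(q["dst"]):
            continue
        if q["src"] in resolvers and not q["rd"]:
            report["expected_resolver_lookups"] += 1      # iterative lookup, benign
        else:
            report["suspect_hosts"].add(str(q["src"]))    # rogue IP used as a resolver
    report["suspect_hosts"] = sorted(report["suspect_hosts"])
    report["firewall_policy_violations"] = sorted(report["firewall_policy_violations"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key:28} {value}")
```

On the constructed capture the resolver’s two iterative queries into the rogue ranges are reported as expected lookups (the post’s situation), while 10.1.5.77, which sends recursive queries straight to a rogue address, shows up both as a suspect host and as a firewall-policy violation. Feeding the script a capture from the resolver host and from the internal segment, rather than the sample lines, gives the same split for a real site.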
Given that the linked story mentioned above is from November 2011, you would think that they would have enough time to get things right the first time.
On the plus side, the experience provides us first-hand evidence (and lots of it) as to how well the US Government deals with technology threats, including their timeliness, attention to detail, and ability to communicate.
Let’s just say that this scares us a little bit on the one hand while terrifying us on the other.
OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.
Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."
OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.