Malware Purveyor Serving Up Ransomware Via Bogus ICANN Blacklist Removal Emails

Tim Cushing

from Techdirt on 2016-12-30 23:20 (#27492)

Fun stuff ahead for some website owners, thanks to a breakdown in the registration process. A Swiss security researcher has spotted bogus ICANN blacklist removal emails being sent to site owners containing a Word document that acts as a trigger for ransomware.

Fake @ICANN Domain Abuse Notices being spammend out to domain owners, distributing malware (Dridex?) - icann-monitor[dot]org pic.twitter.com/G0F4dzc1xP
- abuse.ch (@abuse_ch) December 29, 2016

Fake @ICANN Domain Abuse Notices being spammend out to domain owners, distributing malware (Dridex?) - icann-monitor[dot]org

These fake @ICANN abuse notices distribute Cerber Ransomware (hXXp://csenet.org/view/file5.exe) calling out to ffoqr3ug7m726zou.1nuljt\.top
- abuse.ch (@abuse_ch) December 29, 2016

These fake @ICANN abuse notices distribute Cerber Ransomware (hXXp://csenet.org/view/file5.exe) calling out to ffoqr3ug7m726zou.1nuljt\.top

The email appears to orginate from somewhere legitimate, as seen in this screenshot:

But the quasi-legit URL (icann-monitor.org) was only very recently registered through eNom, which apparently had no problem with some internet rando snagging a URL closely associated with the international group that governs domain names.

Domain Name: ICANN-MONITOR.ORG
Domain ID: D402200000001096932-LROR
WHOIS Server:
Referral URL: http://www.enom.com
Updated Date: 2016-12-29T15:25:14Z
Creation Date: 2016-12-28T20:19:57Z
Registry Expiry Date: 2017-12-28T20:19:57Z
Sponsoring Registrar: eNom, Inc.
Sponsoring Registrar IANA ID: 48
[...]
Tech Email: legal@whoisguard.com
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM

Ironically, the emails containing this malware inform recipients that their domain is "being used for spamming and spreading malware." The spam email invites site owners to download a malware-laced "report" for further instructions on how to remove their site from the blacklist, warning them they only have 24 hours to ~~fall victim to ransomware~~ respond.

The researcher is now "counting the hours (days?)" until either eNom or ICANN act in response to this spoofing/ransomware attack. Don't hold your breath. ICANN has yet to say anything publicly about this and, as of this point, eNom has yet to deactivate the account. For now, the fake ICANN still lives and breathes and poses a threat to recipients of this official-looking email.

Permalink | Comments | Email This Story

Source	RSS or Atom Feed
Feed Location	https://www.techdirt.com/techdirt_rss.xml
Feed Title	Techdirt
Feed Link	https://www.techdirt.com/