Coastal Network Status - Issue Detail
Security Alert

Recent Phishing Against state.gov Email Addresses
Posted: November 26, 2012, 9:01 am
Last Updated: December 23, 2012, 11:20 am

South Carolina Information Sharing and Analysis Center

SC INFORMATION SHARING AND ANALYSIS CENTER BULLETIN

DATE ISSUED:        11/21/2012

SUBJECT:     Recent Phishing Against state.gov Email Addresses

Two states have reported to the MS-ISAC phishing attacks against state.gov email addresses that occurred on November 19, 2012. The phishing emails originate from various external sources, some of which are spoofed as administrator@youragency.state.gov. A distinguishing characteristic of these emails is that they contain links which appear to point to valid government websites; in the HTML of the message, however, the displayed link text masks the actual malicious domain.

Note: One local government has indicated that they received the same phishing email. Please note that the links in that email are masking a different malicious domain.

The email will contain the following:

Subject: To All Employee's -  Important Address UPDATE

Message Body:

To All Employee's:

The end of the year is approaching and we want to ensure every employee receives their W-1 to the correct address. Verify that the address is correct –

hxxps://local.youragency.state.gov/details.aspx?id=3D199353=9665

If changes need to be made, contact HR at

hxxps://hr.youragency.state.gov/update.aspx?id=3D1993539665.

Administrator, http://youragency.state.gov

When the link is clicked, users are redirected to the following URL:

  • hxxp://mardamusic[.]com/gelt/index.htm

The links in the local government phishing email are masking a different malicious domain. That URL is hxxp://www[.]behringerr[.]de/bohemian/index.html.

Please note that the link in the email does not indicate that the agency website is compromised. The message's HTML displays an agency URL as the link text while the link itself points to the URL above.
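The masking the bulletin describes is a plain HTML anchor whose visible text is an agency-looking URL while its href points somewhere else. The following is an added example, not part of the bulletin and not SC-ISAC tooling, of how a mail gateway or an analyst script can flag such anchors: it parses the HTML body, extracts each link's href and visible text, and reports every anchor whose displayed host differs from the host the link actually points to. The sample body and the masked-destination.example destination are constructed for the example and are not the bulletin's indicators.

```python
import re
from html.parser import HTMLParser

# Matches the hostname at the start of a URL or bare domain; the lookahead stops the
# match at a path, port, query or fragment so the comparison is host-to-host.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?=[/:?#]|$)", re.I)


def host_of(value):
    """Return the lowercase host named by a URL-looking string, or None if it names none."""
    match = HOST_RE.match(value.strip())
    return match.group(1).lower() if match else None


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, None outside an anchor
        self._text = []     # visible text fragments of the open anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_masked_links(html_body):
    """Return anchors whose visible text names one host while the href points at another."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample body modelled on the lure text; the href targets are placeholders.
SAMPLE_EMAIL_HTML = """\
<p>The end of the year is approaching and we want to ensure every employee
receives their W-1 to the correct address. Verify that the address is correct &ndash;</p>
<p><a href="https://masked-destination.example/gelt/index.htm">https://local.youragency.state.gov/details.aspx?id=3D199353=9665</a></p>
<p>If changes need to be made, contact HR at
<a href="https://hr.youragency.state.gov/update.aspx?id=3D1993539665">https://hr.youragency.state.gov/update.aspx?id=3D1993539665</a>.</p>
<p><a href="https://masked-destination.example/gelt/index.htm">click here</a> to confirm.</p>
"""

if __name__ == "__main__":
    for finding in find_masked_links(SAMPLE_EMAIL_HTML):
        print(f"displayed {finding['shown']} but links to {finding['actual']} ({finding['href']})")
```

Only the first anchor is reported: its text shows local.youragency.state.gov while the href goes to the placeholder host. The HR link's text and href agree, and the "click here" anchor displays no host at all, so this host comparison deliberately leaves it alone; external links with non-URL text are a separate policy decision for the gateway.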

This page loads three scripts, hosted at the following domains, that contain the logic to identify vulnerabilities on the visiting system:

  • Tilo-shculze[.]de
  • Nazorra[.]com[.]br
  • Spiritwatergardens[.]com

Then users are redirected to the following URL:

  • hxxp://5.chinottoneri[.]com/links/landing-philosophy_dry-suspende.php

This URL then redirects the user to the URL below, from which the payload is downloaded:

  • hxxp://q.e-tecinnovation[.]co[.]uk/adobe/update_flash_player.exe

Open source research suggests that this file is a Zeus Trojan. Based on additional analysis performed by the MS-ISAC CERT, this is GameOver Zeus, and the following IPs and domains were flagged and should also be blocked:

  • aqcayhmzrsybqpvnzgenvlbeubu[.]info[.]
  • yprktcfinzcavwiryhdytvwpz[.]info[.]
  • dpfukjfhqkreqsgyruckfucgetc[.]info[.]
  • badybayxdlnmzhofdymnbmup[.]info[.]
  • yxdlobfurwbusconmjugdmstwv[.]org[.]
  • cqmfljcyxpvxqklrvohbuqcirnz[.]com[.]
  • mardamusic[.]com
  • Tilo-shculze[.]de
  • Nazorra[.]com[.]br
  • Spiritwatergardens[.]com
  • 5[.]chinottoneri[.]com
  • q[.]e-tecinnovation[.]co[.]uk
  • 92[.]43[.]122[.]34
  • 195[.]22[.]26[.]231
  • 208[.]94[.]246[.]218
  • www[.]behringerr[.]de

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Search all available logs and identify any traffic destined to the above indicators.
  • Search email inboxes for messages with the reported subject line, and delete those messages.
  • Since most of these emails originate from spoofed email accounts, educate your users to check the sender of an email and verify the sender's legitimacy.
  • Block traffic to all of the above domains and IP addresses at your network perimeter devices.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Remind users to be cautious when clicking on links in emails coming from trusted sources.
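To act on the first recommendation (and to build the block list for the fourth), the published indicators have to be refanged and compared against log records. The block below is an added example, not SC-ISAC tooling: it refangs a subset of the bulletin's indicators (both the [dot] and [.] defanging styles, the hxxp scheme and the trailing FQDN dot are handled), then scans Squid native-format proxy log lines and reports each request whose destination host (or any subdomain of a listed domain) or upstream peer IP matches an indicator. The log lines, the 10.1.x.x client addresses and the 203.0.113.x peer addresses are constructed sample data, and the cdn-files.example host is a placeholder.

```python
import re
from urllib.parse import urlparse

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# A subset of the indicators published in the bulletin, kept in their defanged form.
BULLETIN_INDICATORS = [
    "aqcayhmzrsybqpvnzgenvlbeubu[dot]info[dot]",
    "mardamusic[dot]com",
    "www[dot]behringerr[dot]de",
    "5[.]chinottoneri[dot]com",
    "q[.]e-tecinnovation[dot]co[dot]uk",
    "92[.]43[.]122[.]34",
    "208[.]94[.]246[.]218",
]


def refang(indicator):
    """Turn a defanged indicator ([.] / [dot] / hxxp, trailing FQDN dot) into its plain value."""
    value = indicator.strip().lower()
    value = re.sub(r"\[(?:\.|dot)\]", ".", value)
    value = re.sub(r"^hxxp", "http", value)
    return value.rstrip(".")


def match_indicator(host_or_ip, domain_iocs, ip_iocs):
    """Return the indicator a host or IP matches: exact for IPs, suffix-aware for domains."""
    if host_or_ip in ip_iocs:
        return host_or_ip
    labels = host_or_ip.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])   # host itself, then each parent domain
        if candidate in domain_iocs:
            return candidate
    return None


def scan_proxy_log(log_text, defanged_indicators):
    """Return one hit per log line whose request host or upstream peer IP matches an indicator."""
    iocs = {refang(i) for i in defanged_indicators}
    ip_iocs = {i for i in iocs if IPV4_RE.match(i)}
    domain_iocs = iocs - ip_iocs
    hits = []
    for line in log_text.splitlines():
        # Squid native format: time elapsed client code/status bytes method URL rfc931 peer/host type
        fields = line.split()
        if len(fields) < 9:
            continue  # not a complete record
        client, url, peer = fields[2], fields[6], fields[8]
        host = (urlparse(url).hostname or "").lower()
        peer_ip = peer.rsplit("/", 1)[-1]
        for value in (host, peer_ip):
            hit = match_indicator(value, domain_iocs, ip_iocs)
            if hit:
                hits.append({"client": client, "url": url, "indicator": hit})
                break
    return hits


# Constructed sample log; peer addresses on the domain lines are placeholders.
SAMPLE_PROXY_LOG = """\
1353340800.120    312 10.1.5.23 TCP_MISS/200 4021 GET http://mardamusic.com/gelt/index.htm - DIRECT/203.0.113.5 text/html
1353340801.410     88 10.1.5.23 TCP_MISS/302 512 GET http://5.chinottoneri.com/links/landing-philosophy_dry-suspende.php - DIRECT/203.0.113.6 text/html
1353340802.900   1502 10.1.5.23 TCP_MISS/200 248320 GET http://q.e-tecinnovation.co.uk/adobe/update_flash_player.exe - DIRECT/203.0.113.7 application/octet-stream
1353340810.001     40 10.1.7.9 TCP_HIT/200 1200 GET http://www.example.org/index.html - NONE/- text/html
1353340811.555     95 10.1.7.9 TCP_MISS/200 3300 GET http://intranet.youragency.state.gov/home - DIRECT/203.0.113.10 text/html
1353340820.300    410 10.1.5.23 TCP_MISS/200 9100 GET http://cdn-files.example/dl.bin - DIRECT/92.43.122.34 application/octet-stream
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, BULLETIN_INDICATORS):
        print(f"{hit['client']} -> {hit['url']} matched {hit['indicator']}")
```

Four of the six constructed lines are reported: the three requests along the redirect chain match by hostname, and the last line matches only through its upstream peer IP, which is why the peer field is checked as well as the URL. The suffix match means a request to any subdomain of a listed domain is also flagged, which is the behaviour you normally want for a perimeter block list.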

Please feel free to contact the SC ISAC if you have any questions or need any additional information.

The SC ISAC will provide amplifying information as it becomes available.

SC-ISAC Contact Information

Email: SC-ISAC@cio.sc.gov

SC ISAC Security Line: 803-896-1650

24-hour hotline: +1 803-896-0001

Fax: +1 803-896-0375

Postal address:

SC-ISAC
DSIT Budget and Control Board
4430 Broad River Road
Columbia S.C. 29210

SC-ISAC is available via hotline 08:00-17:00 EST (GMT-5) / EDT (GMT-4), Monday through Friday

Using Encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from:

https://sc-isac.sc.gov/public.key

NO WARRANTY

Any material furnished by SC-ISAC is furnished on an "as is" basis.

SC-ISAC makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. SC-ISAC does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

© 2014 Coastal Carolina University | P.O. Box 261954, Conway, SC 29528-6054 | +1 843-347-3161