South Carolina Information Sharing and Analysis Center
SC INFORMATION SHARING AND ANALYSIS CENTER BULLETIN
DATE ISSUED: 11/21/2012
SUBJECT: Recent Phishing Against state.gov Email Addresses
Two states have reported to the MS-ISAC phishing attacks against state.gov email addresses that occurred on November 19, 2012. These attacks involve phishing emails originating from various external sources, some of which are spoofed as firstname.lastname@example.org. A unique characteristic of these emails is that they contain links which appear to point to valid government websites; however, the HTML of the message uses that legitimate-looking link text to mask the actual malicious domain.
Note: One local government has indicated that they received the same phishing email; the links in that email mask a different malicious domain.
The email will contain the following:
Subject: To All Employee's - Important Address UPDATE
To All Employee's:
The end of the year is approaching and we want to ensure every employee receives their W-1 to the correct address. Verify that the address is correct –
If changes need to be made, contact HR at
When the link is clicked, users are redirected to the following URL:
The links in the local government phishing email are masking a different malicious domain. The URL is hxxp://www[.]behringerr[.]de/bohemian/index.html.
Please note that the link in the email does not indicate that the agency website is compromised. The email uses HTML to display a legitimate-looking link while the actual destination is the URL above.
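To illustrate the masking technique described above, the following added example (not part of this bulletin) parses an HTML message body and flags every anchor whose visible link text names a different host than the one its href actually visits, reporting the real target defanged in the bulletin's hxxp/[.] style. All domains in the embedded sample are constructed placeholders.

```python
# Added example, not from the SC-ISAC bulletin: flag HTML anchors whose visible
# text names one host while the href visits another. Sample domains are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

def host_of(text):
    """Host named by a URL or bare domain in text, or '' if it is not one."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    text = text if "://" in text else "http://" + text
    return urlparse(text).hostname or ""

def defang(url):
    """Render a URL as the bulletin does (hxxp, [.]) so it is safe to paste."""
    return url.replace("http", "hxxp").replace(".", "[.]")

class _Anchors(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def find_masked_links(html):
    """Anchors whose visible text is a URL/domain for a different host than href."""
    parser = _Anchors()
    parser.feed(html)
    return [(text.strip(), defang(href)) for href, text in parser.links
            if host_of(text) and host_of(href) and host_of(text) != host_of(href)]

# Constructed phishing body modelled on the bulletin's description.
SAMPLE = ('<p>Verify that the address is correct - '
          '<a href="http://www.phish.example/bohemian/index.html">'
          'https://hr.agency.sc.example.gov/address</a></p>'
          '<p>Contact HR at <a href="https://hr.agency.sc.example.gov">'
          'https://hr.agency.sc.example.gov</a></p>')
```

Running find_masked_links(SAMPLE) flags only the first anchor, whose visible text shows the agency host while the href points to the constructed phishing domain; the second anchor, where text and href agree, is not reported.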
This page loads three scripts from the following domains; the scripts contain logic to identify vulnerabilities on the visiting system:
Then users are redirected to the following URL:
This URL then redirects the user to the URL below, from which the payload is downloaded:
Open source research suggests that this file is a Zeus Trojan. Based on additional analysis performed by the MS-ISAC CERT, this is GameOver Zeus and the following IPs and domains were flagged and should also be blocked:
We recommend the following actions be taken:
· Search all available logs and identify any traffic destined to the above indicators.
· Search email inboxes for messages with the reported subject line, and delete those messages.
· Since most of these emails originate from spoofed email accounts, educate your users on checking the senders of emails and verifying the legitimacy of the sender.
· Block traffic to all of the above domains and IP addresses at your network perimeter devices.
· Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
· Remind users to be cautious when clicking on links in emails, even those coming from trusted sources.
Please feel free to contact the SC ISAC if you have any questions or need any additional information.
The SC ISAC will provide amplifying information as it becomes available.
SC-ISAC Contact Information
SC ISAC Security Line: 803-896-1650
24-hour hotline: +1 803-896-0001
Fax: +1 803-896-0375
DSIT Budget and Control Board
4430 Broad River Road
Columbia S.C. 29210
SC-ISAC is available via hotline 08:00-17:00 EST (GMT-5)/ EDT (GMT-4)
Monday through Friday
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from:
Any material furnished by SC-ISAC is furnished on an "as is" basis.
SC-ISAC makes no warranties of any kind, either expressed or implied as to
any matter including, but not limited to, warranty of fitness for a particular
purpose or merchantability, exclusivity or results obtained from use of the
material. SC-ISAC does not make any warranty of any kind with respect to
freedom from patent, trademark, or copyright infringement.