More Legal Threat Malware E-Mail

Published: 2010-04-13
Last Updated: 2010-04-13 13:35:41 UTC
by Johannes Ullrich (Version: 1)
10 comment(s)

This is more of a reminder than "breaking news". But it may be worthwhile to include this in an awareness newsletter or similar presentation to keep your staff up to date on current social engineering malware. Our reader Andy sent us this e-mail he received. The domain name in the link has been modified. We of course had similar malware in the past claiming to be court documents or intellectual property violation notices.

Subject: Notice: Contract terms breached.

5 April, 2010

You are hereby put on notice that as of 7/1/2010 you are in breach of our contract dated 3/12/2007.
The nature of said breach is: False Advertising, Breach of Contract, Bad faith Breach of Contract, Fraud and Deceit.
It is our desire to inform you of the foregoing and afford you the opportunity to cure said breach.
You may in any event be held responsible for all damages arising from said breach.

To view a copy of the complaint please visit our company website: http://---URL REMOVED---/
Please use the CASE ID located at the end of the document to find the copy of the complaint.

You have until 10th of May 2010 to cure said breach, after which we will be forced to pursue further legal action.
Jim Karter

CASE ID: 4322524


Johannes B. Ullrich, Ph.D.
SANS Technology Institute
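
The sample above can be matched on content rather than on sender, which reader comments on this diary report as inconsistent. The following Python sketch is an added example, not part of the original diary: it scores a raw message on traits visible in the sample (legal-threat subject, a link, a "CASE ID" reference, an invitation to view the complaint). The regexes, trait names, threshold and both test messages are assumptions made for illustration.

```python
import re
from email import message_from_string

# Traits taken from the sample text; sender and source IP are ignored on purpose.
# The regexes, trait names and THRESHOLD are assumptions chosen for illustration.
TRAITS = {
    "legal_subject": ("subject", re.compile(r"\b(breach(ed)?|complaint|contract)\b", re.I)),
    "has_link": ("body", re.compile(r"https?://[^\s<>\"']+", re.I)),
    "case_id": ("body", re.compile(r"\bcase\s+id\b", re.I)),
    "complaint_lure": ("body", re.compile(
        r"\b(view|find)\b[^.]{0,60}\bcopy of the (full )?complaint\b", re.I)),
}
THRESHOLD = 3

def body_text(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def score_message(raw):
    """Return (score, sorted names of matched traits) for one raw message."""
    msg = message_from_string(raw)
    fields = {"subject": msg.get("Subject", ""), "body": body_text(msg)}
    hits = sorted(n for n, (field, rx) in TRAITS.items() if rx.search(fields[field]))
    return len(hits), hits

def is_suspect(raw):
    return score_message(raw)[0] >= THRESHOLD

# Constructed messages: lure wording follows the sample above; hosts are placeholders.
LURE = """From: sender@example.invalid
Subject: Notice: Contract terms breached.

To view a copy of the complaint please visit our company website: http://example.invalid/
CASE ID: 0000000
"""
BENIGN = """From: billing@example.invalid
Subject: Contract renewal reminder

Your support contract renews on 1 June. Details: https://portal.example.invalid/renewals
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, score_message(raw), is_suspect(raw))
```

A legitimate contract notice with a link matches only two traits and stays under the threshold, so the score is better suited to quarantine-and-review than to silent deletion.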



We just received the same junk mail this morning, as well as another:

Subject: Complaint regarding Breach of Contract.

Notice is hereby given that we cancel our contract dated 0/1/2007 for the following reason.
That on 8/4/2010, you breached said contract in the
following respect: .
Cancellation of said contract is effected in respect to that certain installment delivered on 2/6/2010, and for any subsequent delivery of goods, contracted for in said contract, inasmuch as your breach impairs the contract as a whole.
We claim damages from you in the amount of $22,981.55

If you would like to view a copy of the full complaint please visit our website and search for your Case ID at the bottom of this letter.

http://---URL REMOVED---/

We had six of these on 4/12 targeting HR and C-level users. The first URL was not blocked by our web filtering system. Following the redirect and obfuscated-script trail, the second two hops were blocked, so no users were affected, though one did click through...

Would anyone be willing to post the URL so that I could block it?

Davef, here you go: (remove all of the spaces)

h t t p : / / w w w . l a w - t o - d a . c o m

Has anyone seen a consistent Sender email address or domain that we could use to update our Spam filters? Thanks in advance

There is another URL as well, http://www. durand blaw. com
(remove spaces)

The sender addresses varied.
No consistency to the senders or source IPs, this was very low volume and very targeted.
A reminder: when you receive malware like this, _PLEASE_ report the domain names to so that others can benefit.

I've had similar emails come through with a URL link via IP not domain name. The URL is
Another run over the past couple of days is using www.t h o m a s - a n d - h a r r i
