Beware of the hoax

I have just had from a client what appears to be the latest scare, one that will inevitably result in some kind of infection. This is how it looks; by the way, it appears very genuine.

From: Abuse Department [mailto:abuse-uk-irl@ripe.net]

Sent: 24 September 2010 14:32

To: XXXXXXXXXXXXXX

Subject: ISP DISCONNECTION WARNING – ADVISORY ABUSE NOTICE

From: <abuse-uk-irl@ripe.net>

Date: Fri, Sept 24, 2010 at 12:44 PM

Investigation Number: 1171

Subject: ISP DISCONNECTION WARNING – ADVISORY ABUSE NOTICE

For The Attention Of: The Bill payer/Owner of this ISP account.

Our investigations have determined that your Internet Services account has been used to scan, flood or attempt to gain unauthorized access to another computer, (please see the details of the incident(s) attached to this e-mail). This activity is a violation of our Internet Services Acceptable Use Policy and the our Internet Services Account Agreement, under which you have been provided service.

THIS NOTICE IS TO ADVISE YOU THAT FURTHER ABUSE OF YOUR INTERNET SERVICES ACCOUNT MAY RESULT IN A SUSPENSION OR TERMINATION OF YOUR ACCOUNT, WITHOUT FURTHER NOTICE TO YOU. We are empowered to take such action if, in our sole determination, you have violated the terms of our Acceptable Use Policy or our Internet Services Account Agreement.

The alleged incident originated from the local IP address of 192.168.1.100 which, at the time of the incident, was assigned to a device with the unique physical address of 00:13:10:24:45:F8. This address identifies the network adapter or router connected to your ADSL/Broadband modem.

If you are unaware of this type of activity coming from your account, you may wish to inquire with others who may have access to your account and/or change the password to your account to ensure that only authorized users have access to it. IT IS ALSO POSSIBLE THAT YOUR COMPUTER MAY BE INFECTED WITH A VIRUS OR YOUR COMPUTER SYSTEM MAY HAVE SOME OTHER SECURITY PROBLEM SUCH AS AN UNSECURED MAIL OR PROXY SERVER WHICH COULD ACCOUNT FOR THIS ACTIVITY ORIGINATING FROM YOUR SYSTEM.

In the event you are not able to attend to the situation immediately, please disconnect your computer from the ADSL modem to prevent further abuse.

A full description of the incident including realtime IP addresses and web traffic can be found in the attachment.

Any questions of help can be obtained from out staff during office hours 0900-1700 Monday to Friday.

Our complete contact information can also be found in the PDF report.

Kind Regards

The Abuse Team

Attached to the email is a so-called ‘report’, which is a ‘RAR’ file. Inside the ‘RAR’ file is another file named ‘Incident-Report-201009241171.pdf.exe’. So far it all looks like an elaborate hoax: the network the client is on is not in the range mentioned in the email, and since when is a report sent as an executable file?
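The two tells above (a private "origin" address that nobody outside the LAN could have observed, and an executable hiding behind a document extension) can be checked mechanically. Here is an added triage script, not part of the original post, that runs those checks over the quoted notice and attachment name; the sample text and the extension lists are constructed for the example.

```python
import ipaddress
import re
from typing import List

# Constructed sample: the "origin" address and attachment name quoted in the notice.
SAMPLE_NOTICE = (
    "The alleged incident originated from the local IP address of 192.168.1.100 "
    "which, at the time of the incident, was assigned to a device with the unique "
    "physical address of 00:13:10:24:45:F8."
)
SAMPLE_ATTACHMENTS = ["Incident-Report-201009241171.pdf.exe"]

# Assumed lists for the example; extend to taste.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "txt", "rtf", "xls"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")


def private_origin_addresses(text: str) -> List[str]:
    """Return blamed IPs that are private, loopback or link-local: an outside
    party such as an RIR cannot see these as the source of internet traffic."""
    found = []
    for raw in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # e.g. 999.1.1.1 matched the regex but is not an address
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            found.append(raw)
    return found


def deceptive_attachment_names(names: List[str]) -> List[str]:
    """Return names whose last extension is executable but whose previous
    extension looks like a document (the 'report.pdf.exe' trick)."""
    hits = []
    for name in names:
        parts = name.lower().rsplit(".", 2)
        if len(parts) == 3 and parts[2] in EXECUTABLE_EXTS and parts[1] in DOCUMENT_EXTS:
            hits.append(name)
    return hits


def triage(text: str, attachments: List[str]) -> List[str]:
    """Collect human-readable findings for a suspicious abuse notice."""
    findings = [f"origin IP {ip} is not routable on the internet"
                for ip in private_origin_addresses(text)]
    if MAC_RE.search(text):
        findings.append("a MAC address is cited; MAC addresses are not visible beyond the local network")
    findings += [f"attachment {n} is an executable disguised as a document"
                 for n in deceptive_attachment_names(attachments)]
    return findings
```

Running `triage(SAMPLE_NOTICE, SAMPLE_ATTACHMENTS)` yields three findings for the quoted email; a genuine notice from an upstream party would cite a public address and carry no executable.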

Either way, I will be putting it through the lab machine later to see what comes out; it will be interesting.

If you do hear of anyone receiving this tell them not to open it.

– Rob
