Hello, welcome to the Friday, December 9th, 2016 edition of the Sands and at Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

I wrote up a little bit an older event today. December 1st, I received an email that was made

to look like an abuse notice, like I did something wrong with one of my domains,

and it came from an entity that called itself domain cops.

Now, they actually registered domaincops.net,

and the email came from a legitimate mail server

that was associated with that domain, in that the email was signed with

D-Kim. The interesting part was that the links in the email didn't go to a legitimate abuse report,

but instead straight to malware. Now, sad for them even thought they had actually a pretty nice

setup here with the domain name and everything, but the exploit was pretty straightforward.

It was an old, a few years old RTF, rich text format exploit that exploits older versions of Microsoft VIRT.

So nothing really too dangerous. Also, the email itself kind of, when you see it, I posted a screenshot of the email, looks

not all that great, for example.

They list a phone number that looks, to me at least, obviously fake.

But in general, in particular, the help desk individuals and the like in your

organizations that may be receiving notices like that, they of course have to be aware that they

should expect malicious attachments once in a while as well. I have seen others use attachments

and use links like that in order to substantiate an abuse report.

Trying to avoid this myself, but sometimes there's just too much data.

So you post an excerpt of the data in the email itself, but then link to the rest of the data

via a URL.

...