US Federal Court Subpoena Phish: cacd-uscourts.com
This is one of the best phish e-mails I've seen in the past 6 years.
On April 14, 2008, I received an official looking subpoena via email requesting me to appear in San Diego in front of a grand jury. It had my name, phone number, company, and correct email address on it and looked pretty legitimate. Even the URL to find out more looked legitimate at first glance.
The mail was only sent to CEOs. The US District Court in San Diego received over 400 complaints from all over the world. About 10% of all CEOs I'm aware of were sent one. Verisign alone reports that over 1,800 clicked on the email. The email addresses were not harvested from the web; some of the addresses they used are in fact not on the web anywhere, so the spammers probably bought a list of CEOs from a database company. Rather than blasting the message out en masse, the scammers target and personalize it to CEOs; they get a higher response rate and they get a bigger fish, i.e., someone with major bucks they can steal. It's called "whaling" for that reason.
Unlike with most phish, some pretty savvy CEOs have been taken in by this one and downloaded the malware. One CEO I know found the message in his spam quarantine and was so convinced it was legitimate that he released it!
But don’t be fooled. Its purpose is to download malware onto your computer. Do not click the link. I’ll point out how to spot these frauds and four simple steps you can take to protect yourself in the future.
Note: If you are from the FBI, these guys messed up and left their fingerprints on the evidence. Contact me using the help link and I'll tell you where you can find the perpetrators.
I didn’t fall for it, but I imagine most people would have fallen for it.
Secondly, because it was sent from Verizon’s authorized mail servers and didn’t contain any content that looks like spam, most spam filters have no way to detect a phish like this. In fact, I know of only one spam filter (the one invented by Abaca) that can reliably catch scams like these automatically, without human intervention, as soon as they are launched.
So both machines and humans are easily fooled by this phish, making it extremely dangerous. That's why the complaint rate was so high, even though the distribution was limited.
You are fooled because it looks very legitimate and they use your email, correct name, telephone number, etc. Most people have never received a subpoena from anyone, so when you get this subpoena, you are anxious and worried and want to rush in and know why you have to travel to San Diego to appear.
When you click the link, you are directed to an official looking court site. I browsed to the site using Firefox and it told me that the website required IE. If you browse with IE, it tells you to download the Adobe Acrobat Active X plug in. When you do that, it tells you the case is closed. See details below.
It’s a scam and you just downloaded malware which may crash your computer and do untold amounts of damage to your machine both now and potentially in the future.
But you think nothing of it. Most people never realized they were just scammed! Once you see the case was dismissed, you are relieved and never suspect anything.
Here are the things that might have tipped you off if you had looked closely at this message; together they are the factors that make this one of the best phish we've seen in years. Most people would not have known or spotted all of them. That’s why the scam works so well!
1. Subpoenas are never served via email. It’s not legal to serve a subpoena via email. Subpoenas must be served personally (unless you’ve agreed to be served by fax or email) because otherwise there is no legal guarantee that you received it. For example, the email could have been eaten by my spam filter. So you’ll never get a lawsuit or subpoena via email.
2. All US Federal courts have URLs of the form courtname.uscourts.gov. The website you are directed to for more information is cacd-uscourts.com. No federal court would have its own separately registered domain like this. All federal court domains end in uscourts.gov, not uscourts.com. The proper URL of the Federal court in this case is casd.uscourts.gov for the Southern District of California. Note that cacd is the wrong court (San Diego is in the Southern District, not the Central District). The hyphen makes cacd-uscourts.com a separately registered domain rather than a subdomain of uscourts.gov.
3. The case number isn’t in the right format. I tried searching for the case number with my Pacer account, and it couldn’t find it.
4. The From: address is ridiculous: United States District Court <email@example.com>. Even if you were sent something from the court via email, it would not have such a generic return address. It would have a specific court name, and it would be at uscourts.gov.
5. The mail path shows it came from a Verizon customer account via the normal mail servers Verizon uses for customer outgoing e-mail. My mail was sent by vms046pub.verizon.net. Others have used other customer mail servers at Verizon.net. All the scams were sent from Verizon mail servers. There were at least 3 different IP addresses that originated the mail (before it hit the Verizon servers). Courts don’t send email through Verizon. They send email directly from their own domain. This email probably got through a lot of spam filters because it came from Verizon’s mail server (and not from the IP address of Verizon’s customer) and because the content does not look like the typical spam. It’s unfortunate that Verizon doesn’t require the From: address to match their customer’s domain name!!
6. Subpoena is misspelled. Real subpoenas don’t have obvious misspellings, especially of subpoena. “subpoenaed” was missing an “e”. It should be “records” not “record.”
7. Typos abound. Organization is spelled with an “s.” There is no space after “matter.” Present is spelled as “oresent .” The citation format of the Federal Rules of Civil Procedure is wrong and it is “Procedure” not “Procedures.” And so on. Official documents rarely if ever have a typo or use improper English.
8. A US Attorney would issue a Federal Subpoena, not a “City Prosecutor.” There is no such thing as a City Prosecutor in California.
9. It doesn’t provide a person’s name on the subpoena. All subpoenas have the name of a real person you can contact, e.g., if for some reason you cannot attend. This email just gives a law firm without a specific person. And the name of the law firm is misspelled.
10. The person requesting appearance doesn’t match the issuing officer’s name. At the bottom it says the request is from the (unnamed) City Prosecutor. But in the middle, it says it was issued by a private law firm. District Attorneys would use their own address, not the misspelled name of a private law firm in Los Angeles.
11. Courts would always identify themselves specifically. A real subpoena would have the specific name of the court. This just has a generic “United States District Court.”
12. US Courts require you to login to view case information. That’s why people like me have Pacer accounts. Yet the link supposedly gets you to the Docket page on this case. Red flags should be going up.
13. The website name and links on the page don’t match. The website is named cacd-uscourts.com. But all of the links to the images are uscourts.gov. See the obvious mismatch?
14. The website CACD-USCOURTS.COM is registered to Michael Rice with an address in London, UK. The webserver is located in China. Hmmm…why would a Federal Court in the US be registered to an individual in the UK?? Gotta ponder that one. Also the registrar for that domain name is web4africa.net which is a service provider in West Africa. Guess the US courts couldn’t find a US-based registrar. Name service is provided by ns1.sxsx.info and ns2.sxsx.info, a domain that runs porn sites and hosts 101 domains. That domain in turn is registered by eNom, a legitimate US provider. Maybe the court got a good deal on the price for name service from the porn site? Probably not. The webserver for cacd-uscourts.com is at 18.104.22.168. It is located in Shandong, China.
15. The domain name was just registered two days ago, on April 12, 2008. Hard to believe a federal court in California would have registered its domain just two days ago, on a Saturday, isn’t it?
16. The website asks you to download the Adobe Acrobat ActiveX control. There is no such thing.
17. The ActiveX control they ask you to download is from Antares Advanced Test Technologies. So even if there were an Adobe ActiveX control, you’d download it from Adobe, not from some company you’ve never heard of. Antares is actually a legit company, but that ActiveX control isn’t.
18. The alternate link to download the Acrobat control is phishy. The click “here” link points to http://cacd-uscourts.com/body.php? If that isn’t a red flag, I don’t know what is. First of all, a US Court would never be a download host for Acrobat; that would be a copyright violation. Secondly, the link would never be called “body.php.”
19. I already have browsed sites with Acrobat documents. So having a US Court site asking me to download a control that I already have makes no sense.
20. The source HTML of the page requesting the download already contains the message telling you that the case is closed. Had you looked at the HTML source, you would have discovered that the case status you are trying to find is hardcoded right on the page. So after you download the virus, the message pops up.
21. The case number is missing when you are told the case is closed. If you didn’t pick up any of the other clues and fell for the scam, you are told the case is closed, but no case number is mentioned. And you are told that the case was closed 2 days before the subpoena was sent. So why did they send you the subpoena on Monday when the case was closed on Saturday? And why would the case be closed on a date when the court isn’t in session?
There are more problems but you get the idea.
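A small Python check for items 2 and 13 above, written here as an added example (it is not code from the original post): it flags a link whose host is not under uscourts.gov, a host that imitates uscourts with its own separately registered domain, and a page whose images and links resolve to a different registered domain than the page itself. The sample URL and HTML are constructed to mirror the description above, not captured from the real site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

COURT_DOMAIN = "uscourts.gov"  # every federal court site lives under this domain

def registered_domain(host):
    # Last two labels of the host: enough for .gov/.com, not for ccTLDs like .co.uk
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_federal_court_host(host):
    h = host.lower().rstrip(".")
    return h == COURT_DOMAIN or h.endswith("." + COURT_DOMAIN)

def looks_like_court_lookalike(host):
    # cacd-uscourts.com contains "uscourts" yet is its own registered domain (item 2)
    return "uscourts" in host.lower() and not is_federal_court_host(host)

class _RefCollector(HTMLParser):
    # Collects the host of every src/href on the page (item 13)
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = urlparse(value or "").hostname
            if name in ("src", "href") and host:
                self.hosts.add(host.lower())

def check_link(url, page_html):
    """Return the red flags raised by the link and the page it leads to."""
    host = (urlparse(url).hostname or "").lower()
    flags = []
    if not is_federal_court_host(host):
        flags.append(f"{host} is not under {COURT_DOMAIN}")
    if looks_like_court_lookalike(host):
        flags.append(f"{host} imitates {COURT_DOMAIN} with a separately registered domain")
    collector = _RefCollector()
    collector.feed(page_html)
    foreign = sorted(h for h in collector.hosts
                     if registered_domain(h) != registered_domain(host))
    if foreign:
        flags.append("page host differs from its linked resources: " + ", ".join(foreign))
    return flags

# Constructed sample modelled on the description above, not captured from the real site
SAMPLE_URL = "http://cacd-uscourts.com/body.php?"
SAMPLE_HTML = ('<img src="http://www.uscourts.gov/images/seal.gif">'
               '<a href="http://cacd-uscourts.com/body.php?">here</a>')
```

Running check_link(SAMPLE_URL, SAMPLE_HTML) returns three flags for the sample, while a genuine casd.uscourts.gov page whose resources all sit under uscourts.gov returns none.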
If you try to access the page via Firefox, it says:
When the page is browsed via IE, it displays a message:
The information bar tells you the website wants to install “Adobe Acrobat ActiveX Control” from “Antares Advanced Test Technologies.” You should know better. Why would a US Court have you download an Adobe product from an unknown company?
When you do that, it tells you:
Note the missing case number. Also, the dates don’t match. The date they claim the case was closed is two days before they sent the subpoena, so why would they have sent it to you? And why are they working on a Saturday? That message was in the same HTML they had already downloaded to you. They just hid it from your sight until you clicked and downloaded the malware.
More info about this scam:
E-mail scam alerts posted to the home page of both central and southern district courts:
Protecting yourself from phish attacks
So how do you protect yourself?