Forbidden Web

Jan 10, 2012

Phishing Campaign Using Spoofed US-CERT E-mail Addresses
US-CERT has received reports of a phishing email campaign that uses spoofed US-CERT email addresses. This campaign appears to be targeting a large number of private sector organizations as well as federal, state, and local governments. US-CERT began receiving reports of this campaign on January 10, 2012.

The subject of the phishing email is: "Phishing incident report call number: PH000000XXXXXXX" containing an attachment titled "US-CERT Operation Center Report XXXXXXX.zip", with the "X" possibly indicting a random value or string. The zip attachment contains an executable file with the name "US-CERT Operation CENTER Reports.eml.exe". Reports indicate that SOC@US-CERT.GOV is the primary email address being spoofed but other invalid email addresses are being used.

US-CERT advises that users do not open the email or any of the attachments and promptly delete the email from their inboxes.

US-CERT encourages users to do the following to reduce the risks associated with this and other phishing campaigns.

Do not open the attachments in email messages from unknown sources.
Install anti-virus software and keep virus signatures files up to date.
Refer to Recognizing and Avoiding Email Scams (pdf) documents for more information on avoiding email scans.
Refer to the Avoiding Social Engineering and Phishing Attacks document for information on social engineering attacks.

US-CERT will provide additional information as it becomes available.