In the last few days we and some of our service provider customers have received what claimed to be a warning from the FBI / US Department of Justice. The emails state that the recipient may be the victim of a crime, and there’s a link in the message to get more information. At first glance, this sure looked like your usual phishing scam. But I checked the links in the email, and they direct you to the DOJ website. I dug into it further and confirmed that the IP address the messages came from belonged to a DOJ IP block. So, I decided to call someone at the DOJ to get the full scoop.
I found out that these notices are valid, and are an awareness effort by the DOJ to notify potential victims about the DNSChanger Trojan. Some four million computers were reportedly infected with the nefarious malware. It was first discovered back in 2007 and has since been re-engineered to infect not only Windows systems but Mac and home networking gear as well. This past November the FBI finally cracked down on the hackers when they arrested six Estonian nationals and confiscated their computer gear in Operation Ghost Click. To ease the impact on infected users, the DOJ implemented a temporary clean DNS system for 120 days to allow infected users to identify and clean their systems. This solution helped some, but it still doesn’t resolve the fact that millions of systems and devices are still infected.
To help raise awareness before they shut down the temporary DNS solution, they started sending out notifications to various parties that might have been infected or who provide service to potential victims. So what can you do to find out if you’re infected? The DOJ has created a website to help users understand the issue, determine whether they have been infected, and fix the problem.
As a precautionary measure it would be wise to verify that none of your computer systems or networking gear is infected, and that all anti-virus and system updates are current.
It’s great that the government is trying to let folks know they may have a security issue. I’m not sure how effective the notifications will be, though. They look pretty “phishy”, and even if someone assumes it’s a valid warning, it’s not really clear what to do about it.
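The two checks described above (do the notice's links really land on the DOJ domain, and did the message really arrive from the DOJ's IP block) and the infection check the DOJ site offers (are a machine's configured DNS resolvers inside the rogue DNSChanger ranges) can all be scripted. The following is an added example, not code from the post or from the DOJ; the network blocks, domain, sample messages and resolver listings in it are constructed placeholders (RFC 5737 documentation ranges), and the real DOJ sender block and rogue resolver ranges must be taken from the DOJ/FBI publications before the script is used for anything real.

```python
import re
import ipaddress
from email import message_from_string
from urllib.parse import urlparse

# Placeholder networks (RFC 5737 documentation ranges). The real DOJ sending block
# and the real DNSChanger rogue-resolver ranges are published by the DOJ/FBI; the
# values below are NOT them and exist only so the example runs offline.
SENDER_BLOCKS = [ipaddress.ip_network("192.0.2.0/24")]             # placeholder
ROGUE_RESOLVER_BLOCKS = [ipaddress.ip_network("198.51.100.0/24")]  # placeholder
EXPECTED_LINK_DOMAINS = ("usdoj.gov",)   # where a genuine notice's links should land

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"""https?://[^\s<>"']+|www\.[^\s<>"']+""", re.IGNORECASE)


def in_any_block(ip_str, blocks):
    """True if ip_str parses as an address inside one of the given networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in block for block in blocks)


def connecting_ip(msg):
    """IP from the topmost Received: header. That header was written by your own
    MTA, so it is the only hop you can trust; lower headers are sender-supplied."""
    received = msg.get_all("Received") or []
    match = RECEIVED_IP_RE.search(received[0]) if received else None
    return match.group(1) if match else None


def link_hosts(body):
    """Hostnames of every URL (with or without a scheme) found in the message body."""
    hosts = []
    for url in URL_RE.findall(body):
        if not url.lower().startswith("http"):
            url = "http://" + url
        hosts.append((urlparse(url).hostname or "").rstrip("."))
    return hosts


def host_in_domains(host, domains):
    """Exact or subdomain match only: 'usdoj.gov.evil.example' must NOT pass."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_notice(raw_email):
    """Apply the post's two checks: sender IP block and link destinations."""
    msg = message_from_string(raw_email)
    ip = connecting_ip(msg)
    hosts = link_hosts(msg.get_payload())
    return {
        "connecting_ip": ip,
        "sender_in_expected_block": in_any_block(ip, SENDER_BLOCKS) if ip else False,
        "link_hosts": hosts,
        "all_links_expected": bool(hosts) and all(host_in_domains(h, EXPECTED_LINK_DOMAINS) for h in hosts),
    }


def resolvers_from_text(text):
    """Pull resolver addresses from /etc/resolv.conf 'nameserver' lines or from the
    'DNS Servers' block of Windows 'ipconfig /all' output (continuation lines too)."""
    ips, in_dns_block = [], False
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            ips.append(m.group(1))
            continue
        if "DNS Servers" in line:
            in_dns_block = True
            value = line.split(":", 1)[1].strip() if ":" in line else ""
            if value:
                ips.append(value)
            continue
        if in_dns_block:
            stripped = line.strip()
            if re.fullmatch(r"[0-9a-fA-F.:]+", stripped):
                ips.append(stripped)
                continue
            in_dns_block = False
    return ips


def rogue_resolvers(text):
    """Configured resolvers inside the rogue ranges: the DNSChanger indicator."""
    return [ip for ip in resolvers_from_text(text) if in_any_block(ip, ROGUE_RESOLVER_BLOCKS)]


# Constructed sample inputs (not real messages, hosts or configurations).
SAMPLE_NOTICE = """Received: from mail.doj.example (mail.doj.example [192.0.2.25])
 by mx.provider.example with ESMTP; Tue, 17 Jan 2012 10:00:00 -0500
From: notify@doj.example
To: abuse@provider.example
Subject: Victim Notification

DO NOT REPLY TO THIS EMAIL.
Current information can be found at www.Notify.USDOJ.GOV or by calling
the Victim Notification System. Details: http://www.notify.usdoj.gov/brochure.
"""
SAMPLE_LOOKALIKE = """Received: from relay.example (relay.example [203.0.113.7])
 by mx.provider.example with ESMTP; Tue, 17 Jan 2012 10:05:00 -0500
From: notify@doj.example
To: abuse@provider.example
Subject: Victim Notification

Please log in at http://www.notify.usdoj.gov.verify-case.example/vns to view your case.
"""
SAMPLE_RESOLV_CONF = "search corp.example\nnameserver 198.51.100.42\nnameserver 192.0.2.53\n"
SAMPLE_IPCONFIG = ("   DNS Servers . . . . . . . . . . . : 198.51.100.7\n"
                   "                                       192.0.2.53\n")

if __name__ == "__main__":
    print(triage_notice(SAMPLE_NOTICE))
    print(triage_notice(SAMPLE_LOOKALIKE))
    print(rogue_resolvers(SAMPLE_RESOLV_CONF), rogue_resolvers(SAMPLE_IPCONFIG))
```

The lookalike sample shows why the link check compares whole labels rather than searching for the string "usdoj.gov" anywhere in the host: a host such as www.notify.usdoj.gov.verify-case.example contains the real domain but is not under it. Likewise only the Received: header added by your own mail server is evidence of where a message came from; anything below it was written by whoever sent the mail.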
Following is the text from one of the emails received:
DO NOT REPLY TO THIS EMAIL.
U.S. Department of Justice
Federal Bureau of Investigation
FBI – New York
26 Federal Plaza, 23rd Floor
New York, NY 10278
Phone: (212) 384-2564
Fax: (212) 384-4104
January 17, 2012
Dear Business Representative:
We are contacting you because you have been identified by the FBI as a possible victim of a crime. This case continues to remain under investigation. A criminal investigation can be a lengthy undertaking, and, for several reasons, we cannot provide you with additional information about its progress at this time. A victim of a federal crime is entitled to receive certain services, such as information regarding available emergency medical and social services; available public and private programs for counseling, treatment, and other support; and notice of certain events in the progress of the case. For further details, please refer to Title 42 United States Code Section 10607 and/or the brochure posted on www.notify.usdoj.gov.
Attached you will find additional information related to this case and details on how to access the specific addresses associated with your company that were affected.
Current information regarding the status of your case can be found on the Internet at www.Notify.USDOJ.GOV or by calling the Victim Notification System (VNS) Call Center at 1-866-DOJ-4YOU (1-866-365-4968). You will need to enter your Victim Identification Number (VIN) 3527540 and your Personal Identification Number (PIN) 2670 anytime you contact the Call Center and the first time you log into VNS on the Internet.
You can also use the Call Center and the Internet to correct/update your contact information and/or change your decision regarding participation in the notification system. Please remember, however, that the first time you access the VNS Internet site, you will be prompted to enter your last name (or business name) and need to enter it as currently contained in VNS and spelled within this letter. Your participation in this notification system is totally voluntary. You can choose not to participate or reactivate your access at any time.
If you have any concern regarding the validity of this letter or would like to speak with me regarding any questions you may have, please feel free to call me at the number listed above. When you call, so that I can assist you as promptly as possible, please provide me the file number listed at the top of the letter.