Most of us are familiar with the dreaded CryptoLocker ransomware outbreak that started a couple of years ago and continues with variations today. From the email warning quoted below, it appears that a new ransomware outbreak is targeting lawyers and law firms. This is especially dangerous because the email appears to come from an official state bar or lawyer regulatory organization. Be aware!
Subject: MS-ISAC CYBER ALERT - Malicious Email Campaign Targeting Attorneys Spoofs Emails From Statewide Legal Organizations - TLP: WHITE
MS-ISAC CYBER ALERT
TO: All MS-ISAC Members, Fusion Centers, and IIC partners
DATE ISSUED: June 16, 2016
SUBJECT: Malicious Email Campaign Targeting Attorneys Spoofs Emails From Statewide Legal Organizations - TLP: WHITE
In June 2016 MS-ISAC became aware of a malicious email campaign targeting attorneys, which spoofs emails from statewide legal organizations, such as the Bar Association and the Board of Bar Examiners. The subject and body of the emails include claims that “a complaint was filed against your law practice” or that “records indicate your membership dues are past due.” Recipients are asked to respond to the claims by clicking a link which leads to a malicious download, potentially ransomware.
The emails are well written and appear to originate from the appropriate authority, such as an Association official, likely increasing their effectiveness. Reporting from various states indicates a likelihood that this campaign is personalized to individuals practicing in a particular state and may be progressing on a state-by-state basis. The following states have been referenced in public reporting on this campaign: Alabama, California, Florida, Georgia, and Nevada. This targeting may include attorneys working for state, local, tribal, and territorial (SLTT) governments.
MS-ISAC recommends the following actions:
• Share this information with potentially impacted organizations in your area of responsibility, including Departments of Law/Justice, related law enforcement agencies, and agency-specific offices of counsel.
• Train government legal professionals in identifying spear phishing emails which may include spoofed email addresses, unusual requests, and questionable and/or masked links. This particular series of emails includes what appears to be a link to the state bar association, but when the user hovers over the link it shows that the link is really to a different website. Copying and pasting the link, instead of clicking on it, would defeat this social engineering attempt.
• Perform regular backups of all systems to limit the impact of data loss from ransomware infections. Backups should be stored offline.
• Additional recommendations for protecting against and responding to phishing campaigns are available at https://msisac.cisecurity.org/whitepaper/documents/MS-ISAC%20Security%20Primer%20-%20Phishing.pdf.
• Additional recommendations for protecting against and responding to ransomware infections are available at https://msisac.cisecurity.org/whitepaper/documents/CIS%20Primer%20-%20Ransomware.pdf.
• Report any suspicious emails to the Internet Crime Complaint Center (IC3, www.ic3.gov), as well as to the legal organization which is spoofed in the addressed email.
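The "hover over the link" check in the second recommendation can be automated at the mail gateway or in a triage script. The following is an added example, not part of the MS-ISAC alert or of this post: a Python script that parses an email's HTML body and flags anchors whose visible text shows one domain while the href actually points to another. The sample message and every domain in it are constructed placeholders, and the two-label domain comparison is a simplification assumed here (a production filter would use a public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (placeholder domains, not real organizations):
# the first link displays one address but its href points elsewhere,
# the second link is consistent and should not be flagged.
SAMPLE_EMAIL_HTML = """
<p>Our records indicate a complaint was filed against your law practice.
Review it at <a href="http://files.example.net/complaint.zip">http://www.statebar.example/complaints</a>.</p>
<p>Membership dues: <a href="https://www.statebar.example/dues">www.statebar.example/dues</a></p>
"""

# Matches text that looks like a URL or a bare hostname; group 1 is the host.
URL_LIKE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#]\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []     # visible text fragments inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Assumed simplification: the last two labels stand in for the registrable domain."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_mismatched_links(html):
    """Return every link whose displayed domain differs from the domain the href resolves to."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual_host = urlparse(href).hostname or ""   # "" for mailto:, relative links, etc.
        match = URL_LIKE.search(text)
        if not match or not actual_host:
            continue   # visible text is not URL-like ("Click here"); hover check still needed
        shown_host = match.group(1)
        if registrable_domain(shown_host) != registrable_domain(actual_host):
            findings.append({"shown": shown_host, "actual": actual_host, "href": href})
    return findings


if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"displayed {finding['shown']} but points to {finding['actual']} ({finding['href']})")
```

Only anchors whose visible text itself looks like a URL are compared; a link labelled "Click here" or with the organization's name as text carries no displayed domain to check, so it still needs the manual hover or copy-and-paste inspection the alert describes.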
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)