BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing E-mail or real...)

Mel Beckman mel at beckman.org
Mon Apr 3 13:21:09 UTC 2023


Any security “authority” that sends a warning email that requires opening _any_ attachment doesn’t deserve to be taken seriously. This includes the MPAA et al. Also, if they don’t send it to your registered abuse email, into the trash it should go without a glance.

 -mel beckman

On Apr 3, 2023, at 4:37 AM, Suresh Ramasubramanian <ops.lists at gmail.com> wrote:


It appears legit.

BKA.DE is the German Bundeskriminalamt (Federal Police)

And the PTR records, SPF etc check out for the domain.

Might as well check the IP in question for malware if they’ve provided date / timestamps and such

--srs

From: NANOG <nanog-bounces+ops.lists=gmail.com at nanog.org> on behalf of Glen A. Pearce <nanog at ve4.ca>
Date: Monday, 3 April 2023 at 12:29 PM
To: nanog at nanog.org <nanog at nanog.org>
Subject: BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing E-mail or real...)
Hi All:

I received an E-mail with an attachment claiming something
on my network is infected and that I should look at the
attachment to find out what.

Normally I think everything with an attachment is phishing
to get me to run malware but:

#1: The sites linked to in it seem to be legit German
     government websites based on Wikipedia entries that
     haven't changed in several years.
     (Looked at archive.org)
#2: The attachment is a .txt file which I've normally
     assumed to be safe.
#3: None of the usual dead giveaways that most phishing
     E-mails have.

If it is a phishing E-mail it has got to be the cleverest
one I've ever seen, though someone would try to be clever
considering the target would be holders of IP blocks.

I right clicked and checked properties to make sure the
attached ip_addresses.txt file really is a text file and
not some fancy trickery with reverse direction characters
( As seen on https://www.youtube.com/watch?v=ieQUy8YTbFU )

I tried poking around to see if there was some vulnerability
in notepad (or some versions of it) that I didn't know about
and only found a vulnerability in the text editor on Macs
but nothing with Windows Notepad.

The other thing I felt was a bit off is that the originating
mail server is in Deutsche Telekom AG space and not IP Space
registered to the German government.  I'm thinking someone
could rent some IP space from Deutsche Telekom AG with a
connection to them in a data center and get the DNS delegated
to them so they could set the reverse DNS to whatever they want.
A lot of effort to try to look legit by coming out of Germany
and having a government domain in the reverse DNS to look like
a plausible legit outsourcing but again Network operators are
the target audience so the normal tricks that work on the
general public won't work with this group so I can see someone
going that far.

I'll attach the E-mail below with all headers.  Has anyone
else gotten these?  Is there some security risk opening it
in Windows Notepad that I don't know about or is it actually
safe to open this?


Return-Path: <abuse at cyber.bka.de>
Delivered-To: [REDACTED]
Received: from ezp08-pco.easydns.vpn ([10.5.10.148])
     by ezb03-pco.easydns.vpn with LMTP
     id oCfeBO/yEmTokhgAzaFxkQ
     (envelope-from <abuse at cyber.bka.de>)
     for <[REDACTED]>; Thu, 16 Mar 2023 10:43:59 +0000
Received: from smtp.easymail.ca ([127.0.0.1])
     by ezp08-pco.easydns.vpn with LMTP
     id WCB5BO/yEmSHdgEABcrfzg
     (envelope-from <abuse at cyber.bka.de>); Thu, 16 Mar 2023 10:43:59 +0000
Received: from localhost (localhost [127.0.0.1])
     by smtp.easymail.ca (Postfix) with ESMTP id 0DC85557DF
     for <arin at ve4.ca>; Thu, 16 Mar 2023 10:43:59 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at ezp08-pco.easydns.vpn
X-Spam-Flag: NO
X-Spam-Score: 0.075
X-Spam-Level:
X-Spam-Status: No, score=0.075 required=4 tests=[BAYES_00=-1.9,
     DEAR_SOMETHING=1.973, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001,
     SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from smtp.easymail.ca ([127.0.0.1])
     by localhost (ezp08-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024)
     with ESMTP id d0XbPteZN-Io for <arin at ve4.ca>;
     Thu, 16 Mar 2023 10:43:55 +0000 (UTC)
Received: from mail.cyber.bka.de (mail.cyber.bka.de [80.146.190.22])
     by smtp.easymail.ca (Postfix) with ESMTPS id 0BC0C557DC
     for <arin at ve4.ca>; Thu, 16 Mar 2023 10:43:54 +0000 (UTC)
Date: Thu, 16 Mar 2023 10:43:53 +0000
To: arin at ve4.ca
From: BKA Wiesbaden - Abteilung Cybercrime <abuse at cyber.bka.de>
Reply-To: BKA Wiesbaden - Abteilung Cybercrime <abuse at cyber.bka.de>
Subject: Information regarding possible infection with malware
Message-ID:
<M47LJRZpjy1zymUJDKsNtrYm3RimkafZfZTqeZpauZA at emailapi.apps.cc.bka>
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="b1_M47LJRZpjy1zymUJDKsNtrYm3RimkafZfZTqeZpauZA"
Content-Transfer-Encoding: 8bit

Dear Sir or Madam,

As part of criminal proceedings, the German Federal Criminal Police Office (Bundeskriminalamt) has been informed about public IP addresses and timestamps which indicate a potential infection by the malicious software "Bumblebee" of one or more systems behind the respective public IP address.

Within this letter, the BKA is providing you with the data of the respective IP addresses which have been assigned to you as the appropriate provider. You are asked to take appropriate measures to inform your customers about the potential infection.

The following information will be provided:

1. Public IP address
2. Last known timestamp of contact by the public IP address
3. Possible system name or username on the potentially infected system

The following information may be sent to your customers in addition to
the message of concern.

What should you do now?

1. Don’t panic!
2. Check your systems/networks for possible infections. If other institutions have already made you aware of infected systems recently, follow the action guidelines which you may have received from them.
3. For further information on cleaning up infections, please visit the English website of the Federal Office for Information Security (BSI):

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Infizierte-Systeme-bereinigen/infizierte-systeme-bereinigen_node.html

Yours sincerely,

Bundeskriminalamt Wiesbaden

--
Glen A. Pearce
gap at ve4.ca
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
http://www.ve4.ca
ARIN Handle VET-17
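The "PTR records, SPF etc." check from the replies above, as an added example that is not code from the thread: it walks the Received chain quoted in the message to find the hop where the recipient's own mail system accepted the message from outside, then applies forward-confirmed reverse DNS to that IP. This is what answers the concern about rented address space with self-chosen reverse DNS: the forward zone for cyber.bka.de is served by the domain's owner, so a PTR alone proves nothing. The resolver tables are constructed placeholders, not live DNS data, and the attacker address 198.51.100.7 is hypothetical.

```python
import ipaddress
import re

# Constructed sample: the last two Received lines of the message quoted above, latest first.
SAMPLE = """\
Received: from smtp.easymail.ca ([127.0.0.1])
    by localhost (ezp08-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024)
Received: from mail.cyber.bka.de (mail.cyber.bka.de [80.146.190.22])
    by smtp.easymail.ca (Postfix) with ESMTPS id 0BC0C557DC
"""
# "from HELO (RDNS [IP]) by HOST": only the bracketed part is stamped by the receiving MTA.
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^\s\[\]]*)\s*\[([^\]]+)\]\))?\s+by\s+(\S+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hops(headers):
    """Return (helo, rdns, ip, by_host) per Received header that carries an IP, latest first."""
    hops = []
    for field in re.split(r"\n(?!\s)", headers):  # join folded continuation lines
        m = HOP_RE.search(field) if field.lower().startswith("received:") else None
        if m and m.group(3):
            helo, rdns, ip, by = m.groups()
            hops.append((helo, rdns or "", ip, by))
    return hops

def _internal(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in RFC1918)

def first_external_hop(hops, trusted_suffixes):
    """Latest hop where one of our own MTAs (by_host ending in a trusted suffix tuple) took
    mail from a non-internal address; every Received line below it may be forged by the sender."""
    for hop in hops:
        if hop[3].endswith(trusted_suffixes) and not _internal(hop[2]):
            return hop
    return None

def fcrdns_names(ip, ptr, a):
    """Forward-confirmed reverse DNS: keep PTR names whose A record points back at ip. Owning
    the reverse zone of rented space is not enough; the forward zone is the domain owner's."""
    return [name for name in ptr(ip) if ip in a(name)]

def origin_checks_out(headers, from_domain, trusted_suffixes, ptr, a):
    hop = first_external_hop(parse_hops(headers), trusted_suffixes)
    return hop is not None and any(
        n == hop[1] and n.endswith("." + from_domain) for n in fcrdns_names(hop[2], ptr, a))
# Hypothetical resolver tables (constructed, not real DNS data): 80.146.190.22 is the IP from the
# headers, assumed legitimate; 198.51.100.7 plays rented space with a matching PTR but no A record.
PTR = {"80.146.190.22": ["mail.cyber.bka.de"], "198.51.100.7": ["mail.cyber.bka.de"]}
A = {"mail.cyber.bka.de": ["80.146.190.22"]}
ptr_lookup, a_lookup = (lambda ip: PTR.get(ip, [])), (lambda name: A.get(name, []))
```

To run it against a live message, replace `ptr_lookup` and `a_lookup` with real resolver calls and `SAMPLE` with the full header block; the spoof case is simulated by swapping the IP in the sample.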