That's not an Ofcom email about your radio licence – it's a TROJAN

Fake emails purporting to be from Ofcom Spectrum Licensing have been sent to lots of radio hams. A number of Register readers have been in touch to say that they have received an email supposedly from the address spectrum.licensing@ofcom.org.uk. The email reads: The attached licensing document is malware. Ofcom has …

  1. Neil 44

    I got several this morning, and, as I was suspicious of a .docm attachment, submitted the attachment to VirusTotal for a comparison of which AVs detected anything in the attachment and which didn't.

    Hats off to those that did!!

    Complete scanning result of "OFCOM_REN04_20150715_0976659.docm", processed in VirusTotal at 08/05/2015 09:52:57 (CET)

    [ file data ]
    * name..: OFCOM_REN04_20150715_0976659.docm
    * size..: 49614
    * md5...: da8d771db68ed6e27119ccbc528b2ab4
    * sha1..: f532ba5c4aa6d2877e46d52cc0cc8e9702662d69

    [ scan result ]
    ALYac 1.0.1.4/20150805 found nothing
    AVG 15.0.0.4392/20150805 found nothing
    AVware 1.5.0.21/20150805 found LooksLike.Macro.Malware.g (v)
    Ad-Aware 12.0.163.0/20150805 found nothing
    AegisLab 1.5/20150805 found nothing
    Agnitum 5.5.1.3/20150804 found nothing
    AhnLab-V3 2015.08.05.02/20150805 found nothing
    Alibaba 1.0/20150803 found nothing
    Antiy-AVL 1.0.0.1/20150805 found nothing
    Arcabit 1.0.0.425/20150805 found HEUR.VBA.Trojan
    Avast 8.0.1489.320/20150805 found nothing
    Avira 8.3.1.6/20150805 found nothing
    Baidu-International 3.5.1.41473/20150804 found nothing
    BitDefender 7.2/20150805 found nothing
    Bkav 1.3.0.6979/20150804 found nothing
    ByteHero 1.0.0.1/20150805 found nothing
    CAT-QuickHeal 14.00/20150805 found O97M.Dropper.GO
    ClamAV 0.98.5.0/20150804 found nothing
    Comodo 22933/20150805 found nothing
    Cyren 5.4.16.7/20150805 found nothing
    DrWeb 7.0.13.5270/20150805 found nothing
    ESET-NOD32 12045/20150805 found nothing
    Emsisoft 3.5.0.642/20150805 found nothing
    F-Prot 4.7.1.166/20150805 found nothing
    F-Secure 11.0.19100.45/20150805 found nothing
    Fortinet 5.1.220.0/20150804 found nothing
    GData 25/20150805 found nothing
    Ikarus T3.1.9.5.0/20150805 found nothing
    Jiangmin 16.0.100/20150804 found nothing
    K7AntiVirus 9.207.16786/20150805 found nothing
    K7GW 9.207.16787/20150805 found nothing
    Kaspersky 15.0.1.10/20150805 found nothing
    Kingsoft 2013.4.9.267/20150805 found nothing
    Malwarebytes 2.1.1.1115/20150805 found nothing
    McAfee 6.0.5.614/20150805 found nothing
    McAfee-GW-Edition v2015/20150805 found nothing
    MicroWorld-eScan 12.0.250.0/20150805 found nothing
    Microsoft 1.1.11903.0/20150805 found nothing
    NANO-Antivirus 0.30.24.2668/20150805 found nothing
    Panda 4.6.4.2/20150804 found W97M/Downloader
    Qihoo-360 1.0.0.1015/20150805 found nothing
    Rising 25.0.0.17/20150731 found nothing
    SUPERAntiSpyware 5.6.0.1032/20150805 found nothing
    Sophos 4.98.0/20150805 found Troj/DocDl-WH
    Symantec 20141.2.0.56/20150805 found nothing
    Tencent 1.0.0.1/20150805 found nothing
    TheHacker 6.8.0.5.613/20150805 found nothing
    TotalDefense 37.1.62.1/20150805 found nothing
    TrendMicro 9.740.0.1012/20150805 found nothing
    TrendMicro-HouseCall 9.700.0.1001/20150805 found nothing
    VBA32 3.12.26.4/20150805 found nothing
    VIPRE 42634/20150805 found LooksLike.Macro.Malware.g (v)
    ViRobot 2014.3.20.0/20150805 found nothing
    Zillya 2.0.0.2329/20150805 found nothing
    Zoner 1.0/20150805 found nothing
    nProtect 2015-08-04.01/20150804 found nothing

    1. Conrad Longmore

      If you run the DOC (or DOCM or whatever) through olevba.py (http://www.decalage.info/fr/python/olevba) then it will extract the underlying macro. It will be heavily obfuscated, but the obfuscation itself is a clue that it is bad.

      Alternatively, Payload Security's Hybrid Analysis (hybrid-analysis.com) does a very good job with these malicious documents, and will show what network traffic is going on.

    2. werdsmith Silver badge

      I'm almost disappointed I didn't get this mail today; I've been licensed since 1980.

      I do remember receiving something just like this a few weeks/months back. I didn't open the attachments because I didn't have time and forgot about it.

      1. Chris Evans

        Not HAM targeted

        As we got half a dozen copies here, and none of us are HAMs, it wasn't very targeted, so please don't feel left out.

        1. Anonymous Coward

          Re: Not HAM targeted

          My copy was sent to a business address that is on someone's list ready to spam, and not to the one given to Ofcom. Just another case of splatter it widely enough!

  2. Mage Silver badge

    Hams

    Very many have email addresses publicly available on the internet, and also aren't they often in the RSGB year book?

    Probably do USA, Canadian, Irish ones in time.

    1. g4ugm

      Tech Savvy!

      If you read the Ham lists and forums, whilst there are many who are tech savvy, there are also many who are not especially IT literate, and an equal number who continue to use very old versions of software because they don't want to change.

      I also frequently see folks being told to disable User Account as a way to make old "HAM" software work, and most just do it despite the warnings.

      So I would say they are as good a target as anyone.

      You should also note that the same address is used for non-Amateur licences such as the Private Mobile Radio (PMR) sets used by Taxis and some Council Parking Wardens...

  3. Anonymous Coward

    Not an Ofcom list

    I got this sent to an email address that's never been used to communicate with Ofcom about anything, least of all spectrum licensing. Flagged by SpamAssassin immediately, not least because it came via a blocklisted mail server in Iran!

  4. Tom Wood

    Probably these work the same as bank scams

    They send them to millions of addresses. Some people who have a genuine reason to have contact with Ofcom (or Barclays, HSBC, etc) see the email and think it must be targeted directly at them.

    Admittedly radio hams are towards the more niche end of the spectrum, which reduces the number of targets for the spammer, but also probably increases the likelihood that those in the target audience do fall for the scam.

    Mostly these things are sent by botnets and will be caught by the usual anti-spam DNS blacklists.

    1. Tom Wood

      Re: Probably these work the same as bank scams

      Indeed, looking at my mailserver logs, I received two attempted mails this morning to an address that is no longer used, allegedly from spectrum.licencing@ofcom.org.uk:

      Aug 5 08:52:58 mail postfix/smtpd[8095]: NOQUEUE: reject: RCPT from unknown[14.161.18.210]: 550 5.1.6 <xxx@xxx.co.uk>: Recipient address rejected: Address no longer in use; from=<Spectrum.licensing@ofcom.org.uk> to=<xxx@xxx.co.uk> proto=ESMTP helo=<static.vdc.vn>

      Aug 5 09:06:21 mail postfix/smtpd[8127]: NOQUEUE: reject: RCPT from unknown[202.131.235.74]: 550 5.1.6 <xxx@xxx.co.uk>: Recipient address rejected: Address no longer in use; from=<Spectrum.licensing@ofcom.org.uk> to=<xxx@xxx.co.uk> proto=ESMTP helo=<[202.131.235.74]>

      I have never used this address (or any address for that matter) for anything to do with Ofcom.

      So there is no data leak, this is just general non-targeted spamming.
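As an added example (not code from anyone in the thread), here is a small Python parser for Postfix smtpd reject lines of the shape posted above, with a per-sender summary of the signals the thread keeps pointing at: many unrelated client IPs, no reverse DNS, and a HELO that is a bare IP or a host outside the claimed sender's domain. The sample log lines, addresses, hostnames and IPs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on Postfix "NOQUEUE: reject" entries.
# Addresses, hostnames and IPs are made up (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Aug  5 08:52:58 mail postfix/smtpd[8095]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.6 <old@example.co.uk>: Recipient address rejected: Address no longer in use; from=<Spectrum.licensing@ofcom.org.uk> to=<old@example.co.uk> proto=ESMTP helo=<static.example.net>
Aug  5 09:06:21 mail postfix/smtpd[8127]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.6 <old@example.co.uk>: Recipient address rejected: Address no longer in use; from=<Spectrum.licensing@ofcom.org.uk> to=<old@example.co.uk> proto=ESMTP helo=<[198.51.100.7]>
Aug  5 09:10:02 mail postfix/smtpd[8130]: NOQUEUE: reject: RCPT from mail.example.org[203.0.113.5]: 550 5.1.1 <nobody@example.co.uk>: Recipient address rejected: User unknown; from=<news@example.org> to=<nobody@example.co.uk> proto=ESMTP helo=<mail.example.org>
"""

# One regex for the fields a triage needs: client rDNS + IP, SMTP status, envelope sender/recipient, HELO.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<rdns>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3} \d\.\d\.\d) .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)


def parse_rejects(text):
    """Return one dict of named fields per parsed reject line; other lines are skipped."""
    return [m.groupdict() for m in map(REJECT_RE.match, text.splitlines()) if m]


def helo_matches_sender(helo, sender):
    """True when the HELO name is within the claimed sender's domain (a bare IP never is)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    host = helo.strip("[]").lower()
    return host == domain or host.endswith("." + domain)


def summarise_by_sender(records):
    """Group rejects by claimed envelope sender and count the botnet-style signals:
    distinct delivering IPs, clients with no reverse DNS, and HELOs outside the sender's domain."""
    summary = defaultdict(lambda: {"ips": set(), "no_rdns": 0, "helo_mismatch": 0})
    for r in records:
        entry = summary[r["sender"].lower()]
        entry["ips"].add(r["ip"])
        entry["no_rdns"] += r["rdns"] == "unknown"
        entry["helo_mismatch"] += not helo_matches_sender(r["helo"], r["sender"])
    return dict(summary)


if __name__ == "__main__":
    for sender, s in summarise_by_sender(parse_rejects(SAMPLE_LOG)).items():
        print(f"{sender}: {len(s['ips'])} source IP(s), {s['no_rdns']} without rDNS, "
              f"{s['helo_mismatch']} HELO mismatch(es)")
```

Feed it `/var/log/mail.log` (or `journalctl -u postfix`) instead of the constructed sample to see the same pattern on a real server.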

      1. VinceH

        Re: Probably these work the same as bank scams

        "So there is no data leak, this is just general non-targeted spamming."

        Agreed. I've just glanced in my spam box on the server, and there's one there sent to an address that has absolutely no connection with Ofcom whatsoever - just an address I've used as my primary address for approaching 20 years, and which has long since been harvested by spammers left, right, centre, top and bottom.

        Nothing to see here. Move along.

      2. Chloe Cresswell Silver badge

        Re: Probably these work the same as bank scams

        Definitely untargeted. Had just over a thousand of them to multiple accounts on my server today.

        My test account has definitely never been into ham radio for a start!

  5. Anonymous Coward

    "Please do not open this email and delete it."

    Messy wording in the website advice. Should be something like:

    "Please delete this email. Do not open it and DEFINITELY do not open any attachments."

    1. frank ly

      Re: "Please do not open this email and delete it."

      This sort of task is delegated all the way down to the office junior, with verbal instructions at every delegation stage.

  6. Synonymous Howard

    This is DEFINITELY not a targeted attack, as I am seeing this particular malspam sent to a variety of email addresses (I use unique addresses for each website/service I sign up to, and when spam starts coming through on a new address I blacklist it etc). SpamAssassin caught 11 'ofcom' messages to 4 unique addresses between 0845 and 0930 today, but 4 more got through and were junked by the mail client.

    This just looks like yet another phishing template sent out to rather ancient spammer address lists. I have to admit some of the newer templates are looking more plausible and less error prone.

    I mark any file attachments in email as suspect and they typically turn out to be malware.

  7. Chronos

    Lots of attempts in the log

    One of the users targeted has no amateur radio licence. He does, however, have a marine licence for his boat which uses the same OLC system. Looks like something is a bit leaky.

  8. Anonymous Coward

    I got one at work

    and I have no reason to be on any Ofcom list. I *am* however on several IT-related ones. Maybe one of them is being used to drive this scam?

    When I was younger, in the days of snail mail, I cycled through various middle names when giving my details. It became trivial (and somewhat depressing) to trace junk mail back to the people who sold the address.

    Maybe we could devise a similar system for email? Maybe an additional optional field with a small crypto value? Every time you sign up for something a new value is generated and stored (hell, Lastpass could easily do this) for that site.

    Emails without could be held for inspection. Emails with an incorrect value (i.e. guessed) binned. And emails with one noted as originating from that site. So you can easily catch where a mailing list came from.

    My brother does something like this now, but it does require running your own mail server.

    1. Tom Wood

      Re: I got one at work

      Indeed, I run my own mail server and use suffix addressing (sometimes called "plus addressing" as that is what is supported by gmail) for this purpose. In gmail you can use myname+anything@gmail.com and it will be delivered to myname@gmail.com. Use a different "anything" for each account and if it leaks you know who has been passing your address, and can block that variant (or just block it if they don't honour unsubscribe, etc).

      Since the plus character is commonly used for this purpose, it's actually not that good, as a spammer could strip it out and still reach your inbox. If you have your own server you can specify an alternative character to use; I use a dash/minus sign, but you could use a dot, underscore etc. Someone could still guess and remove it and hit your inbox, but in practice I've found that doesn't happen, and if it did I could just dump the inbox and create a new one, and redirect all the existing aliases to it.
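As an added example (not code from anyone in the thread), the following Python combines the two ideas above: the Anonymous Coward's per-site secret value and Tom Wood's suffix addressing with a non-plus separator. The key, mailbox, domain and site names are constructed; the tag is a truncated HMAC of the site name, so a spammer cannot guess a valid one, and stripping it only lands the mail in the held-for-inspection bucket rather than the inbox.

```python
import hmac
import hashlib
import re

# Constructed demo key; on a real mail server this is a random secret that never leaves the box.
SECRET = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 8  # hex chars: 32 bits, far too many to enumerate over SMTP


def make_tag(site, secret=SECRET):
    """Per-site tag = truncated HMAC-SHA256 of the site name: unique per site, not guessable,
    and re-derivable later, so nothing is stored except the key and the list of sites."""
    return hmac.new(secret, site.strip().lower().encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def tagged_address(local, domain, site, sep="-"):
    """Address to hand to 'site', using a dash separator (as in the post above) rather than '+'."""
    return f"{local}{sep}{make_tag(site)}@{domain}"


def classify(rcpt, local, domain, sites, sep="-"):
    """Sort an inbound recipient address into a handling class:
    ('known', site)    tag is one we issued -> deliver, and record which site this came via
    ('untagged', None) bare base address -> hold for inspection (tag stripped or never had one)
    ('bad-tag', None)  tag we never issued -> guessed or mangled, bin it
    ('foreign', None)  not this mailbox at all"""
    pattern = rf"{re.escape(local)}(?:{re.escape(sep)}([0-9a-z]+))?@{re.escape(domain)}"
    m = re.fullmatch(pattern, rcpt.strip().lower())
    if not m:
        return ("foreign", None)
    tag = m.group(1)
    if tag is None:
        return ("untagged", None)
    for site in sites:
        # Constant-time compare: the tag is effectively a credential for this alias.
        if hmac.compare_digest(tag, make_tag(site)):
            return ("known", site)
    return ("bad-tag", None)


if __name__ == "__main__":
    sites = ["elreg", "beatthatquote"]
    for site in sites:
        print(site, "->", tagged_address("me", "example.net", site))
```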

      1. Mike007 Bronze badge

        Re: I got one at work

        If you don’t mind spending <£5/year for a "professional email address" then you can have anything@youremail.co.uk instead of needing a "special character".

        As an example, a few years back I had to add a rule to auto-delete all email addressed to beatthatquote@mydomain (apparently they have now been acquired by Google, who at least don't sell client lists as far as I know).

        Be warned, if I ever start receiving spam directed to elreg@mydomain I will know who has been naughty!

  9. 8tpercent

    Yep, lots of these seen this morning...

    http://sanesecurity.blogspot.co.uk/2015/08/important-document-from-ofcom-spectrum.html

    Followed swiftly by a run of emails:

    Booking Confirmation - Accumentia (16/9/15) fake docs with macros...

    Cheers,

    Steve

    Sanesecurity.com

  10. Keith Oborn

    Not targeted at all-

    My wife got one. She's an artist, didn't even know who Ofcom are!

  11. nematoad

    Snap

    Yep, got both the Ofcom one and the Accumentia one. I seem to get a lot of this sort of stuff lately but why I got the Ofcom one is a mystery to me, I am not nor have I ever been a radio ham.

    It makes me really glad I run Linux.

  12. Jess--

    I have dealings with Ofcom; the thing that instantly raised suspicion (other than the fact that my server had already flagged it as spam / malware) was that the email did not contain either my name or any registered callsign.

    I have licences from Ofcom for business radio, 3 ham licences and a Notice of Variation for a D-Star repeater. Other than the missing details the email looked plausible.

  13. Caustic Soda

    I've just seen this on Twitter from someone with an M3 callsign - didn't realise it was affecting CB radio users too.

  14. Joey M0usepad Silver badge

    hard target?

    "hard to find a worse cohort to attack than the naturally tech-savvy UK radio amateur community"

    They might be tech savvy in a logical thinking, soldering iron wielding type of way, but, and don't all start throwing stones and downvotes right away, I suspect they may not be too up to date on I.T.

    *ducks*

    I mean, has the thrill of talking to people 10,000 miles away not worn thin a bit with the whole world becoming connected? Personally I try to avoid the flood of information hitting my PC from all over the world.

    Have they not heard of Skype? Voice and picture anywhere in the world, for free.

    Yes, I appreciate HAMs do it without relying on 1000s of routers and cables, and will be laughing when the apocalypse comes, but until then......
