I received an email pretending to be from my hoster Strato (known as Cronon AG) telling me that my domain I have for my IT Consulting business has been suspended because of complains they received.
This kind of email is called “Spear Phishing”: it targets only certain users that have a proven connection to the attacked brand or company. In this case, I am clearly a customer of Cronon AG because the WHO IS information shows this. (see below)
Dear Sorin Mustaca,
The Domain Name mustaca.com have been suspended for violation of the Cronon AG Abuse Policy.
Multiple warnings were sent by Cronon AG Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here and download a copy of complaints we have received.
Please contact us for additional information regarding this notification.
Spam and Abuse Department
The email appears to come from them, but observe the “.KD” in the FROM email address. Suspicious!
This is how the email header looks like:
Just have a look at those areas I marked with red. Absolutely nothing to do with the Cronon AG!
This shows that the email is a fake.
Then, observe that they have obtained my name, email address and my domain. Very convincing!
But, all this information is available in the WHOIS information for my domain and is publicly available:
The link points to a malicious file that gets dropped!
The URL is so created that it gives the impression that it retrieves something dedicated to my account. Observe the “mustaca.com” appended to the URL.
In order not to link here a malware file, I removed the host.
The malware is recognized by Avira as ‘TR/Crypt.Xpack.312513 [trojan]’.
Good job, Avira!
I have informed the company owning the website which hosts the malware.
Let’s see if they answer or at least remove the malware!
PS: I also informed Strato that their customers are being targeted.stAll these and many more topics are in the free eBook "Improve your security" available here: www.improve-your-security.org.