FBI E-Mail Scam Spreads Virus

E-mails appearing to originate from the bureau are spreading a virus via the accompanying attachment.

The FBI warned late Tuesday that e-mails appearing to originate from the bureau were spreading a virus via the accompanying attachment.

The e-mail informs recipients that they have visited illegal Web sites and asks them to answer a set of attached questions. Opening the attachment will infect computers with the Sober-K worm, a variant that first appeared Monday morning.

"If the public receives an e-mail that purports to come from the FBI, please know that the FBI does not conduct business in this way," said Paul Bresson, a spokesman at FBI headquarters in Washington.

"We would not notify a person that they were a target or a potential target of investigation."

According to senior analyst Gregg Mastoras of U.K.-based security firm Sophos, Sober-K is rapidly spreading across the Internet under a number of different subject lines, including one about Paris Hilton pornography and another from the FBI.

"It's a classic worm, disguising itself and using some sort of teaser to get you to open it," Mastoras said. "I wouldn't be surprised if Sober-K ended up at the top of our security lists before it's all said and done."

All of the major security vendors now have virus definitions for the Sober-K worm in place, but the infection will continue to spread because users typically don't update their antivirus definitions often enough.

The hoax e-mail sent to eWEEK.com reads: "We have logged your IP address on more than 40 illegal Web sites. Important: Please answer our questions! The list of questions are attached."

Besides the poor grammar, the message includes the FBI headquarters address and the bureau's main number.

Though the e-mails seem to come from the fbi.gov domain, the FBI actually shut down that mail system earlier this month because of a security breach. The system was at one time used to communicate with the public, but the two incidents do not appear to be related.

"We're taking this very seriously and are investigating where this originated and who may be responsible," Bresson said. "At this point, there's no indication of a connection."

A cyber squad from one of the FBI's field offices is heading up an investigation of the recent e-mail schemes, but Bresson wouldn't specify which office.

Sophos' Mastoras also said it's highly unlikely that the e-mails originate within the FBI: "I would assume they're faking the e-mail header, the subject, everything. It's just another way to entrap you and get you to open the file."

He added that ploys such as this one, in which a message pretends to come from the FBI, are common among virus writers because they continue to work well.
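The two tells the article describes, a forged From header claiming fbi.gov and an executable payload hiding behind a "questions" attachment, are exactly what a mail-gateway triage check looks for. The script below is an added example, not code from the article, Sophos or the FBI: it parses a message with Python's standard `email` library, compares the From domain against the Return-Path and the earliest Received hop, and flags attachments with risky extensions. The sample message is constructed for the example (the body text is the hoax wording quoted by eWEEK; the addresses, host names, subject and attachment name are assumptions, not captured Sober-K data), and the extension list is a judgment call, not a published signature.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Extensions that a worm of this era typically arrived under; .zip is included
# because the executable was often shipped inside an archive. Assumed list.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".cmd", ".zip"}

# Constructed sample modelled on the hoax described in the article. The body
# quotes the scam text; headers, addresses and the attachment are invented.
SAMPLE_HOAX = """\
Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.org with ESMTP id abc123
From: "FBI" <mail@fbi.gov>
To: victim@example.org
Subject: You visit illegal websites
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

We have logged your IP address on more than 40 illegal Web sites.
Important: Please answer our questions! The list of questions are attached.

--XYZ
Content-Type: application/zip; name="questions.zip"
Content-Disposition: attachment; filename="questions.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

# Constructed control message: envelope, origin host and From all agree, no attachment.
SAMPLE_CLEAN = """\
Return-Path: <newsletter@example.com>
Received: from smtp.example.com (smtp.example.com [198.51.100.5])
    by mx.example.org with ESMTP id def456
From: "Example News" <newsletter@example.com>
To: victim@example.org
Subject: Weekly digest
Content-Type: text/plain

Nothing to see here.
"""


def _domain_of(header_value: str) -> str:
    """Extract the domain part of an address header, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def _same_org(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return bool(host) and (host == domain or host.endswith("." + domain))


def originating_host(msg) -> str:
    """Host named in the earliest Received header (the last one in the list),
    i.e. the hop closest to the sender. Empty string if none is present."""
    received = msg.get_all("Received", [])
    if not received:
        return ""
    m = re.match(r"\s*from\s+([A-Za-z0-9.-]+)", str(received[-1]))
    return m.group(1).lower() if m else ""


def risky_attachments(msg) -> list:
    """File names of attachments whose extension is in RISKY_EXTENSIONS."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            names.append(name)
    return names


def triage(raw: str) -> dict:
    """Parse a raw RFC 822 message and return the suspicious indicators found."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = _domain_of(msg.get("From"))
    rp_dom = _domain_of(msg.get("Return-Path"))
    origin = originating_host(msg)
    findings = []
    # Envelope sender disagreeing with the visible From is the classic spoof tell.
    if rp_dom and not _same_org(rp_dom, from_dom):
        findings.append(f"Return-Path domain {rp_dom} does not match From domain {from_dom}")
    # The first relay should belong to the claimed sender's organisation.
    if origin and not _same_org(origin, from_dom):
        findings.append(f"originating host {origin} is outside {from_dom}")
    for name in risky_attachments(msg):
        findings.append(f"risky attachment {name}")
    return {"from_domain": from_dom, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("hoax", SAMPLE_HOAX), ("clean", SAMPLE_CLEAN)):
        result = triage(raw)
        print(label, "suspicious" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("  -", finding)
```

The header checks are heuristics, not proof: legitimate mail relayed through a third-party provider also shows a Return-Path or first hop outside the From domain, so in a gateway these would feed a score rather than a hard block, and the decisive signal in this case is the executable-bearing attachment combined with a claim the FBI says it never makes by e-mail.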

It's not the first time the FBI has been used as a stage for duping the public, either. In September 2003, attackers created a site that looked like the official FBI domain and asked visitors to submit debit card information to prevent fraud.

Though the bureau has had a rough start to the year with regard to IT development and security, likely scrapping its $170 million information-sharing system, the FBI said computer security remains an increasingly important focus.

"The cyber division within the FBI is an extremely high priority, right behind counter-terror and counter-intelligence, and we will see that grow over the years," Bresson said.
