Malware spam attempt coming in through contact form claiming DDOS and threatening legal action and linking to Google Drive

Here’s the message a client of ours received, “Subject: example.org has been hacked and is now participating in the DDoS attack on our company’s servers. You need to take action immediately!”

It is spam, and it is an attempt to infect your computer with malware. Do NOT click the Google Drive link, and we hope no one else did or does!

https://www.bleepingcomputer.com/news/security/fake-dmca-and-ddos-complaints-lead-to-bazaloader-malware/

Your Name
Jon

Your Email
JonSood@mailchimp.com

Your Telephone
7189643812

City
New York. 60893

County
Lassen County

Subject
Example.org has been hacked and is now participating in the DDoS attack on our company's servers. You need to take action immediately!

Message
Hello,

This message was written to you in order to notify you that we are currently experiencing serious network problems and we have detected a DDoS attack on our servers coming from your website or a website that your company hosts (example.org). As a consequence, we are suffering financial and reputational losses.

We have strong evidence and belief that your site was hacked and your website files were modified, with the help of which the DDoS attack is currently taking place. It is strictly advised for you as a website proprietor or as a person associated with this website to take immediate action to fix this issue.

To fix this issue, you should immediately clean your website from malicious files that are used to carry out the DDoS attack.

I have shared the log file with the recorded evidence that the attack is coming from crla.org and also detailed guidelines on how to safely deal with, find and clean up all malicious files manually in order to eradicate the threat to our network.

Click on the link below to download DDoS Attack evidence and follow the instructions to fix the issue:

https://drive.google.com/uc?export=download [link truncated so no one clicks it, but it's another indication of how careless Google is that this attack has been happening for months and Google still allows itself to be a vector]

Please be aware that failure to comply with the instructions above and/or if DDoS attacks associated with example.org do not stop within the next 24-hour period upon receipt of this message, we will be entitled to seek legal actions to resolve this issue.

If you experience any difficulties trying to solve the issue, please reply immediately with your personal reference case number (included in the log report and instructions mentioned above) and I will do my best to help you resolve this problem asap.


Jon Sood
mailchimp.com IT security team

Agaric investigated this fraudulent, malicious ‘DDOS’ letter.

Our client’s intuition that this was “spammy” was correct, fortunately. It is not just spam but a scam. Companies like Mailchimp, which has just been bought for $14 billion by Intuit, do not (yet, thankfully) have employees with no public profile filling out web forms to make legal threats. (And if they did, they would know about and contact the hosting company, not an individual site on the server.)
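The tells in this message (a DDoS accusation, a claim the site was hacked, a legal threat with a 24-hour deadline, an "evidence" download hosted on Google Drive, and a signature claiming to be another company's security team) are mechanical enough to score automatically. Below is an added example, written for this post rather than taken from it or from Agaric's tooling, of a small triage scorer that a site owner could run over contact-form submissions before anyone reads them. The submission text is a constructed sample modelled on the quoted message, the Drive URL is a placeholder (the real link was truncated above), `SITE_DOMAIN` is assumed to be `example.org`, and the rule weights and threshold are illustrative rather than calibrated.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed: the domain whose contact form is being triaged.
SITE_DOMAIN = "example.org"

# Constructed sample, modelled on the submission quoted in the post.
# The Drive URL is a placeholder, not the real download link.
SAMPLE_SUBMISSION = {
    "name": "Jon",
    "email": "JonSood@mailchimp.com",
    "subject": ("Example.org has been hacked and is now participating in the DDoS "
                "attack on our company's servers. You need to take action immediately!"),
    "message": (
        "Hello,\n"
        "We have detected a DDoS attack on our servers coming from your website (example.org).\n"
        "We have strong evidence and belief that your site was hacked and your website files were modified.\n"
        "I have shared the log file with the recorded evidence.\n"
        "Click on the link below to download DDoS Attack evidence and follow the instructions:\n"
        "https://drive.google.com/uc?export=download&id=PLACEHOLDER_FILE_ID\n"
        "If DDoS attacks do not stop within the next 24 hour period we will be entitled to seek legal actions.\n"
        "Jon Sood\n"
        "mailchimp.com IT security team\n"
    ),
}

# Constructed benign sample for comparison.
BENIGN_SUBMISSION = {
    "name": "Maria",
    "email": "maria@gmail.com",
    "subject": "Question about consulting rates",
    "message": "Hi, could you send me your rate card for a small Drupal migration? Thanks, Maria",
}

# Content rules: (name, weight, pattern). Weights are illustrative, not calibrated.
CONTENT_RULES = [
    ("ddos_accusation", 3, re.compile(r"\bddos\b", re.I)),
    ("hacked_claim", 2, re.compile(r"\b(?:been|was) hacked\b|files were modified", re.I)),
    ("legal_threat", 2, re.compile(r"\blegal actions?\b", re.I)),
    ("deadline_pressure", 2, re.compile(r"\b\d+\s*-?\s*hours?\b|\bimmediately\b", re.I)),
    ("download_lure", 3, re.compile(r"\b(?:download|log file)\b", re.I)),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# File-sharing hosts that lend a trusted domain to an untrusted payload.
FILE_SHARE_HOSTS = {"drive.google.com", "docs.google.com"}


@dataclass
class Verdict:
    score: int = 0
    matched: list = field(default_factory=list)
    suspicious: bool = False


def extract_urls(text):
    """Return every http(s) URL found in the text."""
    return URL_RE.findall(text)


def sender_domain(email):
    """Domain part of an e-mail address, lower-cased; empty if malformed."""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def triage(submission, site_domain=SITE_DOMAIN, threshold=8):
    """Score one contact-form submission against the scam indicators."""
    text = f"{submission.get('subject', '')}\n{submission.get('message', '')}"
    verdict = Verdict()
    for name, weight, pattern in CONTENT_RULES:
        if pattern.search(text):
            verdict.score += weight
            verdict.matched.append(name)
    # The "evidence" download is the payload delivery; a file-share link weighs heavily.
    for url in extract_urls(text):
        host = (urlparse(url).hostname or "").lower()
        if host in FILE_SHARE_HOSTS:
            verdict.score += 4
            verdict.matched.append("file_share_link")
            break
    # A third party's "security team" would contact the host or abuse desk,
    # not a public web form, so that combination is itself an indicator.
    dom = sender_domain(submission.get("email", ""))
    if dom and dom != site_domain and re.search(r"security team", text, re.I):
        verdict.score += 2
        verdict.matched.append("third_party_security_team")
    verdict.suspicious = verdict.score >= threshold
    return verdict


if __name__ == "__main__":
    for sub in (SAMPLE_SUBMISSION, BENIGN_SUBMISSION):
        v = triage(sub)
        print(sub["email"], v.score, v.suspicious, v.matched)
```

On the constructed sample every rule fires and the score is 18; the benign enquiry scores 0. In practice a flagged submission would be quarantined or routed to someone who knows not to open "evidence" from a file-sharing link, and the rule list would grow as the lure wording changes (the linked BleepingComputer article notes a DMCA variant of the same campaign).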