BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing E-mail or real...)

Hi All:

I received an E-mail with an attachment claiming something
on my network is infected and that I should look at the
attachment to find out what.

Normally I think everything with an attachment is phishing
to get me to run malware but:

#1: The sites linked to in it seem to be legit German
government websites based on Wikipedia entries that
haven't changed in several years.
(Looked at archive.org)
#2: The attachment is a .txt file which I've normally
assumed to be safe.
#3: None of the usual dead giveaways that most phishing
E-mails have.

If it is a phishing E-mail it has got to be the cleverest
one I've ever seen, though someone would try to be cleaver
considering the target would be holders of IP blocks.

I right clicked and checked properties to make sure the
attached ip_addresses.txt file really is a text file and
not some fancy trickery with reverse direction characters
( As seen on Hackers Are Trying Something New (Again) - Watch Out! - YouTube )

I tried poking around to see if there was some vulnerability
in notepad (or some versions of it) that I didn't know about
and only found a vulnerability in the text editor on Macs
but nothing with Windows Notepad.

The other thing I felt was a bit off is that the originating
mail server is in Deutsche Telekom AG space and not IP Space
registered to the German government. I'm thinking someone
could rent some IP space from Deutsche Telekom AG with a
connection to them in a data center and get the DNS delegated
to them so they could set the reverse DNS to whatever they want.
A lot of effort to try to look legit by coming out of Germany
and having a government domain in the reverse DNS to look like
a plausible legit outsourcing but again Network operators are
the target audience so the normal tricks that work on the
general public won't work with this group so I can see someone
going that far.

I'll attach the E-mail below with all headers. Has anyone
else gotten these? Is there some security risk opening it
in Windows Notepad that I don't know about or is it actually
safe to open this?

Return-Path: <abuse@cyber.bka.de>
Delivered-To: [REDACTED]
Received: from ezp08-pco.easydns.vpn ([10.5.10.148])
by ezb03-pco.easydns.vpn with LMTP
id oCfeBO/yEmTokhgAzaFxkQ
(envelope-from <abuse@cyber.bka.de>)
for <[REDACTED]>; Thu, 16 Mar 2023 10:43:59 +0000
Received: from smtp.easymail.ca ([127.0.0.1])
by ezp08-pco.easydns.vpn with LMTP
id WCB5BO/yEmSHdgEABcrfzg
(envelope-from <abuse@cyber.bka.de>); Thu, 16 Mar 2023 10:43:59 +0000
Received: from localhost (localhost [127.0.0.1])
by smtp.easymail.ca (Postfix) with ESMTP id 0DC85557DF
for <arin@ve4.ca>; Thu, 16 Mar 2023 10:43:59 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at ezp08-pco.easydns.vpn
X-Spam-Flag: NO
X-Spam-Score: 0.075
X-Spam-Level:
X-Spam-Status: No, score=0.075 required=4 tests=[BAYES_00=-1.9,
DEAR_SOMETHING=1.973, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from smtp.easymail.ca ([127.0.0.1])
by localhost (ezp08-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id d0XbPteZN-Io for <arin@ve4.ca>;
Thu, 16 Mar 2023 10:43:55 +0000 (UTC)
Received: from mail.cyber.bka.de (mail.cyber.bka.de [80.146.190.22])
by smtp.easymail.ca (Postfix) with ESMTPS id 0BC0C557DC
for <arin@ve4.ca>; Thu, 16 Mar 2023 10:43:54 +0000 (UTC)

It appears legit.

BKA.DE is the German Bundeskriminalamt (Federal Police)

And the PTR records, SPF etc check out for the domain.

Might as well check the IP in question for malware if they’ve provided date / timestamps and such

–srs

It appears legit.

BKA.DE is the German Bundeskriminalamt (Federal Police)

And the PTR records, SPF etc check out for the domain.

Might as well check the IP in question for malware if they’ve provided date / timestamps and such

–srs

Looks like scam to me, we are based in Germany and from time to time we are getting requests from BKA, all mails were originated from "*@bka.bund.de", never heard about ths "cyber.bka.de" Domain.
Also I would expect something more like a specific criminal investigation from the BKA instead of the usual "we found suspicious ip addresses" announcement like Shadowserver is offering.

Governmental services within DTAG (AS3320) ip space is pretty common in Germany.

HTH,
Stefan

Hi,

Governmental services within DTAG (AS3320) ip space is pretty common in
Germany.

but FcrDNS matches. Scammers with access to the bka.de DNS?

Regards
Bjoern

Well, I eventually had a friend open the attachment on his Linux machine
and once he confirmed it was safe to open and found there was nothing
in it other than the list of IP addresses, user names and time stamps but
there were a whole bunch of addresses listed I opened the attachment in
Notepad.

All 43 IP addresses listed turned out to not be ones that are not and have
not been in use the entire time I've had the IP block.

So it's still mysterious why someone would have sent this as it appears to
not be malware but it's entirely junk information, so no reason to explain
why either the German Police or a scammer would have sent it.

Maybe the German Police used to have a server at that address for some
purpose and neglected to turn off the forward DNS when it was
decommissioned and Deutsche Telekom AG didn't remove the old
reverse DNS when they re-assigned the space to a new customer and
that new customer stood up a mail server to sent these. Though for
what purpose I'm unsure.

It's as odd as the (automatically generated) abuse E-mail I recently got
from a Spanish ISP (Comvive Servidores SL) claiming to have received
a network attack from an address that is also not in use. (Which was
one of the ones listed in this E-mail.)

Thanks to everyone that did reply with their input.

* nanog@ve4.ca (Glen A. Pearce) [Mon 24 Apr 2023, 17:42 CEST]:

Well, I eventually had a friend open the attachment on his Linux machine

Not necessarily a safe idea:
   https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/
(scroll down to "Operation DreamJob with a Linux payload", sadly no anchors)

  -- Niels.

The key security concern here is "don't inspect/interpret bytes in an attachment with an application of the attacker's choosing". cat, or even emacs, seem pretty safe.

For me, that's easiest to do with Linux or MacOS (terminal). But sure, if "open on a Linux machine" still means "point and click", then you're absolutely correct.

Jim Shankland

Thanks for the heads up on that. My situation (in this one case) was a little different
from the example in the article you sent as I had already verified it was a text file
(and not another type masquerading as a text file with funny characters). I was just
concerned because I was wondering if someone had found a way to compromise
Windows Notepad (or at least some versions of it because Microsoft likes to keep
changing things). I still kinda wonder now if there is some vulnerability in Microsoft
Notepad somewhere because of a "feature" someone decided to add along the way
that nobody needed and almost nobody known about....

The link you included might still save someone a lot of headaches one day.

I checked with my friend, what he did was use Linux on a virtual machine with a static
hard drive then started "Nano" at the command line and used that to open the file I
sent him. He's a lot more expert than me so I tend to trust that he knows what he's
doing even if he doesn't fill me in on all the details. I guess in this case he figured he
didn't need to fill me in on them until I asked. Though I did pass on the article you
sent in case it's relevant to something he encounters in the future.