Email Scam Alert!
Email Scam Alert!
If you received an email with “Florida Bar Association Past Due Invoice” in the subject line, do not click on it, do not click on its links, and delete it immediately.
A number of malicious emails have been distributed throughout The Florida Bar and to external users, said Brandon Gonzalez, the Bar’s IT operations manager. It is addressed to “Dear Attorney” and is purportedly from Bar President Ramón Abadin about taking care of “membership dues that are past due.”
But it is totally bogus and could take over your computer and destroy your files unless you pay a “ransom.”
A member of The Florida Bar forwarded the malicious email to an employee in Membership Records, asking questions because it looked like it legitimately came from the Bar.
The employee clicked on the link and realized it was no good, and forwarded it to Gonzalez, who dug into the email and discovered it was coming from a few domains from a host in Houston, Texas.
“From what we have been able to determine so far, it is the payload and the email included what’s called Ransomeware. CrypoLocker is probably something people are more familiar with,” Gonzalez explained.
“Ransomware essentially installs itself on your computer and starts encrypting your files, and then it notifies you after it’s encrypted your files and says, ‘Hey, we’ve got your system. Please pay us X number of dollars, and we’ll give you the key to unlock all of your files.’ That’s the end game for them.”
Gonzalez said he’s dealt with CryptoLocker in the past and put in measures to try to prevent repercussions. This malicious email started to make changes to the Bar employee’s local file system, but Gonzalez said he was able to catch it in time and pull it off the network and gave her a new PC to use.
Asked what Florida Bar members should do if they mistakenly click on this email, Gonzalez said: “It’s tough to say, and the reason why is that there are a lot of variants of this CryptoLocker. Some are well known and some are new. They change and there are several iterations. Due to that, they can all have different behaviors. They can install themselves in different areas of the system.”
Without actually looking at it on someone’s computer and “analyzing the behavior of that particular flavor,” Gonzalez said, “it’s difficult to make any assumptions for them.”
But Gonzalez “definitely advises them to seek some type of IT support. Hopefully, they have backups of their files, if it has encrypted them and if it has changed the files themselves. The best way to do it is to wipe that system clean and reload those files.”
How can you tell if this malicious email has taken over your files?
“A lot of times you don’t know until it’s gone through,” Gonzalez said. “You can have file name changes, so if you go into your C Drive and try to open up one of your files, it can be renamed something differently. You start seeing a lot of different files renamed unexpectedly. That’s a sign right there.”
Often with phishing attempts, he said, a word in the subject line is misspelled or there are other oddities.
“This one is pretty good, as far as how it’s formatted. It almost looks legitimate,” Gonzalez said.
One hint that something is amiss is that the subject line says: “Florida Bar Association Past Due Invoice.” At The Florida Bar, “association” is not in the proper name and uses the term “fees” instead of “dues.”
How many Florida Bar members received the malicious email is impossible to determine, Gonzalez said.
The Florida Bar does not email invoices to members for payment and uses its website — www.floridabar.org — for all online credit card payment processes.
