ESET detects a New Phishing Campaign

In recent cases where we have seen identity theft by a police force. Such as the Civil Guard, criminals have referred to paying alleged traffic fines to get users to download a phishing malicious file. However, in an email sent recently we have verified how the name and image of the Civil Guard. That is being used to inform us of an alleged court summons.
If we review the body of the message, we see how the Civil Guard logos are mentioned and attached. But the Swiss Police, Interpol, and the French gendarmerie are also mentioned. As if that were not enough, in the body of the message. It indicated that this “invitation” is made by the Director-General of the Civil Guard herself. To indicate that we are the subject of several legal proceedings in force. Which include issues related to child pornography or pederasty.

Checking the senders and the citation

As this email is written, it is likely that not a few users are suspicious of its veracity. If we continue reviewing some points such as the sender of the email. We can see that several things do not seem to make sense. For example, in the header of the message appears an email address. Supposedly associated with the French Ministry of Defence, something not very logical within a judicial summons sent by the Civil Guard.
Regarding the attached file, one would expect that. After observing dozens of phishing malicious email campaigns over the last few months. It would contain some kind of malicious phishing code with which criminals would try to infect the victim’s system. However, the attached file is a document in PDF format that contains the alleged court summons.
In this document, we can see how, once again. The General Director of the worthy person addresses the user and indicates that he has been accused of crimes related to the dissemination of child pornography on the Internet. In addition, a contact address is provided to which the allegation. Which are considered appropriate can be sent within 48 hours. Once this period has elapsed, the alleged report will be sent to a court for review.
This is where the purpose of this email is found. That would be none other than to get the recipient of this message to contact the criminal. So that they can extort an amount from them in exchange for not continuing with the false Judicial procurement. This reminds us in part of the techniques that other criminals began to use more than a decade ago with the so-called “Police Virus”. Although at that time the device’s screen lock was used to force the victim to carry out the virus.


To confirm this theory, we decided to send an email in response to this court summons and as expected, a few minutes later, we received an automatic response with the possible existing solutions.
In that response email, we can see how two options are offered. The first is the judicial procedure, due to poor wording of the message. It is indicated that the director of the Swiss police will be arrested.
However, we see how another possibility is offered, which is to pay a fine of €7,978, write a handwritten letter with our data and signature, indicate that we want to pay this fine, and then take a photo of it and send it to you. All this procedure, together with the writing errors, make us believe that we are facing another case of what is known as Nigerian scams, although this time it would be a mission pointed only at Spanish clients.

Checking email addresses

One of the points that have intrigued us most about this phishing campaign is related to the email addresses provided. On the one hand, we have the one that is indicated to us as a contact method to present allegations to the supposed judicial procedure. That uses the name and surnames of the general director of the Civil Guard and a domain. Which is registered to a journalism company for more than 25 years old.
Regarding the domain of the French Ministry of Defence. From which the message is supposedly sent. Although it is logical to initially think that the criminals behind this email are spoofing to impersonate their identity, at the time of writing this article the website said the ministry is undergoing maintenance, so we should not rule out any possibility.
In any case, we will continue to analyze this email to try to confirm its purpose and thus confirm if it is a new extortion email campaign using the name and image of the Civil Guard or if there is some other purpose.


The criminals behind this campaign may think that the impersonation of official bodies together with the threat of legal action is a good bait to get new victims. Luckily, we can avoid falling into their trap by reviewing some points like the ones we have analyzed in this article and having a security solution that can alert us to these phishing cases.

Leave a Comment