November 21 - Fake LinkedIn Invitations
November 16 - “The Most Se*y Staff in Thales”
I’m just posting this to show the sometimes unintentionally hilarious and weird world I live in. In the early 1990s, Taiwan bought some LaFayette fighters from France. The whole thing turned into a scandal involving bribery and death - see this BBC article for more. The Taiwan government received some of the bribery money back from France in 2007, but they are still trying to recoup some of it. The French company involved in the scandal was Thomson-CSF, which is now called Thales.
That’s the background of why this otherwise rather pedestrian “using unclothed women as a lure to get people to open malicious files” email still feels related to some of the other stuff we see, particularly as the originating IP (22.214.171.124) is from Hinet (Taiwan’s largest ISP) and is the same IP address as in the August 16 entry.
(* instead of x to avoid the inevitable crap visits you get when using that word online…)
November 8 - Fake Colleague Email
My colleague got an email “from” me, asking her to click on a link to a zip file, supposedly containing information about how the “Best Chef from Northwest U.S” was “creating new tastes” in Taiwan. The subject is actually the title of an article from a Taiwan newspaper a few days before. The linked file was hosted on the hacked web server of some poor guy’s personal website (I’ve written to him telling him he may want to lock his site down and remove any files he doesn’t recognize.) The zip file contains a .exe file, and has a 6/43 (14.0%) detection rate - rather poor - at VirusTotal.
Subject: Best Chef from Northwest U.S. creates new tastes
Originating IP: 126.96.36.199
X-Mailer: Auto Mailer (www.automsw.com) ID: 284535 [I’m including this because I think it’s the first time I’ve seen an email with this particular mailer.]
November 4 - Fake Conference Information
Another day, another malware email. This one is also “Received: from deepin-f12c1fc0” just like yesterday’s, but with a better lure, I think. The email says “Please refer to,Have a nice weekend!” in an attempt to get me to open the poisoned “Conference information for next week.pdf” attachment. The VirusTotal scan shows a decent 12/43 (27.9%) detection rate. Just like yesterday’s, the message is set to be of “High Importance.” But hey, it’s nice that they wished me a good weekend!
Subject: Conference information for next week
Originating IP: 188.8.131.52
November 3 - Fake “Statement” campaign
For the last week or more, I have been getting these pdf “statement” emails - sometimes several a day. It’s starting to get ridiculous. All of us have been receiving them, including our general office email box. Until today, though, they have all been from senders using Chinese characters in the “from” and subject fields, and in the email text if there is any. Nobody here would get any legitimate emails in Chinese, so all of us just automatically ignore and delete them. (We get lots of rants about China/Taiwan issues from random people, so we get a few of them a week.) Today’s is also the first one flagged as “High Importance.” The “reply to” email is also completely different from the sender.
The attachments have all been named very similar to this one, with a date and the word “statement.” That they misspelled “statement” is new, I believe, although I may be mistaken. The date in the name of the file is usually the day you get the email or the next/previous day. The attachments are all .pfd files. This particular one had a 9/43 (20.9%) rate of detection at VirusTotal. Interestingly, the email was “Received: from deepin-f12c1fc0 (60-249-181-163.HINET-IP.hinet.net [184.108.40.206])” which was also used in a recent Chinese-language email about Gaddafi’s death posted by Contagio.
Originating IP: 220.127.116.11
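The header-level tells noted in the November 8 entry (the X-Mailer banner) and in this one (Reply-To on a different domain from the sender, the “High Importance” flag, and a bare machine name like “deepin-f12c1fc0” in the Received line) can be checked mechanically. The script below is an added example written for this page, not code from the original post. The sample message is constructed: every address, host name and IP in it is invented (198.51.100.7 is from a documentation range); only the HELO name and the mailer string are copied from the entries above.

```python
"""Mail-header triage for the indicators this diary keeps noticing:
Reply-To on a different domain than From, a "High" importance marking,
a bare (dot-less) machine name in the Received line, and an X-Mailer
banner worth tracking from one campaign to the next.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (addresses, hosts and IP are invented).
SAMPLE = b"\r\n".join([
    b"Received: from deepin-f12c1fc0 (mail.example.invalid [198.51.100.7])",
    b"\tby mx.example.test with SMTP; Thu, 3 Nov 2011 09:12:44 +0800",
    b'From: "Accounts" <accounts@example.test>',
    b"Reply-To: replies@other-domain.invalid",
    b"To: office@example.test",
    b"Subject: 2011-11-03 statment",
    b"X-Mailer: Auto Mailer (www.automsw.com)",
    b"Importance: High",
    b"",
    b"Please refer to,Have a nice weekend!",
    b"",
])

# "from <helo-name> (<reverse-dns> [<ip>])" as written by most MTAs.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value, or ''."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def received_hops(msg):
    """Yield (helo_name, ip) per Received header, newest hop first."""
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(hdr))
        if m:
            ip = IP_RE.search(m.group(2))
            yield m.group(1), (ip.group(1) if ip else None)


def triage_headers(raw: bytes) -> list:
    """Return indicator strings for a raw message; empty list means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        findings.append(f"reply-to-mismatch:{sender}!={reply_to}")
    if (str(msg.get("Importance", "")).lower() == "high"
            or str(msg.get("X-Priority", "")).startswith("1")):
        findings.append("high-importance")
    if msg.get("X-Mailer"):
        # Not malicious by itself, but a banner is a pivot for linking campaigns.
        findings.append(f"x-mailer:{msg['X-Mailer']}")
    for helo, ip in received_hops(msg):
        if "." not in helo:  # bare machine name where a FQDN is expected
            findings.append(f"bare-helo:{helo}@{ip}")
    return findings


if __name__ == "__main__":
    for finding in triage_headers(SAMPLE):
        print(finding)
```

Only the bottom-most Received line (the one added by the first relay) names the originating host; the hops above it were written by your own infrastructure and are trustworthy, so in practice you would restrict the bare-HELO check to that last hop rather than to every line.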
October 26 - Fake “Halloween Briefing Points” from the Navy Safety Center
I found this very amusing. It is a lazy spearphish type email using the upcoming Halloween holiday as a lure. At first I wondered whether it had originally been a different type of briefing points and the text had simply been changed, because there is an extra space in the text before “Halloween,” which made it look edited. But then I went to the website of the Navy Safety Center, and they actually have Halloween Briefing Points in a PDF and a PowerPoint presentation on Halloween hazards! Not sure why, but there you are. (Screenshot for posterity).
Again, this came from a sender unknown to me. We were not the only ones who got this, anyway, as TrendMicro posted about the same email. (Although when I originally submitted it to VT, they did not have a detection for it, even though it had a decent 37.2% detection rate.)
The email header showed the originating IP as being a restaurant in Philadelphia, which I thought was interesting. Doubt the restaurant was open at the time, given that it was sent at 4:40am…
Subject: Fwd: Halloween Briefing Points
Originating IP: 18.104.22.168
October 25 - Excel File from “IBM111”
Another random Excel file. No idea who the sender is supposed to be. It uses a relevant subject line, although the Excel file name isn’t anything except a date and a number. The file has an 8/42 (19%) detection rate at VirusTotal, a little higher today than when I originally submitted it. I might not have bothered posting this, except for the fact that it came from that IBM111 server that we just saw in a similar instance and that Contagio also mentioned earlier this month.
Sending IP: 22.214.171.124
October 20 - Fake Taipei Event Registration
This was pretty well done. It’s an invitation to attend and to register for an event in Taipei, jointly held by three of the most prominent foreign trade associations in Taiwan. The event itself is real. The supposed sender is the real event coordinator, and someone with whose name I’m familiar - we work extensively with her organization. The email was sent to three people - me, my boss, and a former colleague - it was the inclusion of that colleague (with a long-retired email address) that tipped me off right away.
The email used the information straight from the website of the real event, but the “sender” uses a plausibly named yahoo.com email address instead of the person’s real email - another indicator. The email had two attachments - one called “Registration Form.doc” and one called “AmCham BCCT ECCT Joint Luncheon.pdf.” The PDF document had an 11/42 (26.2%) detection rate at VirusTotal, while the Word document was 8/42 (19.0%). (From what I can gather from the detections, the Word file is set to exploit the CVE-2010-3333 “RTF Stack Buffer Overflow” vulnerability in Office.)
Email Subject: AmCham / BCCT / ECCT Joint Luncheon
Attachment MD5 (Word): c4b130ab3dd60b94e0e3a9edb589b735
Attachment MD5 (PDF): b2157f975ae5fbc26a2d97b2af94dc08
Received from: 126.96.36.199
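Three of the attachments in this diary share one lesson: judge a file by its bytes, not its name. The Word “.doc” above is really RTF (the container CVE-2010-3333 rides in), the November 3 “statement” files carry an extension outside anything you would expect, and the November 8 zip wraps an .exe. The code below is an added example for this page, not from the original post; the sample attachments are constructed placeholders (a few signature bytes, no real malware), and the file names merely echo the entries above.

```python
"""Attachment triage by content rather than by name: sniff the file signature,
compare it with what the extension claims, and look inside zips for executables.
"""
import io
import zipfile

# File signatures checked against the first bytes; "MZ" is last because it is
# the shortest and therefore the easiest to hit by accident.
MAGIC = [
    (b"%PDF", "pdf"),
    (b"{\\rtf", "rtf"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls/.ppt container
    (b"MZ", "exe"),
]
# Content each allowed extension is expected to carry; anything else is unusual.
EXPECTED = {"pdf": {"pdf"}, "doc": {"ole"}, "xls": {"ole"}, "ppt": {"ole"}, "zip": {"zip"}}
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd"}


def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes; 'unknown' if no signature matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension(name: str) -> str:
    return name.rpartition(".")[2].lower() if "." in name else ""


def check_attachment(name: str, data: bytes) -> list:
    """Indicator strings for one attachment; an empty list means nothing stood out."""
    ext, kind = extension(name), sniff(data)
    findings = []
    if ext not in EXPECTED:
        findings.append(f"unusual-ext:{name}")
    elif kind not in EXPECTED[ext]:
        # e.g. RTF content behind a .doc name, which Word will still open
        findings.append(f"ext-mismatch:{name}:{kind}")
    if kind == "exe":
        findings.append(f"executable-content:{name}")
    if kind == "zip":
        try:
            members = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            members = []
            findings.append(f"corrupt-zip:{name}")
        for member in members:
            if extension(member) in EXECUTABLE_EXT:
                findings.append(f"zip-executable:{name}:{member}")
    return findings


def constructed_samples() -> dict:
    """Invented attachments shaped like the diary's cases; signature bytes only."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as z:
        z.writestr("Best Chef article.exe", b"MZ" + b"\0" * 62)
    return {
        "Registration Form.doc": b"{\\rtf1\\ansi placeholder}",
        "2011-11-03 statment.pfd": b"MZ" + b"\0" * 62,
        "article.zip": zip_buf.getvalue(),
        "Halloween Briefing Points.pdf": b"%PDF-1.4\n%placeholder\n",
    }


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(name, "->", check_attachment(name, data) or "clean")
```

A clean result here is not a clean file: a genuine OLE .xls with a malicious macro or a well-formed PDF with an exploit passes every check above, which is why this belongs in front of, not instead of, the VirusTotal submissions the entries describe.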
October 12 - Malicious Excel File from Fake Air Force Sender
This is pretty sloppy. Who, in this day and age, would just open a mystery Excel spreadsheet sent in a blank email from some random Wright-Patterson Air Force Base email? But it’s definitely from one of the same groups that have been sending us better targeted stuff for a while - I think I’ve seen that “IBM111” computer before. The attached .xls file has only a 14% detection rate (6/43) on VirusTotal.
Email Subject: 20111012
Originating IP: 188.8.131.52
September 30 - Fake Internship Application
It had to happen eventually. Luckily, my colleague is a star who is diligent about scanning all the internship applications she gets, and who is also savvy enough to see the warning signs of a disconnect between sender email/sender name and the signed name at the bottom of the email. We have a very active internship program, and she is listed as the contact on our website, so she gets quite a few applications each week. We both knew that it was only a matter of time before this became a vector, hence the diligent scanning.
So this is a fake internship application with two malicious attached Word .doc files, one named “Resume” and one named “Semester desired.” It’s actually two copies of the same file, which had already been uploaded by someone else at VirusTotal. The scanning showed detection at 8/42, or 19%.
Subject: Winter/Spring Internship
Attachment MD5: 24fd4fb44d08c1a8d02dfd72155305d0
Received from: 184.108.40.206