February 2012
November 21 - Fake Linkedin Invitations
It’s been eerily quiet lately, nothing interesting coming in, really. So I thought I would post a few of the fake LinkedIn connection emails from this past fall. Both of these came supposedly “from” government employees - people who show up in my list of secondary contacts.
Feb 12th
November 2011
November 16 - "The Most Se*y Staff in Thales"
I’m just posting this to show the sometimes unintentionally hilarious and weird world I live in. In the early 1990s, Taiwan bought some La Fayette-class frigates from France. The whole thing turned into a scandal involving bribery and death - see this BBC article for more. The Taiwan government received some of the bribery money back from France in 2007, but they are still trying to recoup some of...
Nov 16th
November 8 - Fake Colleague Email
My colleague got an email “from” me, asking her to click on a link to a zip file, supposedly containing information about how the “Best Chef from Northwest U.S” was “creating new tastes” in Taiwan. The subject is actually the title of an article from a Taiwan newspaper a few days before. The linked file was hosted on the hacked web server of some poor...
Nov 15th
November 4 - Fake Conference Information
Another day, another malware email. This one is also “Received: from deepin-f12c1fc0” just like yesterday, but with a better lure, I think. The email says “Please refer to,Have a nice weekend!” in an attempt to get me to open the poisoned “Conference information for next week.pdf” attachment. The VirusTotal scan shows a decent 12/43 (27.9%) detection rate. Just...
Nov 4th
November 3 - Fake "Statement" campaign
For the last week+, I have been getting these pdf “statement” emails - sometimes several a day. It’s starting to get ridiculous. All of us have been receiving them, including our general office email box. Until today, though, they have all been from senders using Chinese characters in the “from” and subject fields, and in the email text if there is any. Nobody here...
Nov 3rd
October 2011
October 26 - Fake "Halloween Briefing Points" from...
I found this very amusing. It is a lazy spearphish type email using the upcoming Halloween holiday as a lure. At first I wondered if it used to be different types of briefing points originally, and the text was just changed? There is an extra space in the text before “Halloween,” which is why it seemed like it was edited. But then I went to the website of the Navy Safety Center, and...
Oct 31st
October 25 - Excel File from "IBM111"
Another random Excel file. No idea who the sender is supposed to be. It uses a relevant subject line, although the Excel file name isn’t anything except a date and a number. The file has an 8/42 (19%) detection rate at VirusTotal, a little higher today than when I originally submitted it. Might not have bothered posting this, except for the fact that it came from that IBM111 server that we...
Oct 30th
October 20 - Fake Taipei Event Registration
This was pretty well done. It’s an invitation to attend and to register for an event in Taipei, jointly held by three of the most prominent foreign trade associations in Taiwan. The event itself is real. The supposed sender is the real event coordinator, and someone with whose name I’m familiar - we work extensively with her organization. The email was sent to three people - me, my...
Oct 20th
October 12 - Malicious Excel File from Fake Air...
This is pretty sloppy. Who, in this day and age, would just open a mystery Excel spreadsheet sent in a blank email from some random Wright-Patterson Air Force Base email? But it’s definitely from one of the same groups that have been sending us better targeted stuff for a while - I think I’ve seen that “IBM111” computer before. The attached .xls file has only a 14%...
Oct 13th
September 2011
September 30 - Fake Internship Application
It had to happen eventually. Luckily, my colleague is a star who is diligent about scanning all the internship applications she gets, and who is also savvy enough to see the warning signs of a disconnect between sender email/sender name and the signed name at the bottom of the email. We have a very active internship program, and she is listed as the contact on our website, so she gets quite a few...
Sep 30th
September 14 - US Pass the Taiwan Airpower...
I got this email - supposedly from my Chairman going by the AOL (heh) email address used as the sender. It was a very poorly constructed email, although the subject matter was clever. Two days earlier, my organization had put out a press release, urging Congress to pass TAMA. The subject was exactly the text of the PR headline, except cutting out a few words to imply that it had actually passed....
Sep 30th
August 2011
August 16 - U.S. To Deny Taiwan New F-16 Fighters...
I got an email “from” my boss, looking like it was sent using one of those “Add This” helper buttons. It was supposedly a link to a Defense News article that had caused quite a stir overnight, with the headline “U.S. To Deny Taiwan New F-16 Fighters” - an issue, as you may imagine, that is something we have been working on. But look! The actual link...
Aug 17th
August 15 - Invitation: US-Taiwan Defense...
Another email using my defense conference as bait to trick people into opening a malware-laden PDF attachment. The email looks exactly like the one from August 8, down to the attachment - it’s the same file. The original upload of August 8 had 41.9% coverage at VirusTotal. I re-scanned the file, now the coverage is up at 58.1%. Still not all that great, unfortunately. The main difference...
Aug 15th
August 10 - Details of First Chinese Aircraft...
I guess the first try at getting us to give up our email logins today failed, so they are trying again. And this is a really juicy email, about the first Chinese Aircraft Carrier formerly called the Varyag (purchased from Russia). It even has pictures! The pictures come from a real BBC news story on August 10 with the title “China’s first aircraft carrier ‘starts sea...
Aug 11th
August 10 - Biden not to discuss with China arms...
This was likely intended to bait us into revealing email login information, rather than being the “normal” attack emails with an attachment or link to a malicious file that would install malware on our computers. This is more along the line of traditional phishing attacks to try to trick you into giving up your login info. But it was obviously targeted at myself and my colleagues - we...
Aug 11th
August 8 - Invitation: US-Taiwan Defense Industry...
I am angry about this email, because it really feels like an attack on me personally. This kind of stuff makes doing my job - which includes promoting events - so much harder. I only discovered this particular one because it came back as a return for an email sent to an invalid address at a large and influential think tank. Basically, it’s my NGO used as the sender, and the defense...
Aug 11th
August 8 - Fake Training Manual
Another one of the emails targeted specifically at me and my colleagues. This email, supposedly containing a link to a “Training Manual” was sent “from” my colleague who handles HR issues to me, our boss, our Chairman, and to the main organization email. The email address they used for our Chairman wasn’t correct, but it was a pretty good guess. Interesting that they...
Aug 8th
August 3 - Fake 2011 Internal Budget
This email is not specifically targeted at the China-watchers like normal, instead it’s more general - the subject could be of interest to anyone working in an office, for example. I don’t know the person who supposedly sent the email. The attached PDF is called “2011 project budget.pdf” (which sounds sort of like the document that caused all those issues for RSA) and had a...
Aug 8th
July 4 - China’s Efforts Towards A Peaceful...
I have been remiss in posting a few things, since it’s been a pretty quiet month and a half or so, and I’ve been busy. This email, targeted to the overall China-watching community, came in on July 4. It’s a fake article supposedly from The Economist, attached as a PDF file. I couldn’t find an original article with that title, but the magazine did run a June 23, 2011 special...
Aug 8th
June 2011
June 16 - Fake Chinese Air Force's latest weapon
Why yes I do want to know about the latest and greatest weapons developed by the Chinese Air Force! So tempting! Yet I’m not actually willing to risk clicking on this likely-poisoned link… (Update: A researcher friend of mine has confirmed that the link leads to a page with a malicious Flash file, exploiting a vulnerability that was patched by Adobe as late as this Tuesday.) This...
Jun 17th
June 14 - Fake Chairman About Defense Conference
And it has begun, the exploiting of my defense conference to trick people into opening malicious files. I got this lovely email this morning “from” my Chairman, telling me to download a zip file in order to provide feedback on the conference. Of course, the zip file contained a payload (36.6% at Virustotal). Whoever sent it didn’t do a good job, though, because it landed in my...
Jun 15th
June 13 - Fake Navy Procurement Cuts
Another malicious file sent via the compromised mail server of that doctor’s office in Kentucky. It’s the same as my May 31 and June 1 entries. (Mila at Contagio has more extensive data on some of these files.) This time, the payload of the spear phishing email was contained in a PDF file (Virustotal 11.9%) talking about Navy procurement (the last few have been Word .doc files). But again...
Jun 14th
June 9 - Fake ICTSD
A malicious email targeted at the China-watcher community. This is another one that doesn’t have an attachment, it only links to a malicious file/website (which I did not visit out of an abundance of caution). If I had to guess, I would say (based on the URL including the folder name “swf”) that it probably goes to a web page with a malicious embedded Flash file. Perhaps to take...
Jun 10th
June 7 - Fake F-16 Info from SASC
This spear phishing/attack email is actually unusually targeted - it looks like the only recipients of this particular email are current/past employees of my NGO, along with our main public email address. The supposed sender was someone well known to us, but who is no longer at that U.S. government post. It came from a Yahoo address, cleverly named so as to slightly misspell the person’s...
Jun 8th
June 1 - Two Fake Defense/Military Emails
A steady stream of malicious files… Again, these were more targeted at the D.C. area defense policy people in general, rather than directly at us. But both my colleagues got these - I did not. Both came from the same seemingly-hacked mail server as the one from yesterday. (Use it or lose it, perhaps?) Both had Word document attachments - one called “Q and A.doc” (Virustotal...
Jun 1st
May 2011
May 31 - Fake Obama Speech
A “target all Washington, D.C. policy wonks” type email sent to my colleague. Not targeted at my NGO, and not really at the Taiwan/China community either. The email text contains President Obama’s remarks on the Middle East and North Africa, a speech he gave on May 19. The attached Word file was named “President Obama’s Speech.doc” and had 20.9% coverage on...
May 31st
May 26/27 - Fake Defense Conference Financial Data
This was a pretty targeted one-two attack. On May 26, both my boss and I received an email “from” our colleague, with a cryptic subject header and a link to a zip file purportedly containing data about our annual Taiwan defense conference. It asked us to download information in a zip file from a “purplemoo.com” location online - what appears to be the hacked web server of a...
May 27th
May 18 - Fake Article Forward from CFR/NC
Another sort-of-targeted email - by that I mean targeted at the China-analyst community in general, not at me or my NGO specifically. Again with a malicious Word file attachment. We used to get .doc files all the time, but then it switched to .pdf almost exclusively. Guess that’s changed lately. The attachment has decent coverage at Virustotal (38.1%). The immediate sender, supposedly...
May 18th
May 3 - Osama bin Laden Malware
It was inevitable that such a hugely important event would be used to spread malware. There was even a segment about watching out for it on the radio this morning! I’m actually kind of excited to have received one, weirdly enough. None of my colleagues got a copy. The sender is supposedly a Senior Fellow at a prominent local NGO, although the “From” email listed isn’t...
May 3rd
April 2011
April 26 - Fake Middle East Report
Another day, another poisoned PDF attachment. The supposed sender is someone we work with quite often, who is well known in the community. You can see that someone just used a common misspelling of his first name, then created a Gmail address using that spelling. The “To” address is a real address to a fairly high level executive within his Asia-related, high-profile NGO. I was...
Apr 26th
April 20 - Fake Meeting Minutes
Another of what I think of as not-that-targeted-but-sort-of emails, containing a malicious Word attachment of supposed draft meeting minutes labeled “Asia policy notations.” The file had about 24% coverage on Virustotal the first time I scanned it, but that’s been upped to 31.7% a day later. Although the “From” and “To” names are different, the email...
Apr 21st
April 14 - Fake Contacts Update
Fake email sent to my colleague, attempting to get him to open the attached malicious Excel file. The coverage for this one is very sparse - only 7.1% at Virustotal. The “from” name is probably supposed to be a prominent government affairs/strategy person from one of the largest trade associations in D.C. However, it’s not someone we normally interact with. The name in the gmail...
Apr 14th
April 13 - Fake US Naval Institute
It’s been quiet for a while, but we got three today! Guess the Adobe 0-day is keeping people busy? This email comes “from” the US Naval Institute, and is text copied directly from a cool article on the USNI website (but without the awesome pictures). The supposed sender is probably the first person they could find on the USNI website with full contact info - it’s the info...
Apr 13th
April 13 - Fake China Strategy Intel
This came as a BCC to my boss today. The “To” recipient is a person at the local D.C. office of the Taiwan government (effectively the embassy, although it’s not officially called that). It has the same user name as his official Taiwan government email, so I wonder if it’s his personal email address. The attachment, a Word document with no name (possibly because the...
Apr 13th
April 13 - All over the place
This email, sent both to me and my two colleagues, is completely all over the place. It is so messed up that it seems amateurish in light of the other stuff we see. However, the Excel attachment does not have very good coverage at Virustotal. I say that it’s all over the place, because the “From” name is the President of a prominent NGO. The (likely fake) ...
Apr 13th
March 2011
November 25, 2009 - Fake Email on Defense Issue
I have a saved Google search that scans for certain phrases appearing online. Today, it came across this post on the Contagio malware dump website that I hadn’t seen before. The post concerns an email supposedly “from” my boss, using a gmail account he doesn’t control, writing to someone about an important issue - something that we have been actively working on for a long...
Mar 29th
March 24 - Fake Red Cross ("World Nuclear...
Another not as targeted as normal email, but still interesting. The subject line trumpets “Warning!! World nuclear disaster” and the email itself purports to link to a research report on how “Japan’s nuclear radiation will cause great disaster in the near future, including US. Europe, China etc.” The link in the email to the “research report” is to a zip...
Mar 24th
March 15, 2011 - Fake Wikileaks
Ok, this wasn’t as targeted as normal, but I found it amusing. It’s an appeal supposedly “from” Wikileaks to download a .zip file with information about the Japan earthquake and tsunami. But it’s also playing on fears of war in Asia: “After the earthquake will once again revive Japanese militarism, China, South Korea, North Korea, Southeast Asia will once...
Mar 15th
March 2, 2011
I got this email overnight. Unusually, it’s a malicious Excel file attachment (coverage at Virustotal is 18.6%), not the normal Word or PDF file. The supposed “bio” (silly to try to pass off a .xls file as a biography) is for a prominent researcher at CSIS. Mr. C won’t be attending any more meetings. He is now retired from DSCA (the organization within the U.S. DOD that...
Mar 2nd
March 1, 2011
My colleagues both got this email, but I didn’t. It’s a forward “from” a State Department email, supposedly itself forwarding information about important Taiwan government contacts in an email from Taiwan’s Ministry of Foreign Affairs. I have no doubt that the information in the email text is correct, but there is also an attached .rar file that is malicious...
Mar 1st
December 16, 2010
A “Happy New Year” greeting sent directly to me, supposedly “from” a prominent Taiwan researcher at CSIS. I know this person, but I also know that he has been used as the sender of these types of emails before, poor guy. And the writing style is nowhere close, of course. The fact that it’s about two weeks early for a Happy New Year’s greeting is another clue....
Mar 1st
December 9, 2010
This was a weird one, also sent directly to me. It looks like it could be a copy of a real email sent from a staff member of a Congressperson, sending along a resume for consideration. Obviously not a real email, as the greeting is for “John” not me. It contains a malicious Word file attachment. The sender is from a yahoo address, mimicking the normal house.gov style of email...
Mar 1st
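The same tells recur through these posts: a familiar display name paired with a free-webmail address that slightly misspells the real one (June 7, April 26, the December 9, 2010 entry above), a signed name that does not match the sender (September 30), the same “Received: from” hostname turning up again (November 4, October 25), and the usual .doc/.xls/.pdf/.zip/.rar payload. The Python script below is an added example, not code from the blog or its author, that turns those tells into a first-pass triage over a raw .eml. The address book (KNOWN_CONTACTS), the two sample messages and every address and IP in them are constructed for illustration; the two hostnames in SUSPECT_RECEIVED_HOSTS are the ones the posts mention.

```python
"""Header-and-attachment triage for suspected spear-phishing mail.

Added example, not the blog's own code. The contact list and the two
sample messages are constructed; only the two Received: hostnames come
from the posts.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical address book: people the recipient knows, keyed by the
# display name they use, with the address they actually send from.
KNOWN_CONTACTS = {
    "Jane Smith": "jane.smith@example.gov",
    "Robert Chen": "rchen@example.org",
}

# Hostnames the posts report in Received: headers of earlier malicious mail.
SUSPECT_RECEIVED_HOSTS = {"ibm111", "deepin-f12c1fc0"}

# Free webmail domains repeatedly used to impersonate official senders.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "aol.com", "hotmail.com"}

# Attachment types the posts describe as carrying payloads.
RISKY_EXTENSIONS = (".doc", ".xls", ".pdf", ".zip", ".rar")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character address misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: bytes) -> list[str]:
    """Return human-readable findings for one raw message; [] means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display_name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    local, _, domain = addr.partition("@")

    # 1. A known display name, but not the address that person really uses.
    known = KNOWN_CONTACTS.get(display_name)
    if known and known.lower() != addr:
        findings.append(f"display name {display_name!r} is known as {known}, but mail is from {addr}")
        if domain in FREE_WEBMAIL:
            findings.append(f"known contact impersonated from free webmail domain {domain}")

    # 2. Local part within two edits of a known contact's (a lookalike/misspelling).
    for kaddr in KNOWN_CONTACTS.values():
        klocal = kaddr.split("@")[0].lower()
        if local != klocal and levenshtein(local, klocal) <= 2:
            findings.append(f"sender local part {local!r} resembles {klocal!r}")

    # 3. A relay hostname previously seen delivering malicious mail.
    for received in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", received, re.IGNORECASE)
        if m and m.group(1).lower() in SUSPECT_RECEIVED_HOSTS:
            findings.append(f"Received: from suspect host {m.group(1)}")

    # 4. Attachment types that have carried payloads before.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {filename}")

    # 5. Signature line with no part of the From: display name in it.
    body = msg.get_body(preferencelist=("plain",))
    lines = [l.strip() for l in body.get_content().splitlines() if l.strip()] if body else []
    if lines and display_name:
        signature = lines[-1].lower()
        if not any(tok.lower() in signature for tok in display_name.split()):
            findings.append(f"signed {lines[-1]!r} but From: display name is {display_name!r}")

    return findings


# Constructed sample modelled on the posts: familiar name, misspelled
# free-webmail address, a reused relay hostname, a .doc, and a different signature.
SUSPICIOUS = b"""\
Received: from IBM111 (unknown [198.51.100.7]) by mail.example.org
From: Jane Smith <jane.smiht@yahoo.com>
To: staff@example.org
Subject: F-16 info
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see attached.

Regards,
Peter Lin

--b1
Content-Type: application/msword; name="F-16 info.doc"
Content-Disposition: attachment; filename="F-16 info.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed benign sample: the real address, a known relay, no attachment.
BENIGN = b"""\
Received: from mail.example.gov (mail.example.gov [192.0.2.10]) by mail.example.org
From: Jane Smith <jane.smith@example.gov>
To: staff@example.org
Subject: Lunch next week?
Content-Type: text/plain; charset="utf-8"

Are you free Tuesday?

Jane Smith
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(sample) or "nothing flagged")
```

Each finding is a heuristic, not a verdict: a colleague mailing from a personal account will trip check 1, and a short first-name signature passes check 5 on purpose. The value is in the stack, as the posts show: a message that trips the relay, the lookalike and the attachment checks at once is the pattern the author kept seeing.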
December 2, 2010
I got this email “from” my boss, telling me “How about having a meeting tomorrow?” It then asked me to download information about the meeting in a zip file from a yahoodaily.com location online and provide my opinion. Apart from the fact that the email had terrible grammar, this would be so outside the range of normal interaction between us that it’s just silly. But...
Mar 1st
February 2011
Miscellaneous, 2010
We received so many other emails through the year that were spoofed and that carried malicious payloads of some kind. Most of them were instantly recognizable as faked, while others took a little work to identify. I quit taking screenshots of all of them after a while, but here are some representative samples: About F-16s from a spoofed sender at a defense contractor with whom we work,...
Feb 28th
July/August/September, 2010
There were several times through the year 2010 that my colleagues and I were used as the spoofed “sender” of some of these types of emails. Apparently, I sent out a very poorly worded email about “Taiwan’s Self Defense Needs” linking to a zip file containing malicious Word files, hosted on the hacked webserver of a Canadian company selling orthopedic products! Both my...
Feb 28th
September/October, 2010
Copying information directly from a website and sending it out as an HTML email with a malicious attachment became a trend through the end of the year. In September, I received an email supposedly “from” my own organization, using content copied from our website, this time with information about our quarterly semiconductor report, with a malicious PDF attachment. The PDF was named...
Feb 28th
September, 2010
My defense conference was in early October of 2010, and we began receiving malware-laden emails as early as in January of that year. We got quite a few of them, too many to include every single one here. But I thought I would put up two examples. On September 28, I received this email with text copied from the conference website. The text was taken directly from the introduction page on the...
Feb 28th
May 5, 2010
In May of 2010, the Secretary of Health and Human Services was traveling to the World Health Assembly meeting in Switzerland and to China for the U.S.-China Strategic and Economic Dialogue. In early May, I received this very detailed internal memo, with an attached “draft plan” in a .rar file, supposedly “from” the person handling Asia affairs inside HHS. We had no...
Feb 28th
February 5, 2010
Funny. Someone is using those Google Aurora attacks to get people to install malware. I received this very nice warning email from “Symantic Labs” [sic] and a helpful tool to “clean” my computer. No thanks! The list of people copied on the email contained a lot of prominent Taiwan-related people.
Feb 28th
January, 2010
My 2010 Defense Conference-related targeted attacks have apparently started already, more than nine months out. Oh joy… There were two emails from a gmail account - a user “jswang”, which is a pretty generic Chinese name. One was sent directly to me, and I was included in a mass mail for the other. The titles of these emails - see the screen shot of the direct email below, and...
Feb 28th