September 14 - US Pass the Taiwan Airpower Modernization Act

I got this email - supposedly from my Chairman going by the AOL (heh) email address used as the sender.  It was a very poorly constructed email, although the subject matter was clever. Two days earlier, my organization had put out a press release, urging Congress to pass TAMA. The subject was exactly the text of the PR headline, except cutting out a few words to imply that it had actually passed. The link in the email led to a malicious .zip file, hosted on the hacked web server of a company that sells fake brand items (bags, shoes, etc.). That made me laugh, given that I usually name the screenshots for this blog “fake_something.jpg.”

The timing was bad, as it was right in the lead-up to our defense conference. So I didn’t get a chance to process this email (submit to VirusTotal, analyze headers, etc.), but I thought I would post the screenshot anyway.

Fake Chairman Press Release

August 16 - U.S. To Deny Taiwan New F-16 Fighters - AddThis

I got an email “from” my boss, looking like it was sent using one of those “Add This” helper buttons. It was supposedly a link to a Defense News article that had caused quite a stir overnight, with the headline “U.S. To Deny Taiwan New F-16 Fighters” - an issue, as you may imagine, that is something we have been working on.

But look! The actual link wasn’t to the article at all, it was yet another attempt to trick me into revealing my user name and password for my work email. It’s that same link as the last two attempts over the last week or so.

Fake Google Login with AddThis

A couple of interesting things about this email. One, it was sent using Big5 character set (that’s the encoding used for traditional Chinese characters, like the ones used in Taiwan, not the GB set used in China). It was created using the Freeware HTML editor by Kurt Senfer, which I’ve seen a lot of for these types of emails. It was sent from another Hinet IP address of 168.95.4.108 (very close to the ones used in the last two similar emails). Once again, the name of the computer is appropriate, using the name of the supposed sender (although misspelled, which I thought was funny).

Fake Google Login with AddThis - Headers

Interestingly, the link to unsubscribe from AddThis looked legitimate, and I figured that it would tell me where the original version of this email came from, so I followed it to “unsubscribe”. Looks like the email address originally included in the unsubscribe code was “newscomeon@hotmail.com.” Not something that I had seen before, and a search online doesn’t seem to find any hits for that email. Is it a legitimate email of someone they “own”? Is it an email they use for actual tasks like where to send replies or to gather emails that look good for later use? Who knows. Curious!

Fake Google Login with AddThis - Opt Out

Message
Subject: [Name, email address] has shared something with you
Received from: 168.95.4.108

Update
It struck me that I should look at what an actual “Add This” email would look like from Defense News. It looks pretty much exactly the same, which leads me to think that they must have sent themselves a copy, then modified it. So much work put into this, it’s crazy.

August 15 - Invitation: US-Taiwan Defense Industry Conference 2011

Another email using my defense conference as bait to trick people into opening a malware-laden PDF attachment. The email looks exactly like the one from August 8, down to the attachment - it’s the same file. The original upload of August 8 had 41.9% coverage at VirusTotal. I re-scanned the file, now the coverage is up at 58.1%. Still not all that great, unfortunately.

Fake Defense Conference Marketing 2

The main difference this time was the target list. Last time, it seemed from the returns that it was targeting one of the largest think tanks here in the D.C. area. This time, the target was defense and security think tanks and academic institutions, but also apparently the U.S. Department of State. The vast majority of returns were from non-existing state.gov email addresses.

The coolest thing, though, was to see how some of the recipients’ mail systems dealt with this email. Several have apparently blocked ALL emails coming in from the IP address in question (60.249.181.163) using the Barracuda spam blocking system. I wonder if that is a wider block on Hinet overall, so it blocks legitimate email traffic from Taiwan as well? Hinet is, after all, a main ISP in Taiwan.

Several other systems also blocked the email because they detected the malicious attachment. The one in the screenshot below is apparently using McAfee, although others that blocked it were using Trend Micro - at least if you go by the name of the detection.

It’s encouraging that not all the malware-laden emails sent reached their destinations. Yet I still hate having my hard work organizing this conference be tainted by these malicious emails sent out in our name…

Message
Subject: Invitation: US-Taiwan Defense Industry Conference 2011
Attachment MD5: 61cd38ea5bd91ce96f62540d403bd702
Received from: 60.249.181.163

Update, August 16
Two more campaigns went out overnight. We got about 20 returns for another mailing of the “Invitation” email, and about five for the “Agenda” email. The returns once again came primarily from U.S. government domains, from a bunch of older emails (several returns from emails that I know have been obsolete for a while). Luckily, they are lazy and are using the same PDF with the same hash and the same exploit, and the same mailing server. So it looks like a lot of places have gotten wise to it and blocked the mail either for a malicious attachment, or for coming from a bad IP. Unfortunately, we also got a few “Out of Office” replies as well…

August 10 - Details of First Chinese Aircraft Carrier Revealed

I guess the first try at getting us to give up our email logins today failed, so they are trying again. And this is a really juicy email, about the first Chinese Aircraft Carrier formerly called the Varyag (purchased from Russia). It even has pictures! The pictures come from a real BBC news story on August 10 with the title “China’s first aircraft carrier ‘starts sea trials.’”

The email comes from the same supposed sender, using the same computer name and an IP address only slightly different from the one used earlier today. Clicking on either the link or the pictures leads you to that same fake page where we are supposed to unthinkingly try to log in to our work emails. I have to hand it to them, though, the fake login page is very well crafted. (My thanks to a less-paranoid friend who went there and took a screenshot.)

Fake Google Login with Varyag Carrier

Message
Subject: Fw: BBC News: Details of First Chinese Aircraft Carrier Revealed
Received from: 168.95.4.104

NOTE: Just as the computer called “councilpc” is being used to send out emails “from” my NGO, the computer used in this instance (and in the one earlier today) is named after the person supposedly sending these emails, in the form “firstinitial lastname pc”. Given that pattern, it seems like the same group of people is doing both.

August 10 - Biden not to discuss with China arms sales to Taiwan

This was likely intended to bait us into revealing email login information, rather than being the “normal” attack emails with an attachment or link to a malicious file that would install malware on our computers. This is more along the line of traditional phishing attacks to try to trick you into giving up your login info. But it was obviously targeted at myself and my colleagues - we all got a copy of this email, and the URL itself in the email seems to indicate that it was targeted just at the three of us.

The supposed “sender” is a scholar at that same think tank that was targeted in the August 8 email linked to our defense conference (he has also spoken at the event before). The subject of the email and the text of the link references one of the major news stories on Taiwan defense issues early this week, and is the wording from a statement by the Taiwan Minister of Foreign Affairs on August 8.

I am too paranoid to actually go to the URL referenced in this email. (I really should get some sort of VM set up so I can look at things without being worried about being infected. I will at some point.) But I’m pretty sure it will look very similar to our email login page. Also interesting is that this bears some resemblance to a June 2009 email that I called “scarephishing” for our login info. The URL used in both are fairly similar, both ending with “servicelogin.htm.”

Google Phishing

Message
Subject: Biden not to discuss with China arms sales to Taiwan
Received from: 168.95.4.109

August 8 - Invitation: US-Taiwan Defense Industry Conference 2011

I am angry about this email, because it really feels like an attack on me personally. This kind of stuff makes doing my job - which includes promoting events - so much harder. 

I only discovered this particular one because it came back as a return for an email sent to an invalid address at a large and influential think tank. Basically, it’s my NGO used as the sender, and the defense conference I plan each year used as the bait, to try to trick the recipients into opening a malicious PDF file named “Conference Registration Form.pdf.” The attached malicious PDF had a decent 41% detection rate at VirusTotal. The text and graphics in the email itself (down to the destinations for the links shown in the email) were taken directly from the front page of the conference website, with small adjustments to fit the text colors to the color scheme of the site.

Fake DefCon11 Marketing

I was able to get a copy from someone else of the original headers for this email, and I found it interesting that it was sent from a computer named “councilpc” - just like a similar email from the 2010 conference. Perhaps there really is a machine out there in attack-land that is dedicated to sending out stuff “from” us? Seems rather random otherwise, but who knows.

Message
Subject: Invitation: US-Taiwan Defense Industry Conference 2011
Attachment MD5: ec8a87a00b874899839b03479b3d7c5c
Received from: 60.249.181.163

From what I have heard, a very similar email to this one was sent out to some prominent members of the community, including one of my speakers. That email had the same header and sender but was called “Agenda - US-Taiwan Defense Industry Conference 2011” and contained an .exe .src file zipped up in a .zip attachment. Haven’t been able to confirm, though, as nobody who I know received it has been able to send me a copy.

Update
Someone who reads this blog (thanks!) kindly provided me with some details on this other email, as follows:

The email with the subject “Agenda for US-Taiwan Defense Industry Conference 2011” had similar headers:

Received:     from councilpc (60-249-181-163.HINET-IP.hinet.net [60.249.181.163]) (authenticated bits=0)
        by msr10.hinet.net (8.14.2/8.14.2) with ESMTP id p78DnWDd011944

The email has no content, only an attachment called: Agenda - US-Taiwan Defense Industry Conference 2011.zip with md5 61cd38ea5bd91ce96f62540d403bd702. The zip file contains a .SCR file which drops out a common targeted attack backdoor. The backdoor connects to rdaccount.dns1.us. The backdoor is the same as the one which is dropped from the PDF in the other email you mention “Invitation: US-Taiwan Defense Industry Conference 2011.”

Message
Subject: Agenda for US-Taiwan Defense Industry Conference 2011
Attachment MD5: 61cd38ea5bd91ce96f62540d403bd702
Received from: 60.249.181.163
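An added example, not code from this blog, that turns the header tells noted above into a check over Received: lines. It parses the sendmail-style first hop quoted in the update and flags the IPs recorded in these posts, the bare “councilpc”-style HELO name, a HELO built from the supposed sender's name, and a hinet.net relay for mail claiming to come from another domain. The lookalike and benign headers, the display names and the example.org/example.net domains are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# First-hop "Received:" line in the sendmail format shown in the headers above:
#   from <HELO> (<rDNS> [<IP>]) (authenticated bits=0) by <relay> ... with ESMTP id ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\)"
    r".*?\bby\s+(?P<relay>\S+)"
)

# Sending IPs recorded in the posts on this page.
WATCHLIST_IPS = {"60.249.181.163", "168.95.4.104", "168.95.4.108", "168.95.4.109"}

# Header quoted in the August 8 update (from the page), plus two constructed samples.
PAGE_HEADER = ("Received: from councilpc (60-249-181-163.HINET-IP.hinet.net [60.249.181.163])"
               " (authenticated bits=0)\n by msr10.hinet.net (8.14.2/8.14.2) with ESMTP id p78DnWDd011944")
LOOKALIKE_HEADER = ("Received: from jsmithpc (168-95-4-104.HINET-IP.hinet.net [168.95.4.104])"
                    " (authenticated bits=0) by msr11.hinet.net with ESMTP id CONSTRUCTED01")
BENIGN_HEADER = ("Received: from mail.example.org (mail.example.org [192.0.2.10])"
                 " by mx.example.net (Postfix) with ESMTPS id CONSTRUCTED02")

@dataclass
class Hop:
    helo: str
    rdns: str
    ip: str
    relay: str
    reasons: list = field(default_factory=list)

def parse_received(header: str) -> Optional[Hop]:
    """Unfold a Received: header and pull out HELO name, rDNS, IP and relay."""
    m = RECEIVED_RE.search(" ".join(header.split()))
    if not m:
        return None
    return Hop(m["helo"], m["rdns"] or "", m["ip"], m["relay"])

def score_hop(header: str, display_name: str, from_domain: str) -> Optional[Hop]:
    """Apply the tells noted in the posts: watchlisted IP, workstation-style HELO,
    HELO built from the supposed sender's name, and a relay unrelated to the From: domain."""
    hop = parse_received(header)
    if hop is None:
        return None
    first, _, last = display_name.lower().rpartition(" ")
    helo = hop.helo.lower()
    if hop.ip in WATCHLIST_IPS:
        hop.reasons.append("sending IP seen in earlier campaigns")
    if "." not in helo:
        hop.reasons.append("single-label HELO name, not a mail host")
    if first and helo == f"{first[0]}{last}pc":
        hop.reasons.append("HELO is <initial><lastname>pc of the supposed sender")
    if hop.relay.endswith("hinet.net") and not from_domain.endswith("hinet.net"):
        hop.reasons.append(f"relayed via hinet.net but From: claims {from_domain}")
    return hop
```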

August 8 - Fake Training Manual

Another one of the emails targeted specifically at me and my colleagues. This email, supposedly containing a link to a “Training Manual” was sent “from” my colleague who handles HR issues to me, our boss, our Chairman, and to the main organization email. The email address they used for our Chairman wasn’t correct, but it was a pretty good guess. Interesting that they used the same guessed email address for him as for an email we saw in June. The email contained a link to a zip file, hosted at what is probably a hacked server in Hong Kong. 

Fake Email for Training Manual

I didn’t download and scan this sample (no time, no safe environment to do so), but my understanding is that the linked .zip file contains an Excel file, and it’s most certainly malicious. 

Honestly, I was getting a little weirded out at the lack of these types of attack emails lately, and I worried if that indicated that we had been compromised. So I have been extremely paranoid - more so than normal - about scans and monitoring of our work systems. But perhaps it was just a regular lull over the summer…

Message
Subject: Training Manual for US-Taiwan Staffs

August 3 - Fake 2011 Internal Budget

This email is not specifically targeted at the China-watchers like normal, instead it’s more general - the subject could be of interest to anyone working in an office, for example. I don’t know the person who supposedly sent the email. The attached PDF is called “2011 project budget.pdf” (which sounds sort of like the document that caused all those issues for RSA) and had a decent 34.9% detection rate (since updated to 41.9%) at VirusTotal.

Fake Internal Budget

Message
Subject: 2011 project budget
Attachment MD5: 8356b3dfdafc580a9def6dc55bc7aacf

July 4 - China’s Efforts Towards A Peaceful Economically Developing World

I have been remiss in posting a few things, since it’s been a pretty quiet month and a half or so, and I’ve been busy. This email, targeted to the overall China-watching community, came in on July 4. It’s a fake article supposedly from The Economist, attached as a PDF file. I couldn’t find an original article with that title, but the magazine did run a June 23, 2011 special on China, so it’s possible that it’s related to that. The text of the email is pretty good, so I wonder if it’s a re-send of an actual email? I wasn’t familiar with the supposed sender, but it looks like he might be involved in a few China-related organizations. The attached PDF was named “10293874.pdf” and had a pretty good 40.5% coverage on VirusTotal.

Fake Economist Article

Message
Subject: China’s Efforts Towards A Peaceful Economically Developing World
Attachment MD5: f8b7c2361416e56928f457f6eb834896

June 16 - Fake Chinese Air Force’s latest weapon

Why yes I do want to know about the latest and greatest weapons developed by the Chinese Air Force! So tempting! Yet I’m not actually willing to risk clicking on this likely-poisoned link… (Update: A researcher friend of mine has confirmed that the link leads to a page with a malicious Flash file, exploiting a vulnerability that was patched by Adobe as late as this Tuesday.)

This email came to all of us in my office, and I wouldn’t be surprised if it was a very widespread blast that went to most of the people in D.C. working on defense issues in Asia. It came from a Yahoo email, using a very common type of Chinese name - I have no idea who the person is that’s being impersonated, or indeed whether it is perhaps just a random name.

Fake Chinese Air Force's Latest Weapon

It’s a pretty humdrum email, to be honest. Yet the message source for the HTML email was kind of unusual. The (simplified) Chinese characters included as title names mean “Click for alternate translations”, which is almost exactly the phrasing used on Google Translate. I wonder if the text was auto translated from Chinese to English before being pasted into the email?

Fake Chinese Air Force's Latest Weapon - Source

Also, I was kind of intrigued by the location of the file. It resides on the (likely hacked) webserver of CSCAP, which is the Council for Security Cooperation in the Asia Pacific, and a part of the Center for International Relations (IIR), at National Chengchi University (NCCU) in Taiwan.