August 16 - U.S. To Deny Taiwan New F-16 Fighters - AddThis
I got an email “from” my boss, looking like it was sent using one of those “Add This” helper buttons. It was supposedly a link to a Defense News article that had caused quite a stir overnight, with the headline “U.S. To Deny Taiwan New F-16 Fighters” - an issue, as you may imagine, that is something we have been working on.
But look! The actual link wasn’t to the article at all, it was yet another attempt to trick me into revealing my user name and password for my work email. It’s that same link as the last two attempts over the last week or so.
A couple of interesting things about this email. One, it was sent using the Big5 character set (that’s the encoding used for traditional Chinese characters, like the ones used in Taiwan, not the GB set used in China). It was created using the Freeware HTML editor by Kurt Senfer, which I’ve seen a lot of in these types of emails. It was sent from another Hinet IP address, 168.95.4.108 (very close to the ones used in the last two similar emails). Once again, the name of the computer is appropriate, using the name of the supposed sender (although misspelled, which I thought was funny).
Interestingly, the link to unsubscribe from AddThis looked legitimate, and I figured that it would tell me where the original version of this email came from, so I followed it to “unsubscribe”. Looks like the email address originally included in the unsubscribe code was “newscomeon@hotmail.com.” Not something that I had seen before, and a search online doesn’t seem to find any hits for that email. Is it a legitimate email of someone they “own”? Is it an email they use for actual tasks like where to send replies or to gather emails that look good for later use? Who knows. Curious!
Message
Subject: [Name, email address] has shared something with you
Received from: [168.95.4.108]
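The checks done by hand above (charset, HTML generator tag, sending IP in the Received line, visible link versus real target, and the address embedded in the unsubscribe link) can be pulled out of a message automatically. The following is an added example, not code from the post; the sample message is constructed, with placeholder hostname and link targets, and the hypothetical `triage` function returns the indicators for a reviewer to eyeball.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample with the post's indicators; hostname and links are placeholders.
SAMPLE = b"""Received: from boss-name-pc (boss-name-pc [168.95.4.108])
Content-Type: text/html; charset=big5

<html><head><meta name="generator" content="Freeware HTML Editor"></head>
<body><a href="http://phish.example/owa/login">http://news.example/article/taiwan-f16</a>
<a href="http://addthis.example/unsubscribe?email=newscomeon@hotmail.com">unsubscribe</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) per anchor plus the generator meta tag."""
    def __init__(self):
        super().__init__()
        self.links, self.generator, self._href, self._text = [], None, None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content")
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw: bytes) -> dict:
    # Pull out the header and link indicators the post checked by hand.
    msg = email.message_from_bytes(raw, policy=policy.default)
    parser = LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    return {
        "charset": msg.get_content_charset(),
        "generator": parser.generator,
        "source_ip": ip.group(1) if ip else None,
        # Visible URL whose host differs from the real href: the lure itself.
        "mismatched_links": [(h, t) for h, t in parser.links if t.startswith("http")
                             and urlparse(t).netloc != urlparse(h).netloc],
        # Address baked into the unsubscribe link, as the post found.
        "unsubscribe_emails": [e for h, _ in parser.links if "unsubscribe" in h
                               for e in parse_qs(urlparse(h).query).get("email", [])],
    }
```

Run `triage(SAMPLE)` on the constructed message to see each indicator; on a real message, read the first Received line that your own mail servers did not add.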
Update
It struck me that I should look at what an actual “Add This” email would look like from Defense News. It looks pretty much exactly the same, which leads me to think that they must have sent themselves a copy, then modified it. So much work put into this, it’s crazy.
targetedemailattacks posted this