November 8 - Fake Colleague Email
My colleague got an email “from” me, asking her to click on a link to a zip file, supposedly containing information about how the “Best Chef from Northwest U.S” was “creating new tastes” in Taiwan. The subject is actually the title of an article from a Taiwan newspaper a few days before. The linked file was hosted on the hacked web server of some poor guy’s personal website (I’ve written to him telling him he may want to lock his site down and remove any files he doesn’t recognize.) The zip file contains a .exe file, and has a 6/43 (14.0%) detection rate - rather poor - at VirusTotal.
Subject: Best Chef from Northwest U.S. creates new tastes
Originating IP: 22.214.171.124
X-Mailer: Auto Mailer (www.automsw.com) ID: 284535 [I’m including this because I think it’s the first time I’ve seen an email with this particular mailer.]
August 16 - U.S. To Deny Taiwan New F-16 Fighters - AddThis
I got an email “from” my boss, looking like it was sent using one of those “Add This” helper buttons. It was supposedly a link to a Defense News article that had caused quite a stir overnight, with the headline “U.S. To Deny Taiwan New F-16 Fighters” - an issue, as you may imagine, that is something we have been working on.
But look! The actual link wasn’t to the article at all, it was yet another attempt to trick me into revealing my user name and password for my work email. It’s that same link as the last two attempts over the last week or so.
A couple of interesting things about this email. One, it was sent using Big5 character set (that’s the encoding used for traditional Chinese characters, like the ones used in Taiwan, not the GB set used in China). It was created using the Freeware HTML editor by Kurt Senfer, which I’ve seen a lot of for these types of emails. It was sent from another Hinet IP address of 126.96.36.199 (very close to the ones used in the last two similar emails). Once again, the name of the computer is appropriate, using the name of the supposed sender (although misspelled, which I thought was funny).
Interestingly, the link to unsubscribe from AddThis looked legitimate, and I figured that it would tell me where the original version of this email came from, so I followed it to “unsubscribe”. Looks like the email address originally included in the unsubscribe code was “email@example.com.” Not something that I had seen before, and a search online doesn’t seem to find any hits for that email. Is it a legitimate email of someone they “own”? Is it an email they use for actual tasks like where to send replies or to gather emails that look good for later use? Who knows. Curious!
Subject: [Name, email address] has shared something with you
Received from: 188.8.131.52
It struck me that I should look at what an actual “Add This” email would look like from Defense News. It looks pretty much exactly the same, which leads me to think that they must have sent themselves a copy, then modified it. So much work put into this, it’s crazy.
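As an added defender-side example (not the author's own tooling, and not taken from the emails above), here is a small Python triage script that pulls out the indicators these entries keep coming back to: the X-Mailer string, the character set, the sending IP in the Received line, and any link whose visible text names one host while its href points at another. The sample message and every host in it are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real capture) modelled on the lure above: Big5 charset,
# the mailer string the post names, and a link whose text shows one host while the
# href points at a different "servicelogin.htm" page. All hosts are example domains.
SAMPLE_EMAIL = b"""From: Boss <boss@ngo.example.org>
Subject: [Boss] has shared something with you
Received: from councilpc (unknown [203.0.113.45]) by mx.ngo.example.org
X-Mailer: Freeware HTML editor by Kurt Senfer
Content-Type: text/html; charset=big5

<html><body><p>U.S. To Deny Taiwan New F-16 Fighters</p>
<a href="http://lure.example.net/mail/servicelogin.htm">http://news.example.com/f16-article</a>
<a href="http://www.addthis.com/unsubscribe">unsubscribe</a></body></html>
"""
# Visible link text that looks like a URL or bare hostname (plain words are skipped).
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw_bytes):
    """Return the header indicators the post looks at plus any text/href host mismatch."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(msg.get("Received", "")))
    collector = LinkCollector()
    collector.feed(msg.get_content())  # the sample is single-part text/html
    mismatches = []
    for href, text in collector.links:
        if not URLISH.match(text):  # e.g. "unsubscribe" carries no host claim to compare
            continue
        shown = urlparse(text if "://" in text else "http://" + text).netloc.lower()
        actual = urlparse(href).netloc.lower()
        if shown != actual:
            mismatches.append((shown, actual))
    return {"x_mailer": str(msg.get("X-Mailer", "")), "charset": msg.get_content_charset() or "",
            "sender_ip": ip.group(1) if ip else "", "link_mismatches": mismatches}
```

On a real message the Received chain has several hops; this only reads the first one the parser returns, so extend it to walk all of them before trusting the IP.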
August 10 - Details of First Chinese Aircraft Carrier Revealed
I guess the first try at getting us to give up our email logins today failed, so they are trying again. And this is a really juicy email, about the first Chinese Aircraft Carrier formerly called the Varyag (purchased from Russia). It even has pictures! The pictures come from a real BBC news story on August 10 with the title “China’s first aircraft carrier ‘starts sea trials.’”
The email comes from the same supposed sender, using the same computer name and an IP address only slightly different from the one used earlier today. Clicking on either the link or the pictures leads you to that same fake page where we are supposed to unthinkingly try to log in to our work emails. I have to hand it to them, though, the fake login page is very well crafted. (My thanks to a less-paranoid friend who went there and took a screenshot.)
Subject: Fw: BBC News: Details of First Chinese Aircraft Carrier Revealed
Received from: 184.108.40.206
NOTE: Just like the computer called “councilpc” is being used to send out emails “from” my NGO, so the computer used in this instance (and in the one earlier today) is named “firstinitial lastname pc” of the person supposedly sending out these emails. Seems like it’s the same group of people doing both of these, according to that pattern.
August 10 - Biden not to discuss with China arms sales to Taiwan
This was likely intended to bait us into revealing email login information, rather than being one of the “normal” attack emails with an attachment or link to a malicious file that would install malware on our computers. This is more along the lines of traditional phishing attacks that try to trick you into giving up your login info. But it was obviously targeted at me and my colleagues - we all got a copy of this email, and the URL itself in the email seems to indicate that it was targeted just at the three of us.
The supposed “sender” is a scholar at that same think tank that was targeted in the August 8 email linked to our defense conference (he has also spoken at the event before). The subject of the email and the text of the link references one of the major news stories on Taiwan defense issues early this week, and is the wording from a statement by the Taiwan Minister of Foreign Affairs on August 8.
I am too paranoid to actually go to the URL referenced in this email. (I really should get some sort of VM set up so I can look at things without being worried about being infected. I will at some point.) But I’m pretty sure it will look very similar to our email login page. Also interesting is that this bears some resemblance to a June 2009 email that I called “scarephishing” for our login info. The URLs used in both are fairly similar, both ending with “servicelogin.htm.”
Subject: Biden not to discuss with China arms sales to Taiwan
Received from: 220.127.116.11
July 4 - China’s Efforts Towards A Peaceful Economically Developing World
I have been remiss in posting a few things, since it’s been a pretty quiet month and a half or so, and I’ve been busy. This email, targeted to the overall China-watching community, came in on July 4. It’s a fake article supposedly from The Economist, attached as a PDF file. I couldn’t find an original article with that title, but the magazine did run a June 23, 2011 special on China, so it’s possible that it’s related to that. The text of the email is pretty good, so I wonder if it’s a re-send of an actual email? I wasn’t familiar with the supposed sender, but it looks like he might be involved in a few China-related organizations. The attached PDF was named “10293874.pdf” and had a pretty good 40.5% coverage on VirusTotal.
- Subject: China’s Efforts Towards A Peaceful Economically Developing World
- MD5: f8b7c2361416e56928f457f6eb834896
May 18 - Fake Article Forward from CFR/NC
Another sort-of-targeted email - by that I mean targeted at the China-analyst community in general, not at me or my NGO specifically. Again with a malicious Word file attachment. We used to get .doc files all the time, but then it switched to .pdf almost exclusively. Guess that’s changed lately.
The attachment has decent coverage at Virustotal (38.1%). The immediate sender, supposedly forwarding an interesting article, is at the “NC” - i.e. the National Committee on US-China Relations. The original sender of the email was from the Council on Foreign Relations. The title of the shared article is taken from a real article published on May 17. The original sending out of the article from CFR was at 10:50am on the 17th. That’s a quick turnaround to use it for malicious purposes - I got the email at 5:10am on the 18th.
Given the tone of the text in the email, I wonder if this is spoofing a real email?