November 8 - Fake Colleague Email
My colleague got an email “from” me, asking her to click on a link to a zip file, supposedly containing information about how the “Best Chef from Northwest U.S” was “creating new tastes” in Taiwan. The subject is actually the title of an article from a Taiwan newspaper a few days before. The linked file was hosted on the hacked web server of some poor guy’s personal website (I’ve written to him telling him he may want to lock his site down and remove any files he doesn’t recognize.) The zip file contains a .exe file, and has a 6/43 (14.0%) detection rate - rather poor - at VirusTotal.
Subject: Best Chef from Northwest U.S. creates new tastes
Originating IP: 18.104.22.168
X-Mailer: Auto Mailer (www.automsw.com) ID: 284535 [I’m including this because I think it’s the first one I’ve seen an email with this particular mailer.]
September 14 - US Pass the Taiwan Airpower Modernization Act
I got this email - supposedly from my Chairman going by the AOL (heh) email address used as the sender. It was a very poorly constructed email, although the subject matter was clever. Two days earlier, my organization had put out a press release, urging Congress to pass TAMA. The subject was exactly the text of the PR headline, except cutting out a few words to imply that it had actually passed. The link in the email led to a malicious .zip file, hosted on the hacked web server of a company that sells fake brand items (bags, shoes, etc.). That made me laugh, given that I usually name the screenshots for this blog “fake_something.jpg.”
The timing was bad, as it was right in the lead-up to our defense conference. So I didn’t get a chance to process this email (submit to VirusTotal, analyze headers, etc.), but I thought I would post the screenshot anyway.
May 26/27 - Fake Defense Conference Financial Data
This was a pretty targeted one-two attack. On May 26, both my boss and I received an email “from” our colleague, with a cryptic subject header and a link to a zip file purportedly containing data about our annual Taiwan defense conference. It asked us to download information in a zip file from a “purplemoo.com” location online - what appears to be the hacked web server of a legitimate business. I sent the file to Virustotal, which had a decent 33% coverage.
This is all well and good, and sort of standard. But the funny thing was that on May 27, I received another email, with a slightly modified subject line, that claimed “Sory [sic], this is the correct version” and a link to the same file. Again, both my boss and I received the email “from” our colleague, while she received the same email as if “from” my boss. Given that the URL of the compromised file location contained “US-Taiwan”, it seems pretty specific to my NGO only. None of us know what the email subject might be referencing. Headers show both emails sent from 22.214.171.124.
May 26 version:
May 27 version: