About This Blog

This tumblelog is the extension of a post on my “regular” blog, because that post was getting unwieldy with examples.

I want to highlight the general issue of socially engineered and specifically targeted malware and trojans being spread through crafted spear-phishing emails, because it’s something that affects me on a regular basis.

Since late December 2006, we have noted these types of attacks where I work. After looking into it in more detail, I have seen instances of this kind of thing going back as early as 2003. But 2006 was when we began noticing a pattern of emails that contained malware-infested attachments yet still seemed very, very well written and targeted at the kinds of topics that my colleagues and I would be interested in.

It began with things like “here is an update on our new board members” or “here is the contact information we have for you, please update and send back”, supposedly sent from organizations that we were working with on various projects. They were almost good enough to fool us, but the tone and content of the emails rang false enough that we became suspicious. I began systematically tracking these emails, in an effort to see what on earth was going on. Early on, they were mostly Word files, but that has since changed to become primarily PDF files, and sometimes zip files with .chm files (a special type of HTML file developed by Microsoft for online help documents) included. Usually they come attached to the targeted email, but sometimes those emails just contain links to outside files hosted on hacked webservers.

Then in the spring of 2007, the non-profit that I work for was used as the “sender” in a big email blast with malicious attachments that really put us on notice that this was going on. That’s when I started talking to the people in the community about this, and when we started blowing the whistle on this issue to our contacts within the U.S. government.

Our good name and reputation have been used many times since then to try to spread malware. It is incredibly frustrating and scary to see your name and email address used in the From and signature fields of an email that you did not send - an email that contained a trojan-infected attachment, and that then went out to lots of people you work with and some you only know by reputation. It’s usually worse because it’s generally an email that you could potentially have sent out (in my case, usually something about the Taiwan defense conference I plan each year), so they must be watching you in some manner.

This microblog is intended as a place for me to post quickly the new examples of real, actual spear-phishing emails that I receive.

NOTE: This blog is not intended as a malware analysis blog - that niche is covered quite nicely already by the Contagio Dump and others. Rather, it is intended to raise awareness within my work community, and perhaps within the general internet community as well, that this type of activity is ongoing. Posts here are merely a potential tool for learning to recognize targeted emails using readily available information (such as SMTP headers) contained within the emails themselves.
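As an added illustration of the kind of header check described above (this is example code written for this page, not anything from the blog or its posts), the script below reads a raw message with Python's standard `email` library and flags the two things the blog keeps coming back to: a From address whose domain does not match the Return-Path or any host in the Received chain, and an attachment of a file type seen in these campaigns (Word, PDF, zip, .chm). The two sample messages and every domain and address in them are constructed placeholders, not real headers.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Attachment types the blog describes in these campaigns (Word, PDF, zip, .chm).
RISKY_EXTENSIONS = {".doc", ".pdf", ".zip", ".chm"}

# Constructed sample: the From line claims the non-profit's domain, but the
# Return-Path and the Received chain show the mail came from somewhere else,
# and it carries a .chm attachment. All names and addresses are placeholders.
SPOOFED_EMAIL = b"""Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
        by mx.recipient.example (Postfix) with ESMTP id ABC123
        for <analyst@recipient.example>; Mon, 05 May 2008 09:12:31 -0400
Received: from [203.0.113.7] (unknown [203.0.113.7])
        by mailer.example.net with SMTP; Mon, 05 May 2008 09:12:02 -0400
From: "Jane Doe" <jane.doe@nonprofit.example>
To: analyst@recipient.example
Subject: Updated contact list for the conference
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please update your details in the attached file.

--BOUNDARY
Content-Type: application/octet-stream; name="contacts.chm"
Content-Disposition: attachment; filename="contacts.chm"
Content-Transfer-Encoding: base64

AAAA
--BOUNDARY--
"""

# Constructed sample of an ordinary message from the same (placeholder) sender:
# Return-Path and first hop agree with the From domain, no attachment.
CLEAN_EMAIL = b"""Return-Path: <jane.doe@nonprofit.example>
Received: from mail.nonprofit.example (mail.nonprofit.example [198.51.100.5])
        by mx.recipient.example with ESMTP; Mon, 05 May 2008 10:00:00 -0400
From: "Jane Doe" <jane.doe@nonprofit.example>
To: analyst@recipient.example
Subject: Agenda
Content-Type: text/plain

See you Tuesday.
"""


def domain_of(addr_header):
    """Return the lower-cased domain part of an address header ('' if absent)."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def received_hosts(msg):
    """Hostnames or IPs named by 'from' in each Received header, top to bottom.

    The first entry is the hop nearest the recipient; the last is the earliest
    hop the receiving servers recorded.
    """
    hosts = []
    for hdr in msg.get_all("Received", []):
        match = re.search(r"from\s+(\S+)", str(hdr))
        if match:
            hosts.append(match.group(1).strip("[]()").lower())
    return hosts


def triage(raw_bytes):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    from_domain = domain_of(msg["From"])
    return_domain = domain_of(msg["Return-Path"])
    if from_domain and return_domain and from_domain != return_domain:
        findings.append(
            f"From domain {from_domain} differs from Return-Path domain {return_domain}")

    hosts = received_hosts(msg)
    if from_domain and not any(h.endswith(from_domain) for h in hosts):
        origin = hosts[-1] if hosts else "unknown"
        findings.append(
            f"No Received hop belongs to {from_domain}; earliest recorded hop was {origin}")

    # Attachment names are whatever the sender declared, so treat them as untrusted input.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"Attachment {name!r} is a file type seen in these campaigns")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, triage(raw) or ["no findings"])
```

The checks are deliberately simple and only use what every recipient already has in the message. A mismatch between From and the delivery path is not proof of anything on its own (mailing lists and outsourced mail services produce it legitimately), but combined with a risky attachment type and a subject that fits the sender's normal business, it is exactly the pattern the posts on this blog document, and it is a reasonable first filter before anyone opens the attachment.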

I am working directly with several security researchers on the malware we receive, and I am unable to add any more researchers to the mix - sorry.