October 20 - Fake Taipei Event Registration
This was pretty well done. It’s an invitation to attend and to register for an event in Taipei, jointly held by three of the most prominent foreign trade associations in Taiwan. The event itself is real. The supposed sender is the real event coordinator, and someone with whose name I’m familiar - we work extensively with her organization. The email was sent to three people - me, my boss, and a former colleague - it was the inclusion of that colleague (with a long-retired email address) that tipped me off right away.
The email used the information straight from the website of the real event, but the “sender” uses a well-named yahoo.com email address instead of the person’s real email - another indicator. The email had two attachments - one called “Registration Form.doc” and one called “AmCham BCCT ECCT Joint Luncheon.pdf.” The PDF document had an 11/42 (26.2%) detection rate at VirusTotal, while the Word document was 8/42 (19.0%). (From what I can gather from the detections, the Word file is set to utilize the CVE-2010-3333 “RTF Stack Buffer Overflow” vulnerability in Office.)
Email Subject: AmCham / BCCT / ECCT Joint Luncheon
Attachment MD5 (Word): c4b130ab3dd60b94e0e3a9edb589b735
Attachment MD5 (PDF): b2157f975ae5fbc26a2d97b2af94dc08
Received from: 126.96.36.199