We received so many other emails through the year that were spoofed and that carried malicious payloads of some kind. Most of them were instantly recognizable as faked, while others took a little work to identify. I quit taking screenshots of all of them after a while, but here are some representative samples:
- About F-16’s from a spoofed sender at a defense contractor with whom we work, using a fake gmail account.
- An email supposedly “from” Brookings about the dangers of mounting US-China rivalry.
- A spoofed CEIP email about revitalizing democracy assistance.
- A fake mass email about a meeting, sent out to a bunch of government employees and defense contractors. Many of the emails addresses used are the personal emails of well known China/Taiwan analysts and/or lobbyists.
- A fake email sent about an invitation ceremony to a new aerospace supply chain alliance in Taiwan.
A supposedly “secret” note about the disputed Diaouyutai islands (at a time when the issue of ownership was an issue in the media). The “sender” of the forward to me is a previous employee at an important pro-Taiwan independence NGO in Washington, D.C. It would be pretty normal for them to send us something like this, except - of course - that I knew the supposed sender no longer worked there.
Fake email “from” the deputy representative of Taiwan’s embassy about the Dalai Lama’s recent trip to Taiwan.
There were several times through the year 2010 that my colleagues and I were used as the spoofed “sender” of some of these types of emails. Apparently, I sent out a very poorly worded email about “Taiwan’s Self Defense Needs” linking to a zip file containing malicious Word files, hosted on the hacked webserver of a Canadian company selling orthopedic products! Both my colleagues got copies of that email, but I didn’t - at least they were smart enough not to send it directly to me. I contacted the Canadian company, and asked that they remove the file (and told them to let their IT people know, so they could secure their server).
Also, one of my colleagues was the supposed sender on a an email about “US-Taiwang News” [sic], which also linked to a zip file with malicious contents, hosted on the hacked webserver of a swimming association in Colorado. I contacted this organization too, asked them remove the file, and to notify their IT people that they had been hacked.
Finally, my boss was used as the “sender” for an email about Taiwan military modernization. He did write those words - they came directly from an editorial he wrote that was published in Defense News more than a year earlier. The email had a malicious PDF attached.
Copying information directly from a website and sending it out as an HTML email with a malicious attachment became a trend through the end of the year. In September, I received an email supposedly “from” my own organization, using content copied from our website, this time with information about our quarterly semiconductor report, with a malicious PDF attachment. The PDF was named “Executive Summary” because we post executive summaries of the reports on the website.
The graphics and text are taken from the Tech Products page on our website, while the contact info/open hours are taken from the contact page.
Similarly, in October, I received information about F-16:s (the topic of a report I had edited earlier in the year), with content straight off the Lockheed Martin website. Both of these emails used information and pictures from various pages on the websites (so it wasn’t as easy as just copy/pasting a single page, they were specifically crafted) and had PDF attachments containing malware.
My defense conference was in early October of 2010, and we began receiving malware-laden emails as early as in January of that year. We got quite a few of them, too many to include every single one here. But I thought I would put up two examples. On September 28, I received this email with text copied from the conference website. The text was taken directly from the introduction page on the conference site, including using the right color green for the text. It came from a specifically-crafted Yahoo address, but - curiously - didn’t have any attachments or links.
The next day, I again received an email with text copied from the conference website, this time with text taken directly from the agenda page and incorporating the background graphic from the website. This time, there was a malicious PDF attachment. Interestingly, the email was sent from the same Yahoo address, but the “return to” email was configured differently.
Also, the computer that sent the email was called “councilpc” (none of our in-house computers have that name). Not sure what that means (intended to confuse people who read headers, a dedicated computer for sending emails that are “from” us?), but it’s kind of creepy.
My 2010 Defense Conference-related targeted attacks have apparently started already, more than nine months out. Oh joy…
There were two emails from a gmail account - a user “jswang”, which is a pretty generic Chinese name. One was sent directly to me, and I was included in a mass mail for the other. The titles of these emails - see the screen shot of the direct email below, and this screen shot of the mass email - are both “US-Taiwan Defense Industry Conference 2010”, with an infected PDF file of that same name attached. Oh, and look! It’s sent from that same computer as the December 23, 2009 one - both emails are “Received: from testacb8580da5”.
We received more emails from this computer too, on January 16, a fake bio of a prominent researcher. Another email from January 13, talking about CSIST (the Taiwan military’s R&D organization), see this screenshot, was sent from user “jswang” again, at a nonexistent Taiwan government domain, and with that same “Received: from testacb8580da5” in the header.
Now I think these are still pretty sloppy, actually. Particularly the defense conference ones, given that it’s MY conference and I would know right away when an email about it isn’t real.
January 4, 2010
There are three of us in my office - my boss and I and another colleague. On the first day back to work after the holidays in 2010 - on January 4 - both my colleague and I received an email “from” our boss. The title of the email was “Please read the work plan of 2010”, with an infected PDF file called “Work_Plan_2010” attached. The email greets us with a “Happy New Year!!!” and a “Welcome Back!!!”, then asks us to look at the work plan. Luckily, the English is just slightly off, and the writing style isn’t even close, so both of us knew right away that it was a fake. Talking to my boss, he got a few bounced returns for emails sent to previous colleagues’ email addresses, so it seems like it was targeted directly at the staff (and previous staffers) of my organization. Good thing that all three of us were in the office, so it was easy enough to determine that it wasn’t real.
December 23, 2009
A spoofed email “from” a defense contractor with which we work often (although the alleged “sender” isn’t someone I know). The title of the email is “US Taiwan Statement”, with an infected PDF file of that same name attached.
I thought this was pretty sloppy at first. It seems obviously directed at us, given the title/filename, but not very well crafted at all. But then I took a look at the email headers, which say “Received: from testacb8580da5”, so perhaps it’s a proof of concept mailing rather than the final thing? All I know is that it’s looking like things are picking up again, after being very, very quiet during September/October/November. I wonder if that has anything to do with the extra harsh crackdown/blocking in China during approximately that same time? Hmm…
December 18, 2009
A spoofed email “from” an international graduate school in Singapore. The title of the email is “The Obama Doctrine and Southeast Asia by Alistair D. B. Cook”, and it encourages you to read the attached malware-infested PDF file as a commentary on Obama’s Nobel Peace Price speech on December 10. The title of the email and the name of the attachment are taken directly from the actual, real RSIS Commentary as published on the graduate school’s website.
Interestingly, this was the first of these types of spoofed emails that we have received since late September - it’s been unusually quiet. Also, the email was set to request a “read” receipt from the recipients using Outlook, something I think I’ve only seen once or twice before. I declined to send one, but if I had done so, the read receipt would have gone to a Gmail address - “Michael.email@example.com”.
I also thought it was interesting that the Michael Daly 21 email address is used for other things too. I got a malicious spam email using the tragedy in Haiti as bait for clicking on poisoned links. The message - using the subject line “Help for Haiti” - had an embedded request to send a reply message when it was deleted. And the email used there as a return address/deletion confirmation address was the same, except the last name was properly capitalized.
August 19, 2009
A spoofed email using as the “from” address the name of someone who used to work on Taiwan issues at the Department of State, and using a specially-created Gmail account in his name. The email, see this screen shot of the fake email, proclaims “China’s war games unnerve neighbors”, and tells you to read the attached malware-infested PDF file “in case this missed you”.
The title of the email and the attachment is taken from an Asia Times article published the day before the email was sent. This email was obviously sent out to a huge list of people, as you can see the other people copied on my message. It was sent from an alphabetical list of emails, as my colleagues all received the same email with a separate and alphabetically-appropriate group of copies (like mine having addresses starting with “L” and “M”).
The “U.S.-China Strategic and Economic Dialogue” was held in D.C. July 27-28, 2009. Hosted jointly by the Department of State and the Department of the Treasury, it was the hottest thing in U.S.-China relations that summer. Of course, there was lots of malware spreading using this event. I have two.
First is a screen shot of a spoofed email that I received on July 28 “from” someone at the Business Roundtable. The email contained a malware-infected PDF document that promises an analysis of the S&ED. Note that it’s specifically sent to me, using my real name in the salutation.
The second spoofed email came on July 29 as an invitation to attend a seminar at Treasury about the recently concluded S&ED. Below is a screen shot of the fake email. It looks very similar to other real event invitations that I’ve received from Treasury before, so it wouldn’t surprise me if this mimics a real invitation. There is no attachment, and the link text looks fine - it supposedly goes to a document at The Financial Management Service of Treasury. But a look at the html source for the email shows a different story - the link leads somewhere totally different.