November 16 - “The Most Se*y Staff in Thales”
I’m just posting this to show the sometimes unintentionally hilarious and weird world I live in. In the early 1990:s, Taiwan bought some LaFayette fighters from France. The whole thing turned into a scandal involving bribery and death - see this BBC article for more. The Taiwan government received some of the bribery money back from France in 2007, but they are still trying to recoup some of it. The French company involved in the scandal was Thomson-CSF, which now is called Thales.
That’s the background of why this otherwise rather pedestrian “using unclothed women as a lure to get people to open malicious files” email still feels related to some of the other stuff we see, particularly as the originating IP (184.108.40.206) is from Hinet (Taiwan’s largest ISP) and the same IP address as in an August 16 entry.
(* instead of x avoid the inevitable crap visits you get when using that word online…)
October 20 - Fake Taipei Event Registration
This was pretty well done. It’s an invitation to attend and to register for an event in Taipei, jointly held by three of the most prominent foreign trade associations in Taiwan. The event itself is real. The supposed sender is the real event coordinator, and someone with whose name I’m familiar - we work extensively with her organization. The email was sent to three people - me, my boss, and a former colleague - it was the inclusion of that colleague (with a long-retired email address) that tipped me off right away.
The email used the information straight from the website of the real event, but the “sender” uses a well-named yahoo.com email address instead of the person’s real email - another indicator. The email had two attachments - one called “Registration Form.doc” and one called “AmCham BCCT ECCT Joint Luncheon.pdf.” The PDF document had an 11/42 (26.2%) detection rate at VirusTotal, while the Word document was 8/42 (19.0%). (From what I can gather from the detections, the Word file is set to utilize the CVE-2010-3333 “RTF Stack Buffer Overflow” vulnerability in Office.)
Email Subject: AmCham / BCCT / ECCT Joint Luncheon
Attachment MD5 (Word): c4b130ab3dd60b94e0e3a9edb589b735
Attachment MD5 (PDF): b2157f975ae5fbc26a2d97b2af94dc08
Received from: 220.127.116.11
About This Blog
This tumblelog is the extension of a post on my “regular” blog, because that post was getting unwieldy with examples.
I want to highlight the general issue of socially engineered and specifically targeted malware and trojans being spread through crafted spear-phishing emails, because it’s something that affects me on a regular basis.
Since late December, 2006, we have noted these types of attacks where I work. After looking into it in more detail, I have seen instances of this type of stuff going back to as early as 2003. But in 2006 was when we began noticing a pattern of emails that contained malware-infested attachments but that still seemed very, very well written and targeted towards the kinds of topics that my colleagues and I would be interested in.
It began with things like “here is an update on our new board members” or “here is the contact information we have for you, please update and send back” supposedly sent from organizations that we were working with on various projects. They were almost good enough to fool us, but the tone and content of the emails rang false enough that we became suspicious. I began systematically tracking these emails, in an effort to see what on earth was going on. Early on, they were mostly Word files, but that has since changed to become primarily PDF files, and sometimes zip files with .chm (a special type of html files developed by Microsoft for online help documents) files included. Usually they come attached to the targeted email, but sometimes those emails just contain links to outside files hosted on hacked webservers.
Then in the spring of 2007, the non-profit that I work for was used as the “sender” in a big email blast with malicious attachments that really put us on notice that this was going on. That’s when I started talking to the people in the community about this, and when we started blowing the whistle on this issue to our contacts within the U.S. government.
Our good name and reputation has been used many times since then to try to spread malware. It is incredibly frustrating and scary to see your name and email address used in the from and signature fields in an email that you did not send - an email that contained a trojan-infected attachment, and that then went out to lots of people you work with and some you only know by reputation. It’s usually worse because it’s generally an email that you could potentially have sent out (in my case, usually something about the Taiwan defense conference I plan each year), so they must be watching you in some manner.
This microblog is intended as a place for me to post quickly the new examples of real, actual spear-phishing emails that I receive.
NOTE: This blog is not intended as a malware analysis blog - that niche is covered quite nicely already by the Contagio Dump and others. Rather, it is intended to raise awareness within my work community, and perhaps within the general internet community as well, that this type of activity is ongoing. Posts here are merely a potential tool for learning to recognize targeted emails using readily available information (such as SMTP headers) contained within the emails themselves.
I am working directly with several security researchers on the malware we receive, and I am unable to add any more researchers to the mix - sorry.