April 26 - Fake Middle East Report
Another day, another poisoned PDF attachment. The supposed sender is someone we work with quite often, who is well known in the community. You can see that someone just used a common misspelling of his first name, then created a Gmail address using that spelling. The “To” address is a real address to a fairly high level executive within his Asia-related, high-profile NGO.
I was intrigued by this one, because it seems like one of the attachments, “US OSAC Report”, is completely clean, at least according to VirusTotal (I didn’t open it to find out). It’s the other one, called “Middle East Civil Unrest”, that is clearly malicious (22.5% detection on VirusTotal). The subject line, as well as most of the actual text of the email, comes straight from a real report released under the auspices of the U.S. Department of State’s Bureau of Diplomatic Security (OSAC = Overseas Security Advisory Council, a joint government/industry security project). The real document was released as a “Global Security Report” on April 19 (scroll down; you can’t link to it directly as it’s behind a login).
The email was signed with a correct nickname, and someone had added “Please open the attached document to view the full report and its content” to the other text copied straight off the OSAC website. I have to wonder if this is a copy of a real email that the person had sent out with the real OSAC report attached, which was then co-opted and re-sent out with the added malicious attachment. Or it could just be that someone is really good at pulling one of these together, I suppose.
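The sender trick in this entry (a colleague’s name with a misspelled first name on a fresh Gmail account, aimed at a real executive) is mechanical enough to screen for. The following is an added example, not code from the original post: it checks a From: header against a small constructed address book and flags a display name that matches a known contact but arrives from a different address, and a free-mail local part that is a known contact’s name or a one-letter misspelling of it. The contact names, addresses and free-mail domain list are assumptions for the example.

```python
import re
from email.utils import parseaddr

# Constructed address book of real contacts: names and addresses are
# placeholders for this example, not the people in the post.
KNOWN_CONTACTS = {
    "jonathan smith": "jsmith@example-ngo.org",
    "mei-ling chen": "mchen@example-thinktank.org",
}

# Free-mail providers where a "colleague" suddenly turning up is a red flag
# (assumed list; extend to whatever your address book never uses).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def _tokens(s):
    """Lower-case alphabetic chunks: 'Mei-Ling Chen' -> ['mei', 'ling', 'chen']."""
    return [t for t in re.split(r"[^a-z]+", s.lower()) if t]


def _edit_distance(a, b):
    """Levenshtein distance; used to catch one-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, contacts=KNOWN_CONTACTS):
    """Return (kind, detail) findings for one From: header; [] if nothing looks off."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return [("unparseable", from_header)]
    local, _, domain = addr.partition("@")
    display_key = " ".join(_tokens(display))
    findings = []

    # 1. The display name is a known contact, but the address is not that contact's.
    for name, real_addr in contacts.items():
        if display_key == " ".join(_tokens(name)) and addr != real_addr:
            findings.append(("display_name_mismatch",
                             f"{display!r} is {real_addr}, not {addr}"))

    # 2. On a free-mail domain, the local part is a contact's name or a
    #    one-letter misspelling of it (the "jonathon" for "jonathan" trick).
    if domain in FREEMAIL_DOMAINS:
        for name in contacts:
            for name_tok in _tokens(name):
                if len(name_tok) < 4:
                    continue  # "mei", "bob": too short to mean anything
                for local_tok in _tokens(local):
                    if (abs(len(local_tok) - len(name_tok)) <= 1
                            and _edit_distance(local_tok, name_tok) <= 1):
                        findings.append(("lookalike_local_part",
                                         f"{local!r}@{domain} resembles contact {name!r}"))
    return findings


if __name__ == "__main__":
    for hdr in ('"Jonathan Smith" <jonathon.smith@gmail.com>',
                '"Jonathan Smith" <jsmith@example-ngo.org>',
                'Bob Jones <bobjones@gmail.com>'):
        print(hdr, "->", check_sender(hdr))
```

The one-letter tolerance is deliberate: “jonathon” for “jonathan” is exactly the misspelling this entry describes, while larger distances produce noise on short or common names, which is also why tokens under four letters are skipped.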
April 13 - Fake US Naval Institute
It’s been quiet for a while, but we got three today! Guess the Adobe 0-day is keeping people busy? This email comes “from” the US Naval Institute, and is text copied directly from a cool article on the USNI website (but without the awesome pictures). The supposed sender is probably the first person they could find on the USNI website with full contact info - it’s the info of an advertising manager. The malicious attachment is a PDF, which has about 40% coverage on VirusTotal. I thought this was sort of sloppy and weird, and it only went to the main email for my NGO. But the original article is really fun, at least!!
March 2, 2011
I got this email overnight. Unusually, it’s a malicious Excel file attachment (coverage at VirusTotal is 18.6%), not the normal Word or PDF file. The supposed “bio” (silly to try to pass off a .xls file as a biography) is for a prominent researcher at CSIS. Mr. C won’t be attending any more meetings. He is now retired from DSCA (the organization within the U.S. DOD that oversees security cooperation programs), where he was the person in charge of Taiwan.
According to the email headers, this was “Received: from 220.127.116.11 by mail.moeaic.gov.tw with Mail2000 ESMTP ServerV3.20S (3373:0:AUTH_LOGIN) (envelope-from <email@example.com>).” Mail.moeaic.gov.tw is the perfectly legitimate website management system for the Investment Commission of Taiwan’s Ministry of Economic Affairs (MOEA). It’s possible that this is a bastardized version of a real email, perhaps stored on their webmail servers. I guess it’s been compromised, given the “AUTH_LOGIN” line, so I forwarded this to someone I know at MOEAIC. I’m not sure why you would use the Yahoo address as sender here, though.
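The header quoted above carries three things worth pulling out automatically: the client IP the relay received the message from, the relay itself, and the AUTH_LOGIN marker showing that the client logged in to that relay rather than delivering anonymously as another MX would. Below is an added example (not the writer’s own tooling) that parses a Received: chain and flags an authenticated submission whose sender domain is unrelated to the accepting relay, which is the pattern of a free-mail sender injected through someone else’s webmail account. The message, host names, IPs and addresses are constructed placeholders modelled on the quoted header; the ESMTPA/ESMTPSA markers are what Postfix and sendmail write for the same condition.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the header quoted above. The IP, relay host
# and addresses are documentation placeholders, not the real ones.
SAMPLE = """\
Received: from 192.0.2.10
 by mail.example.gov.tw with Mail2000 ESMTP ServerV3.20S (3373:0:AUTH_LOGIN) (envelope-from <bio.sender@freemail.example>)
From: "Mr. C" <bio.sender@freemail.example>
To: analyst@ngo.example
Subject: Bio

See attached.
"""

# Constructed benign counterpart: authenticated, but the sender belongs to the relay.
BENIGN = """\
Received: from 192.0.2.20 by mail.example.gov.tw with ESMTPSA (envelope-from <staff@example.gov.tw>)
From: staff@example.gov.tw
Subject: Hello

Hi.
"""

# Markers meaning the submitting client authenticated to the relay:
# Mail2000 writes AUTH_LOGIN; Postfix and sendmail write ESMTPA / ESMTPSA.
AUTH_RE = re.compile(r"AUTH_LOGIN|\bESMTPS?A\b")


def parse_received(value):
    """Pull client, relay, auth flag and envelope sender out of one Received: value."""
    v = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+([^\s()]+)", v)
    m_by = re.search(r"\bby\s+([^\s()]+)", v)
    m_env = re.search(r"envelope-from\s+<?([^\s<>]+)>?", v)
    return {
        "from": m_from.group(1) if m_from else None,          # client that handed it in
        "by": m_by.group(1).lower() if m_by else None,        # relay that accepted it
        "authenticated": bool(AUTH_RE.search(v)),
        "envelope_from": m_env.group(1).lower() if m_env else None,
    }


def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def analyze(raw):
    """Walk the Received: chain (top = last hop, bottom = first hop) and report
    whether the originating hop was an authenticated submission whose sender
    domain is unrelated to the relay that accepted it."""
    msg = message_from_string(raw)
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    origin = hops[-1] if hops else None
    result = {"hops": hops, "authenticated_submission": False,
              "sender_matches_relay": None}
    if origin and origin["authenticated"] and origin["by"]:
        result["authenticated_submission"] = True
        sender = origin["envelope_from"] or parseaddr(msg.get("From", ""))[1]
        sender_domain = _domain_of(sender)
        relay = origin["by"]
        # A relay for example.gov.tw is expected to carry example.gov.tw senders,
        # not free-mail ones; a mismatch is what the post's header shows.
        result["sender_matches_relay"] = (
            relay == sender_domain or relay.endswith("." + sender_domain))
    return result


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE), ("benign", BENIGN)):
        print(label, analyze(raw))
```

The bottom-most Received: line is the one that matters here: it is the hop the message was injected at, and the only one whose authentication marker says anything about who held credentials. Headers above it were added by later relays and say nothing about the submitter.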
March 1, 2011
My colleagues both got this email, but I didn’t. It’s a forward “from” a State Department email, supposedly itself forwarding information about important Taiwan government contacts in an email from Taiwan’s Ministry of Foreign Affairs. I have no doubt that the information in the email text is correct, but there is also an attached .rar file that is malicious (Virustotal shows 14% coverage). Received from IP 18.104.22.168.
December 9, 2010
This was a weird one, also sent directly to me. It looks like it could be a copy of a real email sent from a staff member of a Congressperson, sending along a resume for consideration. Obviously not a real email, as the greeting is for “John”, not me. It contains a malicious Word file attachment. The sender is from a Yahoo address, mimicking the normal house.gov style of email addresses. I sent a note to the real house.gov email in the signature, telling her about the use of her name. But it bounced - I guess it’s no longer a valid email.
We received so many other emails through the year that were spoofed and that carried malicious payloads of some kind. Most of them were instantly recognizable as faked, while others took a little work to identify. I quit taking screenshots of all of them after a while, but here are some representative samples:
- About F-16s from a spoofed sender at a defense contractor with whom we work, using a fake Gmail account.
- An email supposedly “from” Brookings about the dangers of mounting US-China rivalry.
- A spoofed CEIP email about revitalizing democracy assistance.
- A fake mass email about a meeting, sent out to a bunch of government employees and defense contractors. Many of the email addresses used are the personal emails of well known China/Taiwan analysts and/or lobbyists.
- A fake email sent about an invitation ceremony to a new aerospace supply chain alliance in Taiwan.
- A supposedly “secret” note about the disputed Diaoyutai islands (at a time when ownership of the islands was an issue in the media). The “sender” of the forward to me is a previous employee at an important pro-Taiwan independence NGO in Washington, D.C. It would be pretty normal for them to send us something like this, except - of course - that I knew the supposed sender no longer worked there.
- A fake email “from” the deputy representative of Taiwan’s embassy about the Dalai Lama’s recent trip to Taiwan.
May 5, 2010
In May of 2010, the Secretary of Health and Human Services was traveling to the World Health Assembly meeting in Switzerland and to China for the U.S.-China Strategic and Economic Dialogue. In early May, I received this very detailed internal memo, with an attached “draft plan” in a .rar file, supposedly “from” the person handling Asia affairs inside HHS. We had no involvement in any of this, so it was obvious right away that it was fake. The list of people copied on the email was very small, only nine people, of both China-focused and Taiwan-focused members of the community. I contacted HHS about this, and they apparently already had their internal IT people working on figuring out how this very substantial working memo came into the hands of malicious actors.
August 19, 2009
A spoofed email using as the “from” address the name of someone who used to work on Taiwan issues at the Department of State, and using a specially-created Gmail account in his name. The email (see this screen shot of the fake email) proclaims “China’s war games unnerve neighbors”, and tells you to read the attached malware-infested PDF file “in case this missed you”.
The title of the email and the attachment is taken from an Asia Times article published the day before the email was sent. This email was obviously sent out to a huge list of people, as you can see the other people copied on my message. It was sent from an alphabetical list of emails, as my colleagues all received the same email with a separate and alphabetically-appropriate group of copies (like mine having addresses starting with “L” and “M”).
The “U.S.-China Strategic and Economic Dialogue” (S&ED) was held in D.C. July 27-28, 2009. Hosted jointly by the Department of State and the Department of the Treasury, it was the hottest thing in U.S.-China relations that summer. Of course, there was lots of malware spreading using this event. I have two.
First is a screen shot of a spoofed email that I received on July 28 “from” someone at the Business Roundtable. The email contained a malware-infected PDF document that promises an analysis of the S&ED. Note that it’s specifically sent to me, using my real name in the salutation.
The second spoofed email came on July 29 as an invitation to attend a seminar at Treasury about the recently concluded S&ED. Below is a screen shot of the fake email. It looks very similar to other real event invitations that I’ve received from Treasury before, so it wouldn’t surprise me if this mimics a real invitation. There is no attachment, and the link text looks fine - it supposedly goes to a document at the Financial Management Service of Treasury. But a look at the HTML source for the email shows a different story - the link leads somewhere totally different.
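The link trick in this invitation (visible text naming a Treasury URL, an href pointing somewhere else entirely) can be caught without opening anything. The following is an added example, not from the original post: it parses an HTML body, compares the host named in each link’s visible text with the host the href actually resolves to, and also handles the user-info trick where http://good.example@evil.example resolves to evil.example. The HTML body and all hosts in it are constructed placeholders, not the real Treasury or attacker addresses.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body in the style of the invitation described above.
# Hosts are documentation placeholders, not the real Treasury or attacker hosts.
SAMPLE_HTML = """
<p>The agenda is posted at
<a href="http://203.0.113.7/dl/agenda.exe">www.fms.example.gov/sed/agenda.pdf</a>.</p>
<p>Register at <a href="https://www.fms.example.gov/sed/register">https://www.fms.example.gov/sed/register</a>.</p>
<p>Directions: <a href="http://www.fms.example.gov@198.51.100.9/x">www.fms.example.gov</a></p>
<p><a href="https://www.fms.example.gov/about">About the Service</a></p>
"""

# Visible text that a reader would take as a URL: optional scheme, a dotted host, optional path.
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL or bare 'host/path' string, as a browser would resolve it.
    User-info before '@' is discarded, so http://good.example@evil.example -> evil.example."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def find_deceptive_links(html):
    """Return links whose visible text names one host but whose href goes to another."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        text = text.rstrip(".")
        if not href or not URL_LIKE.match(text):
            continue  # "About the Service": no host in the text to compare against
        shown, actual = host_of(text), host_of(href)
        # Tolerate subdomain differences (example.gov vs www.example.gov), nothing else.
        same_site = (actual == shown or actual.endswith("." + shown)
                     or shown.endswith("." + actual))
        if not same_site:
            findings.append({"text": text, "href": href,
                             "shown_host": shown, "actual_host": actual})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_HTML):
        print(f"text says {f['shown_host']}, href goes to {f['actual_host']}: {f['href']}")
```

Only links whose visible text reads as a URL are compared; a link labelled “click here” cannot be a mismatch in this sense, though it deserves the same hover-and-read-the-status-bar habit. The subdomain tolerance keeps www.example.gov against example.gov quiet while still catching a different registrable domain or a bare IP.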