CyberEye

Report about hacking becomes spear-phishing bait

“It was only a matter of time,” the security company Mandiant said about recent phishing attacks using its report on Chinese hacking as bait.

Mandiant released its report, “APT1: Exposing One of China’s Cyber Espionage Units” on Feb. 18, focusing on the activities of a group that the company says is responsible for a cyber espionage campaign against a broad range of Western companies and governments over the last seven years. The report immediately attracted worldwide attention, not all of it benign. Within two days, two apparently unrelated phishing attacks were identified using the report as bait.

“We are currently tracking the threat actors behind the activity and have no indication that APT1 itself is associated with either variant,” Mandiant wrote in its response. “Mandiant has not been compromised.”

The first attack, reported by Symantec, appears to be aimed at Japanese targets with an e-mail attachment titled “Mandiant.pdf.” When opened, the attachment displays the first page of the report, but also delivers malicious code exploiting a vulnerability in Adobe Reader. A patch for the vulnerability was released Feb. 20. The malware communicates with a command and control server hosted in Korea.

The second attack was identified by researcher Brandon Dixon and targets Chinese journalists with an attachment titled “Mandiant_APT2_Report.pdf.” When opened, it exploits another Adobe Reader vulnerability. The malicious code connects to a domain associated with earlier attacks against human rights activists.

The attacks are another example of how attacks are being refined for specific targets. Scammers have often exploited viral Internet topics in wide-scale phishing scams, trying to lure people into clicking on malicious links purportedly related to Steve Jobs’ death, an on-court outburst by tennis star Serena Williams or photos of Osama bin Laden. Now, targeted spear-phishing attacks are being used against journalists reporting on a report about hacking.

The advice is old, but bears repeating: Be careful opening attachments. Hashes for the malicious PDF files are available on the researchers’ blogs. The hash for the genuine report is available from Mandiant’s download site. If you’d like to read the report, download it yourself. Don’t wait for someone to e-mail it to you.
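As an added illustration of that last piece of advice (example code written for this post, not from Mandiant, Symantec or the researchers the article cites): a small Python checker that hashes a downloaded PDF and compares it against the published hash of the genuine report and the published hashes of the two malicious lures. The hash values in the sets are placeholders, since the article does not reproduce any of them; the `%PDF-` header check and the verdict names are my own additions, not something the article describes.

```python
"""Check a downloaded 'report' PDF against published hashes (added example)."""
import hashlib
import sys

# Placeholders: the article says Mandiant publishes the hash of the genuine
# report and the Symantec and Brandon Dixon write-ups publish the hashes of
# the malicious PDFs, but it does not reproduce them. Substitute the published
# values before relying on this script.
KNOWN_GOOD_SHA256 = {"PLACEHOLDER_SHA256_OF_GENUINE_APT1_REPORT"}
KNOWN_BAD_SHA256 = {
    "PLACEHOLDER_SHA256_OF_Mandiant.pdf_LURE",
    "PLACEHOLDER_SHA256_OF_Mandiant_APT2_Report.pdf_LURE",
}

# Every real PDF begins with this header; an attachment named *.pdf that does
# not is worth a second look even if its hash is not on any list (assumption
# of this example, not a claim from the article).
PDF_MAGIC = b"%PDF-"


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 hex digest of a file, read in chunks so large PDFs fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest: str, header: bytes,
             good=KNOWN_GOOD_SHA256, bad=KNOWN_BAD_SHA256) -> str:
    """Return a verdict for a file given its SHA-256 and its leading bytes.

    A known-malicious hash always wins; then an exact match against the
    published good hash; then a structural sanity check on the header.
    Hash comparison is case-insensitive because published digests vary.
    """
    d = digest.lower()
    if d in {b.lower() for b in bad}:
        return "known-malicious"
    if d in {g.lower() for g in good}:
        return "genuine"
    if not header.startswith(PDF_MAGIC):
        return "unknown-not-a-pdf"
    return "unknown"


def classify_bytes(data: bytes, good=KNOWN_GOOD_SHA256, bad=KNOWN_BAD_SHA256) -> str:
    """Classify an attachment already held in memory (handy for mail filters)."""
    return classify(sha256_bytes(data), data[:len(PDF_MAGIC)], good, bad)


def classify_file(path: str, good=KNOWN_GOOD_SHA256, bad=KNOWN_BAD_SHA256) -> str:
    """Classify a file on disk without reading it twice into memory."""
    with open(path, "rb") as f:
        header = f.read(len(PDF_MAGIC))
    return classify(sha256_file(path), header, good, bad)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name in sys.argv[1:]:
            print(f"{name}: {classify_file(name)}")
    else:
        # Constructed sample bytes, not the real report or either lure.
        sample = b"%PDF-1.4\n% constructed sample document\n"
        print("sample:", classify_bytes(sample, good={sha256_bytes(sample)}, bad=set()))
```

Run it as `python check_report.py Mandiant.pdf` once the placeholder hashes are replaced. A verdict of "unknown" is not a clean bill of health; it only means the file matches neither list, which is exactly the case the article's advice covers: get the report from the source rather than from an attachment.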

Posted by William Jackson on Feb 25, 2013 at 9:39 AM
