Threats from Message Threads: A Cautionary Tale of IT Security

Updated: August 20, 2012

Consider the following e-mail message thread, which made its way through recently. Please do NOT click on ANY of the links in the e-mail thread, for reasons that will become abundantly clear.


[Message thread begins.]

-----Original Message-----

From: Andrew Mosson

Sent: Tuesday, May 04, 2010 10:01 AM

To: Chris Nordman

Cc: Scott Albro

Subject: Fw: Adobe Security Update

Chris,

Just received this important information about a security vulnerability that requires our immediate attention.

Kindly follow the instructions in the email as forwarded as soon as possible.

Regards,

Andrew Mosson

CTO

--- On Fri, 04/30/2010, Scott Albro wrote: ---

From: Scott Albro

To: Andrew Mosson

Subject: Fw: Adobe Security Update

Date: Friday, April 30, 2010, 3:13 PM

Andrew,

Our systems are at risk. Forward the information below to the people we talked about.

All systems will independently be checked, so make sure the instructions are followed as specified to avoid any problems.

A step by step [sic] instruction manual, sent by Adobe Risk Management, is included below.

Scott

--- On Fri, 4/30/10, James Kitchin wrote: ---

From: James Kitchin

To: Scott Albro

Subject: Adobe Security Update

Date: Friday, April 30, 2010, 11:24 AM

Broadcast message:

Adobe has issued a directive which states that all systems running their software should be patched for the latest security glitch.

The CVE-2010-0193 Denial of Service Vulnerability has recently been discovered on several systems running the previously released version of the software, which has been further documented on security sites such as http://www.securityfocus.com/bid/39524.

It is strongly advised that all systems running the Adobe software is updated with the latest security patch to avoid further situations hampering the security and integrity of the system. Failure to follow the directive would mean that any loss which occurs due to the negligence will be a liability of the company and not Adobe. The link to update the system with the latest patch and instructions are provided below:

Download the instructions here: http://64.218.40.74/adobe/update.pdf

To start the update process and download the installation file, click here: http://64.218.40.74/adobe/adbp932b.exe

(READ FIRST THE INSTRUCTIONS BEFORE UPDATING THE SYSTEM)

James Kitchin

Adobe Risk Management

345 Park Avenue

San Jose, CA 95110-2704

Tel: 408-537-6000


---

Disclaimer:

This e-mail message and information contained in or attached to this message is privileged, confidential, and protected from disclosure and is intended only for the person or entity to which it is addressed. Any review, re-transmission, dissemination, printing or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited.

[Message thread ends.]


Nothing remarkable about the above thread - until and unless you realize that neither Andrew Mosson nor Scott Albro ever sent any of these messages, and that "James Kitchin" of Adobe does not appear to exist. (The phone number listed for "Adobe Risk Management" is actually the fax number of Adobe Systems' headquarters, which are in fact at 345 Park Avenue in San Jose, CA.)

The core of the message thread is an attempt to get the recipients of the e-mails to click on the links to the supposed instructions and the alleged software patch. Either or both are likely to initiate the download of a virus or other malware. (The IP address in the link to the alleged "installation file" belongs to a company called "Maass Flange Corp." in Houston, TX, "a fully integrated, forging and machining manufacturer of domestic and import stainless and alloy flanges," according to that legitimate company's Web site.)

The bottom line: someone apparently used sophisticated tools to figure out our corporation's organizational structure. That someone then identified and "cloned" legitimate user names and e-mail addresses, and used them to craft the above attempt at "social engineering." The miscreant in question also appears to have used "bot" software to hijack a legitimate server, or at least its IP address, to deliver malware to unsuspecting victims of his or her social engineering attempts. And if they could do it to our company, they can do it to yours too.
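The tells described above - links whose host is a bare IP address rather than a vendor domain, a link that points straight at an executable, and a vendor's name appearing in the URL path while the host has nothing to do with that vendor - can be checked mechanically before anyone is tempted to click. The following Python script is an added example, not part of the original post; it extracts the URLs from a message body and reports those traits. The three URLs from the thread are embedded as the sample input, and nothing is ever fetched. The legitimate vendor domain (`adobe.com`) and the list of executable extensions are the example's own assumptions.

```python
"""
Phishing-indicator scan for URLs in an e-mail body.

Added example (not from the original post). It extracts URLs from a message
body and flags three traits of the thread above: a bare IP address as the
host, a link that ends in an executable, and a vendor name in the path while
the host is not under that vendor's domain. No URL is ever fetched.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# The URLs exactly as they appear in the forwarded thread (input only, never fetched).
SAMPLE_BODY = """
...documented on security sites such as http://www.securityfocus.com/bid/39524.
Download the instructions here: http://64.218.40.74/adobe/update.pdf
To start the update process, click here: http://64.218.40.74/adobe/adbp932b.exe
"""

URL_RE = re.compile(r"""https?://[^\s<>()"']+""", re.IGNORECASE)

# Assumed list of extensions that a "patch" link should never point at directly.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".com", ".pif",
                         ".msi", ".hta", ".js", ".vbs")


@dataclass
class Finding:
    url: str
    reasons: List[str] = field(default_factory=list)


def host_is_bare_ip(host: str) -> bool:
    """True when the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def host_under_domain(host: str, domain: str) -> bool:
    """True when host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def extract_urls(body: str) -> List[str]:
    """Pull http(s) URLs out of free text, dropping sentence punctuation."""
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(body)]


def analyze_urls(body: str, brand: str = "adobe",
                 brand_domain: str = "adobe.com") -> List[Finding]:
    """Return one Finding per URL that shows at least one suspicious trait.

    brand/brand_domain describe the vendor the message claims to speak for
    (assumed here to be Adobe at adobe.com).
    """
    findings: List[Finding] = []
    for url in extract_urls(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        reasons: List[str] = []
        if host_is_bare_ip(host):
            reasons.append("host is a bare IP address, not a vendor domain")
        if path.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("link points directly at an executable")
        if brand in path and not host_under_domain(host, brand_domain):
            reasons.append(f"'{brand}' appears in the path but host is not under {brand_domain}")
        if reasons:
            findings.append(Finding(url, reasons))
    return findings


if __name__ == "__main__":
    for finding in analyze_urls(SAMPLE_BODY):
        print(finding.url)
        for reason in finding.reasons:
            print("   -", reason)
```

Run against the sample body, the SecurityFocus reference passes cleanly, the "instructions" PDF is flagged on two counts (bare IP host, vendor name in the path of a non-vendor host), and the "installation file" is flagged on all three. A mail gateway rule or a user-facing link checker built on the same heuristics would have surfaced this thread before the first click.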
