Thanks to F-Secure's mention of some of the targeted attack emails from our collection, there has been increased interest in the content and appearance of the messages. We usually pay more attention to the malware and forget about the message itself, which is supposed to look impressive and lure recipients into opening malicious attachments. Today we present the Top Ten particularly well-crafted messages of 2009-2010. They blend in with the rest of the mail filling our mailboxes, and most are designed to look like just another newsletter or publication. Some of the messages below were posted here earlier in 2010 or 2009. Some are spoofed, while others are from free email accounts. PDF attachments are the most common, but MS Office documents are sent often too, especially during the days of unpatched vulnerabilities.
Update July 10, 2010 - Here are 10 more messages to add to the list of winners
This recent message from Russia reminded me of the targeted email design contest we had in March 2010, and I decided to add more candidates. Shall we choose one winner at the end of the year?
I would say there is a subtle evolution in the design and sophistication of the attacks, compared to the Top Ten winners posted in March 2010 (scroll down to see).
VirusTotal links show the malicious payload as it would have been detected at the time of receipt.
2. Apr 10 CVE-2010-0188 PDF Research Paper on Nuclear Posture Review 2010 and the upcoming Nuclear Security Summit
May 9 CVE-2010-0188 PDF Concept Paper.pdf from firstname.lastname@example.org
The forwarded conversation (it might be real or fake), together with a malicious attachment, is quite convincing.
8. Mar 23 CVE-2009-4324 PDF Talking Points on Chinese Currency from email@example.com
9. Mar 14 CVE-2010-0188 PDF 2010 Trade Policy Agenda from firstname.lastname@example.org
10. Mar 18 CVE-2009-4324 PDF Report on 2010 NPC Mar 18, 2010 8:53 AM
ORIGINAL TOP TEN LIST (March 2010)
VirusTotal links show the malicious payload as it would be detected these days. Most of them had a much lower antivirus detection rate at the time of receipt - compare it to the AV detection rate of one of the recent messages (CVE-2010-0188).
1 US-Taiwan Exchange Program Enhancement
2 2009 DoD ATC Procedures
3 Wolf Letter to Secretary Clinton Regarding China Human Right
4 Asking for an interview from NBC Journalist
5 Peer Review - Assessing Chinese Military Transparency
8 RSIS Commentary 54/2009 Ending the LTTE
9 The Chinese Navy's Budding Overseas Presence
10 Road Map for Asian-Pacific Security