North Korean Economy Watch

I have now been notified by four individuals about recent hacking attempts.  I have posted the emails these individuals received below.  There are four different messages.  I am happy to post these types of attacks, but if you receive one, please consult with an IT professional about obtaining the “email header”. This is what is most valuable to IT security professionals.  Please send me the “email header” to post (see below for an example).

Below are the four malicious emails of which I am aware:

Email 4: Targeted at one known individual

From: Suzan Park
Date: Fri, May 27, 2011 at 7:02 AM
Subject: interview questions
To:

Hi, this is Park of NCN News.
We are producing a documentary on “International Status of Northeast Asian Countries in Perspective of Soft Power”.
I was informed you are professional in this field.
It would be grateful if you could answer the interview questions about this documentary.

Documentary & Questions Link is here : Focusing on Current Situations of North Korea

Best regards!
Park

The phrase “Focusing on Current Situations of North Korea”  links to “ncnbroadcasting.reportinside.net/producer/2011FocusingOnDPRK.hta”.

The header for this email can be found below

Email 3: Targeted at one known individual

From: Pam Benson <pbenson261@yahoo.com>

Date: Tue, May 17, 2011 at 8:08 AM

Subject: FW: Kim Il Sung:the Great Hero of Mankind(ask your comments)

To: [DELETED]

I am forwarding the feature column : “Kim Il Sung: the Great Hero of Mankind”.

This writing concerns his great achievements.

The column is very realistic and beautiful.

I guess everyone who reads this column is impressed with his history.

I wonder what you think about this writing.

Thanks.

Sincerely Yours.

Attached to this email is a MS Word document titled, “Great Leader Kim Il Sung.doc”.  Do not open this attachment.

Email 2: Targeted at two known individuals

From: David L <l_david19@yahoo.com>

To:

Date: Thu, 12 May 2011 00:58:07 -0700 (PDT)

Subject: final draft

It’s been a long time since I last corresponded with you.

How have you been? I hope everything is well with you, your family.

Finally, The final draft was complete yesterday.

It will be announced next Month after collecting more opinions from experts in the field.

The Current Situation and Future Prospects in Northeast Asia : JAPAN, NORTH KOREA, SOUTH KOREA, CHINA

I look forward to sharing my insights with you once I receive your assessment.

I hope to hear from you soon .

Sincerely Yours,

David in Japan

The title underlined above was actually a link to the following: http://reportinside.net/draft/fainaldraft_201105.htaXX ( I added the XX at the end to prevent anyone from accidentally linking to the server).

Email 1: Targeted at one known individual

From:

Date: 2011/4/13

Subject: contact list

To:

Prof.

attach contact list

교수님

학회 명단 첨부합니다.

The email contained an attached MS Word document which contained the virus.

Keep your eyes open folks.  This has happened before.

Here is the header information from Email #4:

Delivered-To: XXXXX
Received: by 10.229.245.145 with SMTP id lu17cs38890qcb;
Thu, 26 May 2011 23:02:14 -0700 (PDT)
Received: by 10.42.167.200 with SMTP id t8mr2928768icy.270.1306476134254;
Thu, 26 May 2011 23:02:14 -0700 (PDT)
Return-Path: <suzan.park7@yahoo.com>
Received: from nm2-vm3.bullet.mail.ne1.yahoo.com (nm2-vm3.bullet.mail.ne1.yahoo.com [98.138.91.132])
by mx.google.com with SMTP id c8si774389icw.1.2011.05.26.23.02.12;
Thu, 26 May 2011 23:02:13 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of suzan.park7@yahoo.com designates 98.138.91.132 as permitted sender) client-ip=98.138.91.132;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of suzan.park7@yahoo.com designates 98.138.91.132 as permitted sender) smtp.mail=suzan.park7@yahoo.com; dkim=pass (test mode) header.i=@yahoo.com
Received: from [98.138.90.53] by nm2.bullet.mail.ne1.yahoo.com with NNFMP; 27 May 2011 06:02:12 -0000
Received: from [98.138.89.244] by tm6.bullet.mail.ne1.yahoo.com with NNFMP; 27 May 2011 06:02:12 -0000
Received: from [127.0.0.1] by omp1058.mail.ne1.yahoo.com with NNFMP; 27 May 2011 06:02:12 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 857277.490.bm@omp1058.mail.ne1.yahoo.com
Received: (qmail 59400 invoked by uid 60001); 27 May 2011 06:02:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1306476132; bh=pWoXMwYQ8EQcw2SLEczW6rjq1nhYdsj2Kx5S4gyJuZI=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=0wiJUxWnvCC4IzzFHsyk0chyhsI4tWNBXoJZqBhLjWBL396QPFHxId3IRmX0a79NWidPt4WpZ+CmcDW+vSMAJLRccylXv1rjEP+DHesFRkOp9B5ooez1XbEe3bYxe2WcMJDznkMBTFzrJTZo2YimAzeFP+rTB33W9maiEHM51CE=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
b=YCHpgXo+4TyIJbp17UXBhvIE+DNI0DmU/hQZXy83JsEAN5leR5GSEmCsdI4SZzQZd2uOgGCP/C95CjsOQXNAo2PL/RGa0ybIj5JUO5AY7TEGIevZc9sfgS5C/aO+lHbkUi+dMj7sODIrmLlwMZk+HLZ3hyeQkNF9y+oHcLZJm/Q=;
Message-ID: <784855.55224.qm@web125220.mail.ne1.yahoo.com>
X-YMail-OSG: lnJOtxwVM1lRvwYV6FMNXyRQpqXH7El4eV82aOjgSG5w3sb
ESapHq6xLclsgpoEhJUOLX8HmdpHemC3l52xKBvh9hSOJoMXzs4caBgMJDJQ
IL03HLjG7xI4ViVYuvivjNFohW8Ecc_bvnVFI1IpAHdstYZuh8671c324VGl
8sJGLjfIEwlxjrC7muzGTBv26vRIZTLoejFYKARccUQw7_qbZM5ga1Gq7pyh
Aj2H3BZQGhQh08HuCcXSB1E9GyQ_N_Nwy4qSF1mSPxQUtamiEXDWypdceD14
iOArQPgs2NsH2.EmvKzszMl96XzlH8Pul4K8H9D.B3OrgxtOT2GraQUykvxx
fve4Xk94YY68VUpRePvkCpXMr.P5P0f63K3yWG86FyFm6j4BFamNwQ71bAso
VvxjvKakqW16lU1bZOSWax..ZKzqLV5avhydQy5BBd5ATb1LQVtURJGudrtc
b
Received: from [210.110.151.146] by web125220.mail.ne1.yahoo.com via HTTP; Thu, 26 May 2011 23:02:12 PDT
X-Mailer: YahooMailWebService/0.8.111.303096
Date: Thu, 26 May 2011 23:02:12 -0700 (PDT)
From: Suzan Park <suzan.park7@yahoo.com>
Reply-To: Suzan Park <suzan.park7@yahoo.com>
Subject: interview questions
To: XXX
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=”0-1266752663-1306476132=:55224″

–0-1266752663-1306476132=:55224
Content-Type: text/plain; charset=us-ascii

Hi, this is Park of NCN News.
We are producing a documentary on “International Status of Northeast Asian Countries in Perspective of Soft Power”.
I was informed you are professional in this field.
It would be grateful if you could answer the interview questions about this documentary.

Documentary & Questions Link is here :Focusing on Current Situations of North Korea

Best regards!
Park
–0-1266752663-1306476132=:55224
Content-Type: text/html; charset=us-ascii

<html><body><div style=”color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt”><div>Hi, this is Park of NCN News.<BR>We are producing a documentary on “International Status of Northeast Asian Countries in Perspective of Soft Power”. <BR>I was informed you are professional in this field. <BR>It would be grateful if you could answer the interview questions about this documentary. <BR><BR>Documentary &amp; Questions Link is here :<A href=htXtp://ncnbroadcasting.reportinside.net/producer/2011FocusingOnDPRK.hta> Focusing on Current Situations of North Korea</A> <BR><BR>Best regards! <BR>Park <IMG src=”hXttp://ncnbroadcasting.reportinside.net/producer/pga/page.php?no=010″ width=1 height=1> </div></div></body></html>
–0-1266752663-1306476132=:55224–

And here is some header information from Email #3:

Delivered-To: [DELETED]

Received: by 10.229.245.145 with SMTP id lu17cs2064qcb;

Tue, 17 May 2011 00:08:45 -0700 (PDT)

Received: by 10.42.221.3 with SMTP id ia3mr277704icb.181.1305616124633;

Tue, 17 May 2011 00:08:44 -0700 (PDT)

Return-Path:

Received: from nm7-vm1.bullet.mail.ne1.yahoo.com (nm7-vm1.bullet.mail.ne1.yahoo.com [98.138.90.250])

by mx.google.com with SMTP id z27si453516ibz.114.2011.05.17.00.08.44;

Tue, 17 May 2011 00:08:44 -0700 (PDT)

Received-SPF: pass (google.com: best guess record for domain of pbenson261@yahoo.com designates 98.138.90.250 as permitted sender) client-ip=98.138.90.250;

Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of pbenson261@yahoo.com designates 98.138.90.250 as permitted sender) smtp.mail=pbenson261@yahoo.com; dkim=pass (test mode) header.i=@yahoo.com

Received: from [98.138.90.49] by nm7.bullet.mail.ne1.yahoo.com with NNFMP; 17 May 2011 07:08:43 -0000

Received: from [98.138.89.196] by tm2.bullet.mail.ne1.yahoo.com with NNFMP; 17 May 2011 07:08:43 -0000

Received: from [127.0.0.1] by omp1054.mail.ne1.yahoo.com with NNFMP; 17 May 2011 07:08:43 -0000

X-Yahoo-Newman-Property: ymail-3

X-Yahoo-Newman-Id: 614059.4378.bm@omp1054.mail.ne1.yahoo.com

Received: (qmail 86611 invoked by uid 60001); 17 May 2011 07:08:43 -0000

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1305616123; bh=YRmhoQ/kNM5QGsVIpIZM4yJ/dZh4Yc9QDNzHtAgWy1A=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=SxqwX+mV7jiCVbtSqJHfkGdEf/T6XY4cA8aelRhM0hA8NPqZeuigfxak+HTmfYyMzemvSyG1t6TtzRDkVXRcRti0m3aR7T/CAX3VoRnDj5hWevgHXNrjZkCFa5hXzQanOao+WcQrc8im2FTgh0yybsLNWdPpRqwjsggAOdh8wB8=

DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;

s=s1024; d=yahoo.com;

h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;

b=A/jZPcax9+pda8SDIs51AlbFD/Cu+jD0XOE5RijEz+OI8eU738GK+BeT2TsmAUF+XQ+fwzZ1Hx5SzyH2RQa1Ov4ls4xmrr/rnxrEovOjYp+kqJqxn4ZITci4sClednvB+dwPfWemFGILcrNdJH+ZpTnPB5gnL6OeCX+dxp5e8BA=;

Message-ID: <477809.82736.qm@web121110.mail.ne1.yahoo.com>

X-YMail-OSG: dCgK8H8VM1kieK4XmBo5P9j5RAVlONmIR97dyZnRe5Rlirl

VOdJvUlKK1P2pqBLJiwYU6FYzyYu2GXBsTuxiZEcjt0tHWAH719rmpja_65u

VezOv9BNUzWlU2d.gD_Gqlv6V5KFaLoS7PqDG6cvMJvuOlBoHJ0fS2lUHVpi

whFEhmNgpGI7WghDdQbtTs8l_SFkXVGQ0DaG9FQFM3fWrVFHYNA5SnH.CqvE

OjKKUf9_CYlk1YeNDsIWImpGT.OMeN.MZYfhPwzgU5y16hl9BkKXk2K3iimA

gYEU41eKj4o53MPb79gUf_o3FIG7pZd8nBu0vVZJCvWPTO3t95majJfqKOhH

vt0t__sX7qcplRDW7HAKuhcJJyQpZK6Pr5NS0B7H2uiUz1WCz1jgtFrD.bhD

D4eq4tNfPibw6JchlQ1ewmoAWHy3xB3nSkVvqIQ–

Received: from [85.237.165.150] by web121110.mail.ne1.yahoo.com via HTTP; Tue, 17 May 2011 00:08:43 PDT

X-Mailer: YahooMailWebService/0.8.111.303096

Date: Tue, 17 May 2011 00:08:43 -0700 (PDT)

From: Pam Benson

Reply-To: Pam Benson

Subject: FW:Kim Il Sung:the Great Hero of Mankind(ask your comments)

To: “[DELETED]

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary=”0-1151318799-1305616123=:82736″

–0-1151318799-1305616123=:82736

Content-Type: multipart/alternative; boundary=”0-1420268040-1305616123=:82736″

–0-1420268040-1305616123=:82736

Content-Type: text/plain; charset=us-ascii

I am forwarding the feature column : “Kim Il Sung: the Great Hero of Mankind”.

This writing concerns his great achievements.

The column is very realistic and beautiful.

I guess everyone who reads this column is impressed with his history.

I wonder what you think about this writing.

Thanks.

Sincerely Yours.

–0-1420268040-1305616123=:82736

Content-Type: text/html; charset=us-ascii

This entry was posted on Tuesday, May 17th, 2011 at 6:31 pm and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.