Hackers target security firm’s CEO via limo service

Graham Cluley

Kevin Mandia is one chief executive who is very suspicious of the emails that arrive in his inbox.

He’s got good reason, after all. He’s the CEO of Mandiant, the security firm which earlier this year published an extensive report [PDF] which tracked a notorious hacking gang right to the door of a building belonging to the People’s Liberation Army of China.

According to a report in Foreign Policy, Mandia was recently targeted by cybercriminals posing as the limousine service his company uses.

Mandia is used to his limo company emailing him PDF invoices after he makes a trip, but a recent series of emails purporting to come from the cab firm raised suspicions.

“I’ve been receiving PDF invoices not from them, but from an [advanced hacking] group back in China; that’s awesome,” said Mandia in D.C. recently. He only caught the attack when the hackers sent receipts on days when he hadn’t used the car service. “I forwarded them to our security service, and they said, ‘Yup, that’s got a [malicious] payload.’”

This raises an interesting question, of course.

How did the hackers know that Mandiant’s CEO used *that* limo service?

It’s possible, I suppose, that a disgruntled former employee of Mandiant could have decided to ring up the hackers and tell them that it would make a terrific disguise for a targeted malware attack. But it seems unlikely.

It’s possible, I suppose, that Mandiant employees could have breathlessly tweeted their love for the limo company, or posted selfies of themselves with their favourite chauffeurs on Facebook, after a particularly smooth ride to the airport. But it seems unlikely.

It’s possible, I suppose, that Mandiant is just one of many companies in the area that has received out-of-the-blue malicious emails claiming to come from a local limo company, and it just so happens that they are the firm which poked a hackers’ hornet’s nest earlier this year. But it seems unlikely.

So, other possibilities? Well, Mandia himself suspects that the Chinese have been spying on him when he gives public presentations, and using old-fashioned espionage techniques to see how, and with which limousine company, he leaves the event afterwards.

Certainly it would be easy to forge a limo firm’s email address, and create a plausible-looking PDF invoice using the company’s logo… and hide within an exploit that would download malware onto a chief executive’s computer.

As ever, it’s extremely difficult to prove that the Chinese were behind this particular attack – but it sounds as if no-one would be particularly surprised if they were.

The moral of the story? Always take care over the email attachments you open, and the links you click on, even if you believe they have been sent to you by someone you know and trust.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
