Sponsored by..

Showing posts with label NATO. Show all posts
Showing posts with label NATO. Show all posts

Monday 4 November 2013

CCDCOE.org "Information Security Audit" spam

Here's a weird spam email..

From: CCDCOE [mailto:ccdcoe@ccdcoe.org]
Sent: Monday, November 04, 2013 12:16 PM
Subject: Information Security Audit


Dear Sir,

I am writing to inform you that NATO Cooperative Cyber Defence Centre of Excellence
conducted an information security audit of the network infrastructureof your organization. It
was carried out as part of exercise Steadfast Jazz 2013.

Our specialists have obtained access to theprivate network and the administration panel of the
website of your organization.

The level of information security of your organization does not meet the requirements of
NATO cyber security guidelines.

It is strongly recommended that you pay attention to this fact.

For more information you should contact NATO Cooperative Cyber Defence Centre of
Excellence.


Sincerely,

Col. Artur Suzik
Director,NATO Cooperative Cyber Defence Centre of Excellence


E-mail: ccdcoe@ccdcoe.org
Phone: +3727176800
Fax: +3727176308
Adress: Filtri tee 12, Tallinn 10132, Estonia

The email was sent to a target in Estonia, and the CCDCOE is a genuine NATO facility, also located in Estonia. The domain, telephone and fax number all appear genuine, and there are no attachments to the email nor are there any links.

However, the email is not genuine as it comes from 213.157.216.139 which is a Caucasus Online LLC ASDL subscriber in Georgia. Caucasus Online IPs are often seen in conjunction with botnets, so this is almost definitely a botnet node. The CCDCOE logo used in the email is also out of date.

A close examination of the mail headers shows that some of them have been faked in order to spoof an originating IP of 217.146.66.99 in Estonia.

Received: from dvb35.srv.it.ge (HELO dvb35.srv.it.ge) (213.157.216.139)
  by [redacted] with SMTP; 4 Nov 2013 10:15:35 -0000
Received: mx1.zone.ee (HELO ccdcoe.org) ([217.146.66.99])  by
 dvb35.srv.it.geL with ESMTP; Mon, 4 Nov 2013 12:01:08 +0200

Received: by ccdcoe.org (Postfix, from userid 309) id fu73vb6de6220; Mon, 4 Nov
 2013 12:00:45 +0200
Received: from 10.1.1.218 (10.1.1.218:35781)    by ccdcoe.org (Postfix) with SMTP
 id gkuuqe31b7s45.9.2013.11.04.59.56;    Mon, 4 Nov 2013 11:59:06 +0200
Message-ID: <20130e3f74d2.4353bd02@user>
From: "CCDCOE" <ccdcoe@ccdcoe.org>
To: [redacted]
Subject: Information Security Audit
Organization: CCDCOE


I can't figure out the purpose of this message, but it is almost definitely malicious. Perhaps there is a second part to this why has not been seen yet?