Re: spear phishing attack on me
From: Alejandro Colomar <alx@kernel.org>
Date: 2025-04-09 09:51:11
On Wed, Apr 09, 2025 at 11:47:45AM +0200, Alejandro Colomar wrote:
> Hi Serge,
>
> On Tue, Apr 08, 2025 at 11:14:52PM -0500, Serge E. Hallyn wrote:
> > On Tue, Apr 08, 2025 at 02:31:37PM +0200, Alejandro Colomar wrote:
> > > Hi everyone,
> > >
> > > I'm writing to the mailing lists of every project in which I have write permissions: shadow, linux-man, and neomutt. I also CCed maintainers, LWN, and my contact in the Linux Foundation. In BCC is my contact from Google for my sponsorship, which might be of help, and also another friend from Google.
> > >
> > > Last week someone reported to me a vulnerability in shadow utils. It was a real vulnerability, although something relatively unimportant (needs physical presence of the attacker, or a way to read memory of a setuid-root program --which means they probably already own the system--). In fact, we kind of knew of its existence already, and I've been working on mitigating it, and we've discussed it in the project.
> > >
> > > The report seemed legitimate in the beginning, although I was suspicious that it was only sent to me (I'm involved in the project, and am the main contributor by number of commits, but Serge and Iker are the maintainers (I maintain the stable branches only), and the guidelines say they should have been CC'd), but that's something that could happen, so I continued discussing the vulnerability with this person. In my responses, I added the co-maintainers to CC. When this person replied to me, they removed the co-maintainers from CC, which again is suspicious, but is something that could happen.
> > >
> > > This person tried to get me to open a couple of PNG files, supposedly showing an exploit for the vulnerability. Of course I didn't open any of them. I replied asking for a text-based alternative, because it would be ironic that, while talking about vulnerabilities, I would have to open "unnamed.png" and "unnamed-1.png". The person didn't reply again, which to me was the confirmation that it was an attack, and they realized they got caught.
> >
> > (Had asked this previously privately, but this seems worth discussing publicly.)
> >
> > Would be great to analyze the images.
>
> Yup; I'm attaching the mail containing the suspicious images to this message.
>
> The mail is contained in a compressed tarball, signed and armored, to make it more difficult to accidentally open the images (MUAs open them carelessly if they can, in some cases).

Oops, I forgot to actually attach it. Hopefully fixed this time. :)

> I created the tarball with:
>
> $ tar czf ~/Downloads/suspicious_mail.tar.gz cur/1743721130.26271_1.devuan,U=7595:2,RS
> $ gpg --armor --sign ~/Downloads/suspicious_mail.tar.gz
>
> It can be opened this way:
>
> alx@devuan:~/Downloads/sus$ ls
> suspicious_mail.tar.gz.asc
> alx@devuan:~/Downloads/sus$ gpg --output sus_mail.tar.gz --verify suspicious_mail.tar.gz.asc
> gpg: Signature made Wed Apr 9 02:06:19 2025 CEST
> gpg: using RSA key 4BB26DF6EF466E6956003022EB89995CC290C2A9
> gpg: Good signature from "Alejandro Colomar [off-list ref]" [ultimate]
> gpg: aka "Alejandro Colomar [off-list ref]" [ultimate]
> gpg: aka "Alejandro Colomar Andres [off-list ref]" [ultimate]
> alx@devuan:~/Downloads/sus$ ls
> sus_mail.tar.gz suspicious_mail.tar.gz.asc
> alx@devuan:~/Downloads/sus$ gunzip --keep sus_mail.tar.gz
> alx@devuan:~/Downloads/sus$ ls
> sus_mail.tar sus_mail.tar.gz suspicious_mail.tar.gz.asc
> alx@devuan:~/Downloads/sus$ tar tvf sus_mail.tar
> -rw------- alx/alx 31193 2025-04-04 00:58 cur/1743721130.26271_1.devuan,U=7595:2,RS
> alx@devuan:~/Downloads/sus$ tar xf sus_mail.tar
> alx@devuan:~/Downloads/sus$ ls
> cur sus_mail.tar sus_mail.tar.gz suspicious_mail.tar.gz.asc
> alx@devuan:~/Downloads/sus$ ls cur/
> '1743721130.26271_1.devuan,U=7595:2,RS'
> alx@devuan:~/Downloads/sus$ grep -r From: cur/
> cur/1743721130.26271_1.devuan,U=7595:2,RS:From: Mahdi Hamedani Nezhad [off-list ref]
>
> Have a lovely day!
> Alex
>
> > Of course it *is* always possible (unless you've found even more evidence to the contrary) that the reporter is legit and just... awkward. Google does come up with a "security researcher" by that name. So I wouldn't go whole-hog on the witch hunt just yet, but the whole thing definitely is fishy.
> >
> > > I don't know why exactly they targeted me, but I assume it's because of my involvement in one of these projects, so maintainers of these projects should be especially careful these days, in case they try another vector.
> > >
> > > As for me, if anyone tries to impersonate me, please make sure it's me. I almost always sign my email and *always* sign my git commits with my PGP key. If in doubt, please verify it's me. I have never changed my PGP master key, and keep it almost always offline, so that should ultimately be the way to know it's me. The key was certified by Michael Kerrisk, and he knows me physically, in case we ever need to verify (say, if my master key is ever stolen and I need to revoke it). This attack was unsuccessful, but if I'm a target of interest, they might succeed in another attack. Don't trust me too much.
> > >
> > > As for the attacker, I've reported to Google via <https://support.google.com/mail/contact/abuse>, although I'm not sure if they'll do much. It would be interesting to learn the IP of the owner of the account, and if it used a VPN to connect to Gmail, if it tried to attack any other people, and any other patterns that might be useful to learn who is interested in this attack. Maybe my contact at Google can talk to people within Google to investigate this further. Or maybe some of you know someone at Google that can help investigate this.
> > >
> > > The attacker is "Mahdi Hamedani Nezhad [off-list ref]". I presume this is a false name, trying to impersonate someone; I assume no one would try to attack someone else using their real name. There's a real person with that name --or so it seems on LinkedIn--, and they are a security researcher in Iran.
> > >
> > > Have a lovely day!
> > > Alex
> > >
> > > --
> > > <https://www.alejandro-colomar.es/>
Attachments
- signature.asc [application/pgp-signature] 833 bytes
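As an added example (not part of this thread, and not a tool anyone in it used), the triage shown above with `tar tvf` and `grep -r From:` can be taken one step further without ever rendering the attachments: the Python below parses a message, lists each attachment with its declared MIME type, the type its leading bytes actually indicate, and a SHA-256 for sharing with others. The sample message, addresses and file names are constructed; only the stand-in "unnamed.png" / "unnamed-1.png" names echo the thread.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed sample message (not the mail from the thread): one "image/png"
# attachment whose bytes are not a PNG at all, and one that really is.
_msg = EmailMessage()
_msg["From"] = "reporter@example.invalid"
_msg["To"] = "maintainer@example.invalid"
_msg["Subject"] = "exploit screenshots"
_msg.set_content("See attached.")
_msg.add_attachment(b"%PDF-1.7 not really an image", maintype="image",
                    subtype="png", filename="unnamed.png")
_msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, maintype="image",
                    subtype="png", filename="unnamed-1.png")
SAMPLE_EML = _msg.as_bytes()

# Leading-byte signatures of a few common formats.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"%PDF": "application/pdf",
}

def sniff(data: bytes) -> str:
    """Identify a part by its leading bytes, ignoring what the header claims."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def triage(raw: bytes) -> list:
    """List attachments with declared type, sniffed type, size and SHA-256,
    without handing the bytes to an image decoder, viewer or MUA."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        actual = sniff(data)
        report.append({
            "filename": part.get_filename(),
            "declared": declared,
            "sniffed": actual,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            # A recognised format that differs from the declared one is a red flag.
            "mismatch": actual != "unknown" and actual != declared,
        })
    return report
```

Run `triage(SAMPLE_EML)` (or feed it the bytes of a Maildir file) and the first attachment is reported as declared `image/png` but sniffed `application/pdf`, which is exactly the kind of discrepancy worth knowing before anything opens the file.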