Comparative Analysis of Targeted Threats Against Human Rights Organizations

Principal investigator: Professor Ronald J. Deibert (Citizen Lab, Munk School of Global Affairs, University of Toronto)

Purpose of the Study

Human rights and civil society organizations face a growing spectrum of online threats, including Internet filtering, website defacements, denial of service attacks, and targeted malware attacks. These organizations can be particularly vulnerable to such attacks due to limited resources or a lack of security awareness. Of these threats, targeted malware attacks in particular are becoming an increasing problem. Typically, the target of such an attack receives an email, possibly appearing to be from someone they know, with text that urges the user to open an attached document (or visit a web site). If the user opens the attachment with a vulnerable software application and no other mitigations are in place, their computer will likely be compromised. Once the victim's computer is compromised, attackers can extract documents, email and other data, and possibly use the infected computer as a mechanism to exploit the victim's contacts or other computers on the targeted network. The purpose of this study is to conduct a comparative analysis of targeted malware attacks against human rights and civil society organizations to better understand the technical and social nature of the attacks and the political context that may motivate them.

Identifying an email as malicious, before opening any attachments, is very important. Some common techniques that attackers use include:

  • Using legitimate content (e.g. conference publications) to hide malicious content
  • Using current events to encourage users to open attachments
  • Referencing legitimate organizations to encourage users to open attachments
  • Implying sensitive or confidential data is attached (e.g. government or military data)
  • Using email account names that appear official, but originate from common webmail providers (e.g. Gmail)

However, it is common for these types of emails to have noticeable errors. Some typical mistakes of targeted attack emails include:

  • Emails addressed to someone other than the recipient
  • Excessive spelling and grammar errors, or text that's hard to understand
  • Mismatched names in the To: address and in the message body
  • Mismatched names in the From: address and in the message body

If an email matches characteristics from the first list (social engineering methods) as well as from the second (common mistakes), the email should be considered suspicious and attachments should not be opened until they are verified as clean.

Identifying malicious files in email attachments has become increasingly difficult. Over the last few years, malicious emails have generally used file attachments in the formats of popular business applications (primarily Microsoft Office documents and PDFs). This practice makes it harder to distinguish malicious documents from legitimate ones, especially as malicious documents may contain content that appears normal.

However, there are some ways of identifying suspicious attachments, including the following:

  • Is the file an executable (.EXE extension)? These files are almost always malicious.
  • Does the file claim to be a screensaver (.SCR extension)? These files are typically executables and are rarely actually screensavers.
  • Is the file an archive (.ZIP, .RAR)? Email providers sometimes block all files with dangerous file types, e.g. executable files. To get such files past this block, attackers may put them in archives.
  • Is the file a password-protected archive with a password mentioned somewhere in the email or another attachment? This is also a common way of getting malicious files around anti-virus scanners.

If you open a document (DOC, PPT, XLS, PDF) and it exhibits the following behavior, it is likely that your machine has been compromised:

  • The program (Word, PowerPoint, etc.) crashes
  • The program splash screen appears, the program opens for an instant, disappears, then reappears
  • A document opens with garbage text in it or is completely empty
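As an added example (not part of the study materials), the following Python function applies the warning signs from the two lists above to a raw message: an official-looking sender name on a webmail account, a To: name that never appears in the body, a password quoted in the body, and attachments with the risky extensions listed above. The sample message, domains and filenames are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a message from the study): an official-looking sender
# name on a webmail account, a misaddressed body, and an archive attachment.
SAMPLE_EML = """\
From: "Jane Example - Ministry of Foreign Affairs" <jane.example.mfa@gmail.com>
To: "Someone Else" <recipient@example.org>
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Dear Mr. Other, please see the attached report (password: 1234).
--B
Content-Type: application/zip; name="report.zip"
Content-Disposition: attachment; filename="report.zip"

PK
--B--
"""

WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
RISKY_EXT = {".exe": "executable", ".scr": "screensaver (usually an executable)",
             ".zip": "archive", ".rar": "archive"}

def triage(raw: str) -> list:
    """Return the warning signs from the lists above that appear in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if name and domain in WEBMAIL_DOMAINS:
        findings.append(f"official-looking sender name on a webmail account ({domain})")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    to_name, _ = parseaddr(msg.get("To", ""))
    surname = to_name.split()[-1] if to_name else ""
    if surname and surname not in text:
        findings.append("To: name does not appear in the message body")
    if re.search(r"password\s*[:=]", text, re.I):
        findings.append("password given in the body (possible protected archive)")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        for ext, kind in RISKY_EXT.items():
            if fname.endswith(ext):
                findings.append(f"attachment {fname}: {kind}")
    return findings
```

A message that matches several findings at once is the combination the text above says should be treated as suspicious.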

Example of a targeted malicious email (this example is from Contagio Malware Dump)

1. Email address

The email may appear to come from someone you know within or outside of your organization. Attackers can spoof the sender email address to make it seem to originate from the real institutional address of the individual. Alternatively, they can register a fake account through a popular email service like Gmail that appears to be associated with the individual. In this example the name of the sender refers to a real person, but the Gmail account used is probably fake.

2. File Attachment

The file attachment is often a PDF, Word document, or other commonly used workplace file format, and is typically used as the delivery mechanism for malware. If you open the attachment it will appear to be a normal document with relevant content. In this example the attached file is a real essay written by the actual person from whom the email appears to be sent (see figure 2). However, the file is not a normal document and will contain an exploit that can compromise a vulnerable version of the software used to read the file (e.g. Acrobat Reader, Microsoft Word, etc.) and execute malicious code on your computer. Once your computer is compromised attackers can extract documents, email, and other data, and possibly use your infected computer to exploit stored contacts or other computers on your network.

3. Email Body

The body of the message may reference topics that are relevant to your organization and will typically urge you to open a file attachment or visit a website URL, which may contain malicious code.

4. Email Signature

The email may end with the signature of the supposed sender that provides real contact information. In this example the signature accurately lists the name, position, and institution of the person from whom the message appears to be sent.

Example of a document used in a targeted malicious email (this example is from Contagio Malware Dump)

Analysis of the malware attached to this email revealed that it is poorly detected by antivirus software. Only 8/42 (19.05%) anti-virus products detected that the file was malicious. The malware contains malicious code that, if opened by a user, exploits programming flaws (CVE-2009-4324) in the Adobe Reader software allowing the attackers to compromise the user’s computer. The compromised computer then attempts to connect to a control server ( in order to report that it has been compromised and to receive instructions from the attackers.

Please send emails (with attachments and full headers) that you suspect to contain malicious attachments or links to the email address supplied to you by the Citizen Lab malware study coordinator.

Sending emails with header information

All emails contain headers that record each server they have passed through on the Internet. This information can be used to help determine whether an email is malicious or not. Each “Received:” header in the email corresponds to a server that the email has passed through; each server adds its header at the top of the message, so the bottom-most “Received:” header is the one closest to the origin. By tracing the path the email has taken, a lot can be determined about where it originated and how it was sent. The headers look like this:

Received: from ( by ( with Microsoft SMTP Server id; Fri, 14 Jan 2011 01:33:19 -0800
Received: from localhost (localhost.localdomain []) by (Postfix) with ESMTP id 208A114A7B; Fri, 14 Jan 2011 01:33:20 -0800 (PST)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ulz2zUmNcimh; Fri, 14 Jan 2011 01:33:18 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id 27D4A14AC0; Fri, 14 Jan 2011 01:33:17 -0800 (PST)
Received: from source ([]) by ([]) with SMTP; Fri, 14 Jan 2011 04:33:17 EST
Received: by pzk28 with SMTP id 28so433969pzk.35 for ; Fri, 14 Jan 2011 01:33:16 -0800 (PST)
Received: by with SMTP id o1mr522054wfg.419.1294997585898; Fri, 14 Jan 2011 01:33:05 -0800 (PST)
Received: by with HTTP; Fri, 14 Jan 2011 01:33:05 -0800 (PST)
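As an added example, not part of the original page, the following Python reads a chain of Received: headers the way described above: it walks the hops from the bottom (origin) upward, pulls out the from/by/with fields and the timestamp of each, and flags an origin that was submitted through a webmail interface (HTTP) or a clock that runs backwards between hops. The hostnames, addresses and ids in the sample are constructed placeholders.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed headers that mirror the shape of the chain above; hostnames,
# addresses and ids are placeholders, not values from the study.
SAMPLE_RAW = """\
Received: from mail-gw.example.org (mail-gw.example.org [192.0.2.10])
 by mx.example.org (Postfix) with ESMTP id ABC123;
 Fri, 14 Jan 2011 01:33:20 -0800 (PST)
Received: from mail-xx.example.net ([198.51.100.5])
 by mail-gw.example.org with SMTP; Fri, 14 Jan 2011 04:33:17 EST
Received: by 10.0.0.1 with SMTP id xyz789; Fri, 14 Jan 2011 01:33:16 -0800 (PST)
Received: by 10.0.0.1 with HTTP; Fri, 14 Jan 2011 01:33:05 -0800 (PST)
Subject: test

body
"""

def hops(raw: str) -> list:
    """Return Received hops origin-first as (from_host, by_host, protocol, time)."""
    msg = email.message_from_string(raw)
    out = []
    # Each relay prepends its header, so the bottom-most one is the origin.
    for h in reversed(msg.get_all("Received", [])):
        text = " ".join(h.split())            # unfold continuation lines
        clause, _, stamp = text.rpartition(";")
        fields = [re.search(rf"\b{kw}\s+(\S+)", clause) for kw in ("from", "by", "with")]
        out.append(tuple(m.group(1) if m else None for m in fields)
                   + (parsedate_to_datetime(stamp.strip()),))
    return out

def check_chain(raw: str, skew: int = 60) -> list:
    """Flag a webmail origin and timestamps that run backwards along the path."""
    chain = hops(raw)
    notes = []
    if chain and (chain[0][2] or "").upper() == "HTTP":
        notes.append("origin hop is a webmail (HTTP) submission, not an institutional mail server")
    for prev, nxt in zip(chain, chain[1:]):
        if (nxt[3] - prev[3]).total_seconds() < -skew:
            notes.append(f"clock runs backwards between {prev[1]} and {nxt[1]}")
    return notes
```

Only the topmost headers are written by servers you control; the lower ones come from the sender's side and can be forged, so treat them as claims rather than facts.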
When forwarding an email to the Citizen Lab submission address, these headers are not kept intact by default. There are two ways to preserve the headers: the first is to configure your email client to show them, then copy/paste them into the forwarded email. The other way is to include the entire email as an attachment (e.g. as an EML file attachment). Receiving emails in this format with the headers intact gives us much more information to work with, so please do it when you can. Please see the next section for step-by-step instructions for submitting samples with full headers.

Submitting emails from Gmail

1. View the bad email by clicking on it. If it asks to display images, do not click on the link.

2. Click on the arrow to the right of the “Reply” button at the top of the message, then select “Show original”.

This will open a new window with a text-only version of the email:

3. Save the page. In the program menu, use “File -> Save As” in IE or “File -> Save Page As” in Firefox or Chrome; or, right click and select “Save Page As” in Firefox or Chrome. Choose a descriptive filename, and have it end with an .eml extension, e.g. “bademail-fakeresume.eml”.

4. Compose a new email, and attach the saved file as a regular attachment.

Submitting emails from Thunderbird

1. Compose a new email.

2. Drag the bad email from your inbox to the attachments list of the new email. It will show up as “Attached Message” in the attachment list.

If drag and drop doesn't work, do the following:

  • Right click on the bad email in your inbox, and select “Save As”. Use the default filename (the subject of the email).

3. Compose a new email, and attach the saved file as a regular attachment.

Submitting emails from Outlook

1. Compose a new email.

2. Drag the bad email from your inbox to the new email. It will show up as an attachment with an envelope icon and the subject of the bad email.