Linux Manual Pages development
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Alejandro Colomar <alx@kernel.org>
Cc: linux-man@vger.kernel.org, shadow <~hallyn/shadow@lists.sr.ht>,
	neomutt-devel@neomutt.org, Iker Pedrosa <ipedrosa@redhat.com>,
	Serge Hallyn <serge@hallyn.com>,
	Michael Kerrisk <mtk.manpages@gmail.com>,
	Richard Russon <rich@flatcap.org>,
	Todd Benzies <tbenzies@linuxfoundation.org>,
	Jonathan Corbet <corbet@lwn.net>
Subject: Re: spear phishing attack on me
Date: Tue, 8 Apr 2025 23:14:52 -0500	[thread overview]
Message-ID: <20250409041452.GA498769@mail.hallyn.com> (raw)
In-Reply-To: <kmmxxicgr7mwai6rffhbqtfrs77gcbhdj5qfqmfuu33a6nafgd@xurecmxd3mup>

On Tue, Apr 08, 2025 at 02:31:37PM +0200, Alejandro Colomar wrote:
> Hi everyone,
> 
> I'm writing to the mailing lists of every project in which I have write
> permissions: shadow, linux-man, and neomutt.  I also CCed maintainers,
> LWN, and my contact in the Linux foundation.  In BCC is my contact from
> Google for my sponsorship, which might be of help, and also another
> friend from Google.
> 
> Last week someone reported to me a vulnerability in shadow utils.  It
> was a real vulnerability, although something relatively unimportant
> (needs physical presence of the attacker, or a way to read memory of a
> setuid-root program --which means they probably already own the
> system--).  In fact, we kind of knew its existence already, and I've
> been working on mitigating it, and we've discussed it in the project.
> 
> The report seemed legitimate in the beginning, although I was suspicious
> that it was only sent to me (I'm involved in the project, and am the
> main contributor by number of commits, but Serge and Iker are the
> maintainers (I maintain the stable branches only), and the guidelines
> say they should have been CCed), but that's something that could happen,
> so I continued discussing the vulnerability with this person.  In my
> responses, I added to CC the co-maintainers.  When this person replied
> to me, they removed the co-maintainers from CC, which again is suspicious,
> but is something that could happen.
> 
> This person tried to get me to open a couple of PNG files, supposedly showing
> an exploit for the vulnerability.  Of course I didn't open any of them.
> I replied asking for a text-based alternative, because it would be
> ironic that talking about vulnerabilities I would have to open
> "unnamed.png" and "unnamed-1.png".  The person didn't reply again, which
> to me was the confirmation that it was an attack, and they realized they
> got caught.

(Had asked this previously privately, but this seems worth discussing
publicly)  Would be great to analyze the images.

Of course it *is* always possible (unless you've found even more
evidence to the contrary) that the reporter is legit and just...
awkward.  Google does come up with a "security researcher" by that
name.  So I wouldn't go whole-hog on the witch hunt just yet, but
the whole thing definitely is fishy.

> I don't know why exactly they targeted me, but I assume it's because of
> my involvement in one of these projects, so maintainers of these
> projects should be especially careful these days, in case they try
> another vector.
> 
> As for me, if anyone tries to impersonate me, please make sure it's me.
> I almost always sign my email and *always* sign my git commits with my
> PGP key.  If in doubt, please verify it's me.  I have never changed my
> PGP master key, and keep it almost always offline, so that should
> ultimately be the way to know it's me.  The key was certified by Michael
> Kerrisk, and he knows me physically, in case we ever need to verify (say
> if my master key ever is stolen and I need to revoke it).  This attack
> was unsuccessful, but if I'm a target of interest, they might succeed in
> another attack.  Don't trust me too much.
> 
> As for the attacker, I've reported to Google via
> <https://support.google.com/mail/contact/abuse>, although I'm not sure
> if they'll do much.  It would be interesting to learn the IP of the
> owner of the account, and if it used a VPN to connect to gmail, if it
> tried to attack any other people, and any other patterns that might be
> useful to learn who is interested in this attack.  Maybe my contact at
> Google can talk to people within Google to investigate this further.  Or
> maybe some of you know someone at Google that can help investigate this.
> The attacker is "Mahdi Hamedani Nezhad <hamedaninezhadmahdi@gmail.com>".
> I presume this is a false name, trying to impersonate someone; I assume
> no one would try to attack someone else using their real name.  There's a
> real person with that name --or so it seems in LinkedIn--, and is a
> security researcher in Iran.
> 
> 
> Have a lovely day!
> Alex
> 
> -- 
> <https://www.alejandro-colomar.es/>
