June 4, 2013
The email appeared to come from a trusted colleague at a renowned academic institution. It referenced a subject that was a hot-button issue for the recipient and included a link to a website where she could obtain more information about it.
But when the recipient looked closely at the sender’s email address, a tell-tale misspelling gave the phishing attempt away — the email purported to come from a professor at Harvard University, but instead of harvard.edu, the email address read “hardward.edu”.
Not exactly a professional con job from nation-state hackers, but that’s exactly who may have sent the email to an American woman, who believes she was targeted by forces in Turkey connected to or sympathetic to the powerful Gülen Movement, which has infiltrated parts of the Turkish government.
The email contained a link to a website in Turkey, where a malicious downloader file was waiting to install on her computer — a downloader that has been connected in the past to a spy tool purportedly sold exclusively to law enforcement and intelligence agencies around the world.
The woman, who asked to remain anonymous because she’s concerned about retaliation, sensed the email was a fraud and did not follow the link. Instead, the email was passed to researchers at digital forensics firm Arsenal Consulting, who set up a honeypot to visit the Turkish website and obtained the downloader.