[neomutt-devel] spear phishing attack on me

Alejandro Colomar alx at kernel.org
Tue Apr 8 14:31:37 CEST 2025


Hi everyone,

I'm writing to the mailing lists of every project in which I have write
permissions: shadow, linux-man, and neomutt.  I also CCed maintainers,
LWN, and my contact in the Linux foundation.  In BCC is my contact from
Google for my sponsorship, which might be of help, and also another
friend from Google.

Last week someone reported to me a vulnerability in shadow utils.  It
was a real vulnerability, although something relatively unimportant
(needs physical presence of the attacker, or a way to read memory of a
setuid-root program --which means they probably already own the
system--).  In fact, we kind of knew its existence already, and I've
been working on mitigating it, and we've discussed it in the project.

The report seemed legitimate in the beginning, although I was suspicious
that it was only sent to me (I'm involved in the project, and am the
main contributor by number of commits, but Serge and Iker are the
maintainers (I maintain the stable branches only), and the guidelines
say they should have been CC'd), but that's something that could happen,
so I continued discussing the vulnerability with this person.  In my
responses, I added to CC the co-maintainers.  When this person replied
to me, they removed the co-maintainers from CC, which again is suspicious,
but is something that could happen.

This person tried to get me to open a couple of PNG files, supposedly showing
an exploit for the vulnerability.  Of course I didn't open any of them.
I replied asking for a text-based alternative, because it would be
ironic that talking about vulnerabilities I would have to open
"unnamed.png" and "unnamed-1.png".  The person didn't reply again, which
to me was the confirmation that it was an attack, and they realized they
got caught.

I don't know why exactly they targeted me, but I assume it's because of
my involvement in one of these projects, so maintainers of these
projects should be especially careful these days, in case they try
another vector.

As for me, if anyone tries to impersonate me, please make sure it's me.
I almost always sign my email and *always* sign my git commits with my
PGP key.  If in doubt, please verify it's me.  I have never changed my
PGP master key, and keep it almost always offline, so that should
ultimately be the way to know it's me.  The key was certified by Michael
Kerrisk, and he knows me physically, in case we ever need to verify (say
if my master key is ever stolen and I need to revoke it).  This attack
was unsuccessful, but if I'm a target of interest, they might succeed in
another attack.  Don't trust me too much.

As for the attacker, I've reported to Google via
<https://support.google.com/mail/contact/abuse>, although I'm not sure
if they'll do much.  It would be interesting to learn the IP of the
owner of the account, and if it used a VPN to connect to gmail, if it
tried to attack any other people, and any other patterns that might be
useful to learn who is interested in this attack.  Maybe my contact at
Google can talk to people within Google to investigate this further.  Or
maybe some of you know someone at Google that can help investigate this.
The attacker is "Mahdi Hamedani Nezhad <hamedaninezhadmahdi at gmail.com>".
I presume this is a false name, trying to impersonate someone; I assume
no one would try to attack someone else using their real name.  There's a
real person with that name --or so it seems on LinkedIn--, who is a
security researcher in Iran.


Have a lovely day!
Alex

-- 
<https://www.alejandro-colomar.es/>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://mailman.neomutt.org/pipermail/neomutt-devel-neomutt.org/attachments/20250408/48948ac5/attachment.sig>
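As an added example, not part of Alex's mail or of any of the projects he names: a small Python triage script that turns the three warning signs described in the message into checks a maintainer can run over an incoming report thread. It flags a report that was not copied to the project's documented security contacts, a reply that silently drops people the previous message had CC'd, and "proof" delivered as generically named binary attachments. The thread, the addresses and the `REQUIRED_CONTACTS` list are constructed placeholders; nothing here is taken from the actual mails.

```python
"""Triage heuristics for an inbound vulnerability-report thread.

Constructed example: the messages, addresses and contact list are
placeholders, not the real thread from the neomutt-devel post.
"""
from email import message_from_string
from email.message import EmailMessage
from email.policy import default as DEFAULT_POLICY
from email.utils import getaddresses, parseaddr

# Assumed security contacts for a hypothetical project (placeholders).
REQUIRED_CONTACTS = {"maintainer-a@example.org", "maintainer-b@example.org"}


def _mail(frm, to, cc, subject, body, attachments=()):
    """Build one constructed RFC 5322 message and return it serialised."""
    m = EmailMessage(policy=DEFAULT_POLICY)
    m["From"] = frm
    m["To"] = to
    if cc:
        m["Cc"] = cc
    m["Subject"] = subject
    m.set_content(body)
    for name in attachments:
        # Only the 8-byte PNG signature: the bytes are irrelevant to the check.
        m.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image",
                         subtype="png", filename=name)
    return m.as_string()


# Constructed thread mirroring the pattern in the post: report sent to one
# person only, maintainer reply adds the co-maintainers, next reply drops them.
SAMPLE_THREAD = [
    _mail("reporter@example.net", "alex@example.org", None,
          "vulnerability in shadow", "See attached proof.",
          ["unnamed.png", "unnamed-1.png"]),
    _mail("alex@example.org", "reporter@example.net",
          "maintainer-a@example.org, maintainer-b@example.org",
          "Re: vulnerability in shadow",
          "Adding the maintainers. A text-based PoC, please."),
    _mail("reporter@example.net", "alex@example.org", None,
          "Re: vulnerability in shadow", "Just open the images."),
]


def sender(msg):
    """Address part of From, lower-cased."""
    return parseaddr(str(msg.get("From", "")))[1].lower()


def recipients(msg):
    """All To/Cc addresses, lower-cased, address part only."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def attachment_findings(msg):
    """Flag binary attachments with no name or a generic 'unnamed*' name."""
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        generic = (not name) or name.lower().startswith("unnamed")
        if part.get_content_maintype() in ("image", "application") and generic:
            findings.append(
                f"generic binary attachment {name!r} ({part.get_content_type()})")
    return findings


def triage_thread(raw_messages):
    """Return human-readable red flags for a thread (oldest message first)."""
    msgs = [message_from_string(raw, policy=DEFAULT_POLICY) for raw in raw_messages]
    findings = []

    # 1. The initial report should reach the project's security contacts.
    missing = REQUIRED_CONTACTS - recipients(msgs[0])
    if missing:
        findings.append("msg 1: security contacts not copied: "
                        + ", ".join(sorted(missing)))

    # 2. Generically named binary "evidence" anywhere in the thread.
    for i, m in enumerate(msgs, 1):
        findings += [f"msg {i}: {f}" for f in attachment_findings(m)]

    # 3. A reply should keep everyone who was on the message it answers
    #    (its sender plus all To/Cc recipients).
    for i in range(1, len(msgs)):
        prev, cur = msgs[i - 1], msgs[i]
        expected = recipients(prev) | {sender(prev)}
        actual = recipients(cur) | {sender(cur)}
        dropped = expected - actual
        if dropped:
            findings.append(f"msg {i + 1}: reply dropped "
                            + ", ".join(sorted(dropped)))
    return findings


if __name__ == "__main__":
    for line in triage_thread(SAMPLE_THREAD):
        print(line)
```

Run as a script it prints four findings for the constructed thread: the missing maintainers on the first report, the two `unnamed*.png` attachments, and the co-maintainers dropped from the third message. The dropped-recipient check deliberately compares against the previous message rather than the first one, so that recipients a maintainer legitimately adds mid-thread are expected to stay.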