back to article You might have been phished by the gang that stole North Korea’s lousy rocket tech

The United States and the Republic of Korea have issued a joint cyber security advisory [PDF] about North Koreas "Kimsuky" cyber crime group. The warning came after the Democratic People’s Republic of Korea (DPRK aka North Korea) earlier this week tried and failed to launch a surveillance satellite. In their joint advisory, US …

  1. Neil Barnes Silver badge

    Peak macro?

    Have we reached the time yet when the perceived usefulness of macros within documents has been exceeded by their risks? I speak particularly of text documents; personally I've never seen the need to include a Turing complete language in a word processor.

    1. Adam Foxton

      Re: Peak macro?

      Just because you can't see the need doesn't mean there isn't one.

      In MS Office post-2003, Macros already need their own format that explicitly does contain a macro. So any normal DOCX is, by definition, not macro-enabled. Anything else should be treated with suspicion and can be easily automatically recognised and flagged as a potential attack vector.

      This seems like the best solution, covering not just your use-case but also the rest of the world.

  2. jonnycando

    I wonder if

    Those who they butter up are really all that smart if they can fall for these lame tactics?

    1. ThatOne Silver badge

      Re: I wonder if

      Don't forget that "intelligence" is only very vaguely correlated to "street smarts", which is the feature needed here.

      I know some extremely intelligent people, highest level mathematicians, who you could sell the Brooklyn bridge to...

    2. doublelayer Silver badge

      Re: I wonder if

      The attack method is kind of basic, but the rest of it isn't. They do a lot of research into their victims before they attempt to compromise them. They know a lot of information which can be used to convince them they're legitimate, and they do it to so many people that they have chances to practice.

      I think we overestimate our own resistance to scams. We have technical knowledge to know about macros in Office documents, which is great, but it doesn't follow that we also have knowledge to detect scams in other areas in which we don't work. I've known people who were great at IT and did not understand finance or law, and if someone tried a scam that wasn't related to computers, they would be more likely to fall for it. It's not even limited to lack of knowledge, as successful manipulation of the victim's emotions can circumvent an otherwise skeptical person's brain. That includes both you and me, if the scammer is good enough at finding our weaknesses.

  3. Pascal Monett Silver badge

    "Do not enable macros on documents received via email, unless the source is verified"

    It is crestfalling that this still has to be said at all.

    1. t245t

      Re: "Do not enable macros on documents received via email, unless the source is verified"

      "Do not enable macros on documents received via email, unless the source is verified"

      How does one verify the source since the email address could be spoofed?

      1. ThatOne Silver badge

        Re: "Do not enable macros on documents received via email, unless the source is verified"

        > the email address could be spoofed?

        Impossible: The email headers contain the whole resume of the email, from the initial sender's IP address, through all the mail servers it went, up to your own mail server. It's part of the protocol, so there are no spoofed emails, only careless/gullible readers.

        Now I have to admit almost all email clients do whatever they can to obfuscate this dangerous information so you worry your pretty little head about that ugly, complicated stuff, and just believe whatever the nice friendly sender says...

        1. doublelayer Silver badge

          Re: "Do not enable macros on documents received via email, unless the source is verified"

          When that protocol was younger, it still contained all of that, but it didn't check any of it. I could open a connection to a mailserver, submit a message with any headers I liked, from any address I liked, with a long fake history if I pleased, and all that would be available afterward to try to track me down would be the IP address with which I connected to the first real server in the chain.

          Nowadays, there are a lot of patches designed to prevent that from working, and most servers actually check those. However, it doesn't stop people from trying the old ways. I've run my own mailserver at times, although I don't now, and looking at what bots tried to do was instructive. Several types of attack were attempted, including many spoofed emails and some attempts to get my server to act as a relay for messages going to others. Fortunately, relay attempts were rejected and spoofed emails went to a separate mailbox for curiosity until I just sent them all to /dev/null. Still, not only can a mail client be manipulated to show an inaccurate source, headers can be spoofed if your server isn't careful.

    2. yetanotheraoc Silver badge

      Re: "Do not enable macros on documents received via email, unless the source is verified"

      I don't understand the "unless the source is verified" part. Even at work from work for work, I just _have_ to look at the code first. (It helps that I'm a big fan of the horror genre.) When at home I look at the code only out of curiosity, because I'm not running it no matter what it looks like.

  4. Electric Panda

    Macros are very old hat and written in ancient, arcane, runic languages. Maybe it's time for Microsoft to look at phasing them out in newer versions of Office.

  5. Anonymous Coward
    Anonymous Coward

    So exactly the same rudimentary techniques I invented and implemented successfully 20+ years ago to infect and harvest millions of computers before collating them all into various groups of interest to then further analyse with a view to isolating those of interest.

    Not much has changed it seems.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like