Hackers target security firm’s CEO via limo service

Graham Cluley

Kevin Mandia is one chief executive who is very suspicious of the emails that arrive in his inbox.

He’s got good reason, after all. He’s the CEO of Mandiant, the security firm which earlier this year published an extensive report [PDF] which tracked a notorious hacking gang right to the door of a building belonging to the People’s Liberation Army of China.

According to a report in Foreign Policy, Mandia was recently targeted by cybercriminals posing as the limousine service his company uses.

Mandia is used to his limo company emailing him PDF invoices after he makes a trip, but a recent series of emails purporting to come from the cab firm raised suspicions.


“I’ve been receiving PDF invoices not from them, but from an [advanced hacking] group back in China; that’s awesome,” said Mandia in D.C. recently. He only caught the attack when the hackers sent receipts on days when he hadn’t used the car service. “I forwarded them to our security service, and they said, ‘Yup, that’s got a [malicious] payload.’”

This raises an interesting question, of course.

How did the hackers know that Mandiant’s CEO used *that* limo service?

It’s possible, I suppose, that a disgruntled former employee of Mandiant could have decided to ring up the hackers and tell them that it would make a terrific disguise for a targeted malware attack. But it seems unlikely.

It’s possible, I suppose, that Mandiant employees could have breathlessly tweeted their love for the limo company, or posted selfies of themselves with their favourite chauffeurs on Facebook, after a particularly smooth ride to the airport. But it seems unlikely.

It’s possible, I suppose, that Mandiant is just one of many companies in the area that has received out-of-the-blue malicious emails claiming to come from a local limo company, and it just so happens that they are the firm which poked a hackers’ hornet’s nest earlier this year. But it seems unlikely.

So, other possibilities? Well, Mandia himself suspects that the Chinese have been spying on him when he gives public presentations, and using old-fashioned espionage techniques to see how, and with which limousine company, he leaves the event afterwards.

Certainly it would be easy to forge a limo firm’s email address and create a plausible-looking PDF invoice using the company’s logo… and hide within it an exploit that would download malware onto a chief executive’s computer.

As ever, it’s extremely difficult to prove that the Chinese were behind this particular attack – but it sounds as if no-one would be particularly surprised if they were.

The moral of the story? Always take care over the email attachments you open, and the links you click on, even if you believe they have been sent to you by someone you know and trust.
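As an added illustration (not part of the original article), here is a defender-side triage of an invoice email that applies the three checks this story implies: does the sender domain and SPF result match the real vendor, does the invoice date match a recorded trip, and does the attached PDF carry active content. The vendor domain, trip log and the sample message are all constructed assumptions, not data from the incident.

```python
import email
import re
from email import policy
from datetime import date

# Constructed sample: a forged "invoice" email of the kind described above (not real data).
SAMPLE_EMAIL = b"""\
From: "Acme Limo Billing" <billing@acme-limo.example>
Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=mail-relay.example
Date: Tue, 15 Oct 2013 09:12:00 +0000
Subject: Your invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find your invoice attached.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
--b1--
"""

# Constructed trip log: days on which the executive actually used the car service.
TRIPS = {date(2013, 10, 14), date(2013, 10, 21)}
VENDOR_DOMAIN = "acme-limo.example"          # assumed legitimate vendor domain
ACTIVE_PDF_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA")

def triage_invoice(raw, trips=TRIPS, vendor_domain=VENDOR_DOMAIN):
    """Return the reasons this invoice mail deserves a second look (empty list = nothing odd)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    hdr_from = msg["From"]
    from_domain = hdr_from.addresses[0].domain.lower() if hdr_from and hdr_from.addresses else ""
    if from_domain != vendor_domain:
        reasons.append(f"From domain {from_domain!r} is not the vendor's {vendor_domain!r}")
    # The visible From can be forged freely; SPF on the envelope sender is harder to fake.
    m = re.search(r"spf=(\w+)(?:\s+smtp\.mailfrom=(\S+))?", str(msg.get("Authentication-Results", "")))
    if not m or m.group(1) != "pass" or (m.group(2) or "").lower() != vendor_domain:
        reasons.append("SPF did not pass for the vendor's domain")
    # The check that actually caught the attack: an invoice on a day with no trip.
    sent = msg["Date"].datetime.date() if msg["Date"] else None
    if sent not in trips:
        reasons.append(f"invoice dated {sent} but no trip recorded that day")
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            body = part.get_payload(decode=True) or b""
            hits = [mk.decode() for mk in ACTIVE_PDF_MARKERS if mk in body]
            if hits:
                reasons.append(f"PDF {part.get_filename()!r} contains active-content markers {hits}")
    return reasons
```

Marker scanning is a cheap first filter only; a real pipeline would detonate or parse the PDF properly rather than rely on string matches.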

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
