North Korea Accused of Attacking Windows Users

John Lister's picture

Microsoft has warned users to pay particularly close attention to emails that appear to come from "". A simple trick involving spelling was the key to a security attack that Microsoft believes was instigated by North Korea.

A US court has given Microsoft legal control of 50 web domains it says were used to carry out cyber attacks on Windows users. It's said to be the work of a group dubbed Thallium operating out of North Korea.

Microsoft says the attacks were targeted at "government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues." (Source:

Social Media Used For Targeting

The attacks involved something called "spear phishing." That's a variant on the familiar tactic of sending messages that appear to come from a trusted source to trick recipients into opening an attachment, then clicking a link or handing over sensitive data. The end goal is to use malware to gain access to, and even control of, the victim's computers.

"Spear" refers to the attackers not simply spamming as many people as possible and playing the numbers game, but rather specifically targeting users in particular groups. That may have involved using social media or even staff directories. (Source:

In this case the bogus messages claimed somebody had tried to sign in to the user's account and that Microsoft itself was contacting the user as a security check. One variant of the message invited users to click a link to review their recent web activity.

Misspelling Overcomes Skepticism

The trick which appears to have worked comparatively well involves the sender's address. Often phishing attacks rely on spoofing the displayed sender's name and hoping the victim doesn't look closely at the details in their email software or service, which often reveal the actual address from which the message came.

The attackers were able to send the messages from an address at "" That may be clear for many readers on Infopackets, but in some email applications and with some type settings, it's not obvious at first glance that the "rnicrosoft" begins with an 'r' and an 'n' rather than an 'm'.

What's Your Opinion?

How good do you think you are at spotting phishing attempts? Have you ever contacted a friend or colleague to check if it was really them who sent an attachment or link? Can companies and governments really hope to win the battle against scammers if they are up against state-sponsored hackers?

Rate this article: 
Average: 4.9 (10 votes)


buzzallnight's picture

Bogus report of somebody had tried to sign in to my account and that Facebook itself was contacting me as a security check when I tried to log in. The message invited me to click a link to review the login attempt log and they wanted my phone number which I would not give them. They locked me out for a few days and then I was able to get in again after that.

Does anybody know if this was Facebook standard operating procedure?

buzzallnight's picture

Our own government intelligence agencies found and used undocumented flaws in windows 7.
They stored them on a server on the internet and of course they got hacked!!!!!!!!

Our government is no help as they are IDIOTS!!!!!!!!!!!!!!!

kitekrazy's picture

How about give them a dose of their own medicine?

Last week I had 255 emails which sent a red flag. Someone had gotten into my Yahoo web mail. They tried to order with a card that no longer existed that was left on my Fry's Electronics account. I do have to question that maybe it's better to go back to an email client and go with my isp more often. It is nice that Gmail and some banks will send you a warning if they don't recognize your ip address.
A lot of hacking is by countries where the user can't afford software. Gaming accounts are often hacked.
I think the only solution is once they are found, assassinate them.

Private companies can do a better job than any government. (not named Microsoft)