We're used to the idea that web traffic can be tracked to its location, but malicious code developers often take extra steps to try to conceal their identity. However, there are often tell-tale clues even when that happens — everything from the font used in phishing emails to the file structures evident in malware code.
A report from security software developer FireEye identifies seven "calling cards" that can point to the origin of a particular malicious attack. In the example above, while the text is written in Russian, two fonts commonly used in Korea (Batang and KPCheongPong) are also visible. "Those font choices reconfirmed existing evidence from other sources that pointed to North Korea, including the author’s name and the CnC servers used in the attack," the report notes.
Others on the list include repeated language mistakes (which can sometimes be reverse-engineered to suggest the language of origin) and common patterns of DNS registration across multiple attack sites.
These clues aren't easily analysed by the casual observer, though bad expression remains one of the most obvious indicators of phishing emails. Hit the link for the full report.
Digital Bread Crumbs [FireEye]