Targeted e-mail attacks spoof DOJ, business group

Security experts warned this week of two separate e-mail attacks launched Monday that take aim at specific individuals within corporations.

The first attack, detected by MessageLabs at 4:55 p.m. GMT Monday, was sent to more than 400 individuals at financial institutions, with the e-mail addressed specifically to that individual and purporting to be a complaint from the U.S. Department of Justice. A second attack, spotted three and a half hours later, was similar, but claimed to be from the Better Business Bureau. In both cases, the e-mails contained malicious attachments that could lead to the recipient's system being taken over.

The Trojan horse that gets installed on a computer allows an attacker to have remote access to the machine, but MessageLabs security analyst Paul Wood said the attacker's exact purpose was not clear. "Once they get access to the machine remotely, they can use that machine for anything," Wood said.

Although it is likely the two attacks are related, Wood said, their attachments and delivery mechanisms varied somewhat. The attack spoofing the Justice Department contained an executable program within a zipped file with the extension .scr, typically used by screen savers. In the attack spoofing the Better Business Bureau, the attachment was a Rich Text Format document that contained an executable program disguised as a PDF file.

The rise in specifically targeted e-mail attacks has been of significant concern to security experts. Such attacks are both harder to detect than mass phishing attacks, and more likely to be acted on given the fact they are customized to their recipients, including things such as their name and official title.

In its annual "Security Intelligence Report," issued last month, Microsoft reported a steep rise in such attacks. Wood said that his company started seeing attacks aimed at specific individuals back in 2005, but at the time it saw maybe two such attacks a week. By last year, it was seeing one per day; this year, that number has risen to an average of 10 per day.

One of the big reasons behind the increase is the availability of toolkits that enable criminals to essentially have a template for the attacks, wherein they need to fill in only the targeted information.

"A year or two ago you would have to be fairly technically sophisticated in order to create these attacks," Wood said.

Wood added that the rise of social networks like Facebook and professional networks such as Plaxo and LinkedIn are making it easier for attackers to do their homework on potential victims.

"You can certainly build up a profile and make those attacks much more convincing," Wood said.

This week's attacks are similar to ones that took place in June and September. In the September attack, more than 1,000 senior executives were sent messages with an apparent Word attachment that contained an embedded executable file. The June attack, which also targeted senior executives, purported to be an invoice.

The latest attack spoofing the Better Business Bureau is still ongoing, said MessageLabs. The Better Business Bureau has also been spoofed before in a number of phishing attacks.

[Orwellian]

SCR Files?!?

Who the hell is still allowing .SCR files to pass through their systems? Any halfway decent mail gateway can scan inside ZIP files and should be dropping these at the edge, the DOJ email should be a non-issue. Poor IT management if you ask me.

[`WarpKat]

User Ignorance/Lack of Common Sense

This is why you see reports about OS' being hijacked - and it's something that was underscored with the Windows XP (non-SP2) hack discussion.

User education about computers in general, including security practices, is SOOOOOOOOOOOOOOOOOOO non-existent that it allows things like this to occur.

You don't HAVE to be a computer know-it-all - but you do have to have SOME knowledge coupled with common-sense.

Knowledge of how to update one's operating system and anti-virus...

...and the common sense to frequently get off one's lazy butt to do it...

[spothannah]

"Spoofing"

The author of this story choose a word "spoofing" which has conotations. I would ask the author if the conotations of "spoofing" are appropriate in this case. Journalism is getting a reputation that it may not want. It must hold closely to the ideals that have made it trustworthy in the past.
I would like to hear/read the author's comments about this. Thank you.

[KevinK]

Please clarify your comment

I am not sure I understand your objection to the term "spoofing" - in this instance it seems like the right choice of words.

Spoofing in this context implies an email that appears to come from a specific source but actually doesn't. The term is widely used to refer to any email that represents to come from one source, like say a bank or government agency, but actually comes from a scammer. Spoofs may contain links to spoofed sites which demand sensitive personal information or viral/trojan/worm payloads that compromise a machine and frequently personal information.

You might want to take a look at wikipedia or similar for more on this common usage of the term.

[NoVista]

Well ...

Could you give me a list of a few words without conntations?

Then we can play 'Interpretation and Over-interpretation' OK?

[Lukfire43]

Can this affect macs?

I opened the ZIP file that the .scr file came in but I did not open the
.scr file. Am I at risk? Should I format just incase? Am I paranoid -
yes.

Thank you
Mac OS X 10.5.1

[malcolm.hansen2]

allowing .SCR files to pass through systems is dangerous.