July 2, 2007 6:29 AM PDT

Top executives face personalized e-mail attacks

Online miscreants have targeted 500 key business executives in what is believed to be the first mass-targeted malicious-software attack, according to security vendor MessageLabs.

Targeted attacks aim to bypass security measures by individually addressing e-mails, which often contain zero-day exploits.

On June 26, MessageLabs intercepted more than 500 individual e-mail attacks targeted at individuals in senior management positions in a variety of organizations around the world. Normally, MessageLabs sees approximately 10 targeted attacks per 200 million e-mails per day, according to Mark Sunner, MessageLabs' chief security analyst.

The malicious e-mails contain the name and job title of the victim in the subject line. The vertical sector most targeted was banking and finance, with chief investment officers being targeted in 30 percent of the attacks, according to Sunner. However, other verticals were also targeted. Eleven percent of the intended victims were chief executive officers, while 6 percent were chief finance officers.

Sunner said the executives being targeted were perhaps "not that tech-savvy." In the attacks, an executable file was embedded in a Microsoft Word document. If the victim opened the document and clicked on a link, the file would have run a data-stealing Trojan horse that relied on creating buffer overflow conditions in Office documents.

MessageLabs said it did not know who had perpetrated the attack. "It's a certainty that some executives were compromised," Sunner said.

The intended victims' spouses and relatives were also targeted by name, in an attempt to infect other computers related to the victim. The intent was to indirectly gain access to confidential correspondence and intellectual property relating to the target, MessageLabs said.

Sunner said he suspected that the hackers harvested the information using search and social-networking sites.

"Someone somewhere has really done their homework," Sunner said.

Tom Espiner of ZDNet UK reported from London.

Ever heard of D&B
by phillynets July 2, 2007 7:15 AM PDT
Sunner thinks they may have used search and social networking sites...

Why? I can find out who the CEO, CFO, etc. of damn near any company is by using any one of D&B's services. If I pretend like I care about their product, the Company Reach/Hoovers/etc. salesman will let me test drive their product for a week or more.

Then, it is a matter of using Google to find other connections that might be exploitable.

The Myspace/social networking angle isn't as cost/time-effective as Hoovers and Google.
Why bother with a test drive?
by rcrusoe July 2, 2007 7:47 AM PDT
Chances are about 100% that a ton of Windows machines run by businesses are owned by blackhats.

IMO, it's likely they run the D&B searches from them and let their owners pick up the tab.
At the risk of sounding cynical...
by hutchike July 2, 2007 7:18 AM PDT
At the risk of sounding cynical, if I were PR for MessageLabs and wanted to tell all the C-level executives about my anti-spam and anti-virus message screening services (since they are the decision makers), I'd sure try to give news.com a scare story about targeted attacks on said C-level execs - without following through with any hard facts. Now, I'm new to this cynicism game - how did I do? :-)
At the risk of sounding cynical...
by Grumpyz77 July 2, 2007 8:50 AM PDT
Dude, you are on the doorstep to the side-ways view of the world. You are getting your cynicism, now you have to go to work on your jadedness and you will be complete.
Poorly done
by Phillep_H July 2, 2007 9:47 AM PDT
The moronic C-level execs need a kick in the butt so they get a clue. They seem split between ignorant paranoids who do everything wrong and overconfident twits who believe taking precautions is for hourlies.
Responsibility...
by Kings X Rocks! July 3, 2007 5:19 AM PDT
If you're gonna use the electronic wizardry of today's business world, then you better find out how to make it work for you.

Execs are, for the most part, prima-donnas who don't think they need to understand technology to use it.

Hand them a Blackberry, and they're awed...but don't have the sense to monitor whether the unit's radio is on or off.

And spam mystifies them...they think it's a personal affront to their peaceful existence. Minions are mobilized to attempt to track down the source, etc., etc. Just delete the thing and get on with life.

And, don't get me started on laptops in their hands...
email unuseful
by versuri32 July 3, 2007 11:58 AM PDT
I get a lot of email unuseful and I can't subscribe.

http://www.versuri32.com/versuri/oasis/index.php
http://www.versuri32.com/versuri/pearl-jam/index.php
and here
http://www.versuri32.com/versuri/sasha/index.php
I kind of like the idea
by Dr_Zinj July 9, 2007 6:15 AM PDT
There really should be direct, personal consequences to top level managers of companies that engage in socially or environmentally (is there really a difference in the end?) egregious manners.

Too bad it's being misused by common criminals.