Targeted e-mail attacks spoof DOJ, business group

Security expert says latest attacks part of an escalating problem. Availability of toolkits, rise of social networks are making it easier for phishers. Images: Customized e-mail attacks

Ina Fried Former Staff writer, CNET News

During her years at CNET News, Ina Fried changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley.

See full bio

Ina Fried

Nov. 20, 2007 12:35 p.m. PT

3 min read

Security experts warned this week of two separate e-mail attacks launched Monday that take aim at specific individuals within corporations.

The first attack, detected by MessageLabs at 4:55 p.m. GMT Monday, was sent to more than 400 individuals at financial institutions, with the e-mail addressed specifically to that individual and purporting to be a complaint from the U.S. Department of Justice. A second attack, spotted three and a half hours later, was similar, but claimed to be from the Better Business Bureau. In both cases, the e-mails contained malicious attachments that could lead to the recipient's system being taken over.

The Trojan horse that gets installed on a computer allows an attacker to have remote access to the machine, but MessageLabs security analyst Paul Wood said the attacker's exact purpose was not clear. "Once they get access to the machine remotely, they can use that machine for anything," Wood said.

Although it is likely the two attacks are related, Wood said, their attachments and delivery mechanisms varied somewhat. The attack spoofing the Justice Department contained an executable program within a zipped file with the extension .scr, typically used by screen savers. In the attack spoofing the Better Business Bureau, the attachment was a Rich Text Format document that contained an executable program disguised as a PDF file.

The rise in specifically targeted e-mail attacks has been of significant concern to security experts. Such attacks are both harder to detect than mass phishing attacks, and more likely to be acted on given the fact they are customized to their recipients, including things such as their name and official title.

In its annual "Security Intelligence Report," issued last month, Microsoft reported a steep rise in such attacks. Wood said that his company started seeing attacks aimed at specific individuals back in 2005, but at the time it saw maybe two such attacks a week. By last year, it was seeing one per day; this year, that number has risen to an average of 10 per day.

One of the big reasons behind the increase is the availability of toolkits that enable criminals to essentially have a template for the attacks, wherein they need to fill in only the targeted information.

"A year or two ago you would have to be fairly technically sophisticated in order to create these attacks," Wood said.

Wood added that the rise of social networks like Facebook and professional networks such as Plaxo and LinkedIn are making it easier for attackers to do their homework on potential victims.

"You can certainly build up a profile and make those attacks much more convincing," Wood said.

This week's attacks are similar to ones that took place in June and September. In the September attack, more than 1,000 senior executives were sent messages with an apparent Word attachment that contained an embedded executable file. The June attack, which also targeted senior executives, purported to be an invoice.

The latest attack spoofing the Better Business Bureau is still ongoing, said MessageLabs. The Better Business Bureau has also been spoofed before in a number of phishing attacks.