New Attacks Target Top Executives

Trojan-style attack designed to fool CXOs into downloading data-sucking malware, researcher says

In a new round of targeted attacks, phishers are sending messages directly to selected top executives and luring them to download the malware inside.

Researchers at security company MessageLabs today said they intercepted some 1,100 messages targeted toward high-ranking executives at a variety of companies during a 16-hour period between Sept. 12 and Sept. 13. The attack bears many similarities to the targeted attacks on CXOs reported by MessageLabs less than three months ago. (See Targeted Attacks on the Rise.)

"This attack was larger and more sophisticated than the one in June, but there are enough coincidences between the two that it's reasonable to conclude that they are linked," says Paul Wood, senior analyst at MessageLabs. "And I would expect that we'll see a similar type of attack within a matter of months, and that it might be larger still."

The attack, which occurred as a series of four email blasts from three legitimate email servers, sent messages to top-ranking executives in a wide variety of roles and a wide variety of companies, both large and small. There doesn't immediately appear to be any common thread among the targets, "although it's possible that they might have some business partners in common," Wood says.

In each case, the executive receives an email from what appears to be a legitimate employment services company, with a subject line that says something like, "Agreement update for XYZ Co.," using the legitimate name of the executive's firm.

There is no text in the message, but there is a rich-text format (RTF) document embedded in it. When the executive clicks on the document, it routes him to a URL, where he picks up another executable file warning that Microsoft Word is having a problem and needs to close, Wood explains.

When the executive clicks on the Microsoft message, he activates a nasty bit of malware that sucks data off the machine and sends it to the "mother ship" for storage in an SQL format, Wood says.

MessageLabs could not say for sure what data the malware is harvesting, but it might be IP addresses or address books. "It's difficult to say what data it's taking, or what its purpose might be," he says. "But we know the data is being prepared for import into an SQL database, which would make it much easier to parse than simple flat-file theft."

It's possible that the original recipient is not even the intended target, Wood speculated. The June attack contained a pro forma invoice -- something a top executive normally would not handle -- which led researchers to believe that the attackers were actually hoping that the message would be forwarded to another recipient, such as an accounting department or a larger trading partner.

MessageLabs also could not say how the attackers got access to the three legitimate email servers, or how they got the addresses of the executives. "It's possible that they used a Trojan to access the servers, but we can't say for sure," Wood says. "The email addresses could have been Googled from Websites that post contact information for executives, or perhaps simply by learning the company's email naming convention and the names of top executives, and then making some educated guesses."

Over time, companies can expect to see an increasing number of these targeted attacks, Wood says. "It's much easier to create customized malware than it used to be, with kits available all over the Web. As attackers become more specialized, they are finding that this sort of targeted attack can pay a dividend."

To protect themselves, some companies are changing their email-naming conventions so that top executives' email addresses are more difficult to guess, Wood observes. Some companies also give their executives separate email accounts -- usually in a different domain -- for everyday messaging, leaving the "public" email box available in a quarantined area for untrusted correspondents.

Enterprises can also work with their ISPs to analyze logs of messages that might be filtered by ISP spam or malware detection tools, Wood advises. "If you don't look at the ISP logs as well as your own, you only see the data that gets through the filters," he says. "You need to evaluate all of that information in order to recognize a targeted attack."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Editors' Choice
Tara Seals, Managing Editor, News, Dark Reading
Jim Broome, President & CTO, DirectDefense
Nate Nelson, Contributing Writer, Dark Reading