As targeted e-mail attacks proliferate, companies wince

Attacks such as the ones detailed by McAfee this week in a report are frequent and hard to detect

The strange e-mails arrived in executives' inboxes around the same time that the Australian oil company was negotiating a deal with a Chinese energy company.

The e-mails had the same structure and format as those sent around the company and were baited with text that appeared to refer to a supposed continuing discussion between executives. The messages looked authentic from a nontechnical perspective, just part of normal electronic communication within a company.

But the corporate IT administrator felt something wasn't quite right. Upon closer examination, the administrator found the e-mails, while appearing to come from internal company servers, were actually coming from other domains not authorized to send e-mail for the company.

The e-mails contained a malicious link that would redirect the person who opened it to a website of another energy company whose Web pages had been hacked in order to deliver malicious software designed to steal data. Victims would have no indication they'd been attacked.

It became clear that hackers were on a campaign to find out more about the pending deal.

"This was just their [the hackers] idea of due diligence," said the Australian IT administrator, who did not want himself or his company to be identified in this story due to the sensitivity of the intrusion.

The situation that faced the Australian company is one that is confronting companies and organizations worldwide regardless of their industry: hackers are getting a lot better at breaking through the defenses designed to keep information safe.

The attacks these days are "getting worse," said Alex Lanstein, a network and systems architect at security vendor FireEye, which makes systems designed to thwart Web-based attacks.

On Tuesday, McAfee -- a major security vendor now owned by Intel -- said it had gained access to a server that had logged intrusions into 72 companies, nongovernmental organizations and governments, including the U.N., U.S. defense contractors and the World Anti-doping Agency, among many others.

Dubbed "Operation Shady RAT" (remote access tool), McAfee heralded the operation as one of the most significant examples of "advanced persistent threats," or cyberattacks that are undetected for a long time.

Some of the most frequently targeted organizations are financial institutions, energy companies, defense contractors and pharmaceutical companies, but hackers are also expanding their remit to other areas, such as law firms, Lanstein said.

Law firms are always at the core of many business transactions, ranging from mergers and acquisitions to patent negotiations and more. And their computer security practices are not quite as good as more frequently targeted organizations, Lanstein said.

"There are always lawyers involved and they always have the most sophisticated information," he said.

Governments are a frequent target. William Hague, the U.K.'s foreign secretary, said in a speech in February that three of his staff were sent e-mails from a purported colleague outside the Foreign Office, the U.K.'s equivalent of the U.S. State Department.

"The e-mail claimed to be about a forthcoming visit to the region and looked quite innocent," Hague said. "In fact it was from a hostile state intelligence agency and contained computer code embedded in the attached document that would have attacked their machine. Luckily, our systems identified it and stopped it from ever reaching my staff."

Cisco's ScanSafe division, which specialized in products that scan Web traffic for malicious activity, released a report earlier this week that looked at how frequently employees of enterprises encounter malicious software on the Internet. It found employees as a group ran into malware an average of 335 times per month for the first half of this year.

Companies in pharmaceutical, chemical, energy and oil industries are at the highest risk for encountering malware on the web, the report said.

In response to the targeted attacks against the Australian oil company, the IT administrator said he built a tool that automatically strips out links in e-mails that come from outside his company. That may be inconvenient for some users, but "we can do without the links but we can't do without security," he said.

Fundamentally, the administrator said many executives still regard computer security as a hindrance and that "these geeks are just trying to make their life hard."

"I still think they think this is a nuisance and that the security guy will take care of it," the IT administrator said. "They are not elected [to the board] for IT savvy. They're old-school business people."

Send news tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags securitydata breachFireEyeDesktop securityExploits / vulnerabilitiesdata protectionmalware

More about CiscoetworkFireEyeIntelMcAfee Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place