Caught in the crosshairs

Security experts say that the mass-mailing threats of the past are becoming fewer as awareness is now more widespread. But don't relax your guard. Criminals are shifting to targeted means to extract assets from known and designated sources, and you could well be in their crosshairs.

While worms and viruses typically attack indiscriminately and self-propagate to any machine available, today's sharper threats go after specific companies or users with a specific objective. Their goal: to gain information or simply to extort money.

The threats are being carried by email, attachments, various files stored on media such as CD-ROMs, DVDs or flash drives. Once the devices are attached, victims unwittingly download the Trojans or spyware into their networks.

Fewer machines, more danger

"We are seeing more specific targeted attacks," said Vincent Gulloto, vice president at AVERT (Anti-Virus Emergency Response Team), McAfee.

He noted criminals now engage in direct stealing and extortion, either by encrypting confidential documents then demanding money in exchange for unencryption, or threatening firms with denial of service (DoS) attacks.

"The days of mass outbreaks are nearing an end," said Gulloto. "These are not the threats that are making money."

He added the attacks that have genuine criminal intent use fewer machines, use specific custom-written trojans, malicious code and malware to gain access to specific users and their data.

Tip of the spear

Another targeted threat known as "spear phishing" is also on the rise. Different from the mass-mailing phishing phenomenon, spear phishing emails target specific individuals and carry information or subject lines that pertain to work or personal interests of that individual.

Often the emails come from spoofs of senders familiar to the target recipient. According to MessageLabs' data, recorded intercepts of spear phishing has risen from a mere 3386 in April to 612,408 in June this year.

A recent report on Trojan email attacks in the UK also highlights the emerging trend away from mass-mailing worms and viruses to more targeted ones. The UK's National Infrastructure Security Co-Ordination Center released a report disclosing that more than 300 government departments and businesses were targeted by a continuing series of email attacks designed to covertly gather sensitive and economically valuable information.

Unlike traditional phishing and mass-mailing worms, the attackers appear to be going after specific individuals who have access to commercially or economically privileged information, the report said.

Unique and one-off

The attacks involved the use of emails containing Trojans or links to websites containing Trojan files. Once installed on a user's system, Trojans covertly run in the background and perform a variety of functions, including collecting usernames, passwords and system information, scanning of drives, and uploading of documents and data to remote computers.

The report highlights how hackers are tailoring their attacks to go after specific high-value targets rather than launching mass-mailing worms and viruses, said Mark Sunner, CTO at MessageLabs, the UK-based email security services firm.

MessageLabs have found via recent scanning of customers' email that one or two unique Trojans have emerged each week which never reappear. "These are not mass mailers-they are packed and encoded uniquely, and are usually one-off occurrences," said Sunner. From historical data MessageLabs then found that these unique one-off Trojans have appeared regularly over the last 13 months.

MessageLabs looked into Trojan statistics gathered after a recent incident of a custom-Trojan being used in Israel to snoop and spy on various companies resulting in the arrest of two people involved in widespread fraud (see "Israeli police uncover Trojan spy ring").

These threats did not only target larger companies, which is the common belief. "Companies of all sizes and industries were the targets for these unique threats," Sunner said.

Decoding the stats

At Hong Kong-based security firm Network Box, the belief is there are more reports on the topic of targeted attacks recently, "but we've seen no first-hand examples in Asia or Hong Kong yet," said Mark Webb-Johnson, CTO at Network Box.

Network Box has also looked into its own data to examine the lesser known threats aimed its customers. "We find 99.8 percent of threats are seen by 50 percent of all our customers with a very small percent that hit only one or two customers," noted Webb-Johnson.

Network Box found these to be a variety of Trojans, scripting and macro viruses which tended to originate from the region. Webb Johnson noted it was uncertain if these equated to targeted attacks. "It all depends on how you interpret such data," he said. "But it's definitely harder to protect yourself from the 0.2 percent of threats that occur."

Low-lying menace

The more common and widespread the threat, the more likely security companies will be alerted and speedily react to protect customers. The emergence of new threats targeted at a few specific companies pose a significant challenge to enterprises and their security providers.

Awareness of such threats is currently very low, noted Sunner from MessageLabs. "It may take one or two huge incidents to wake everyone up," he said. On the technology front there is little to suggest anything immediate to address these targeted specific threats. Sunner admits security firms have yet to address this trend directly as it is not on everyone's radar yet.

According to Carole Theriault, security consultant at antivirus firm Sophos, "the emergence of Trojans and spyware targeted at specific firms brings a slew of new problems for IT administrators." The task is not only to keep bad stuff out, but to protect the information they own from being sent to unauthorized recipients.

Experts agree that firms should ensure they adhere to the fundamentals of a multilayered security strategy. In addition to the usual up-to-date patches, antivirus, IDS, IPS, firewalls and URL/email filtering tools, Theriault also insisted firms must maintain a comprehensive security framework. This includes an inventory of all computers on the network-remote as well as permanent-as well as a list of what each computer is running. "This will help an administrator better control the environment," he said.

As some hacks include insider information, it is also wise for companies to screen employees carefully and communicate what constitutes an information infringement.

McAfee's Gulloto suggests indirect help to combat these emerging threats. Firms should employ better education of employees and partners, improve awareness and use social engineering techniques to control user habits and behavior when faced with these threats, he said

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about AvertIPSMcAfee AustraliaMessageLabsNetwork BoxSophosVIA

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Chee Sing Chan

Latest Videos

More videos

Blog Posts