Author Topic: Who launched that attack?  (Read 7602 times)


September 10, 2007, 09:35:47 pm

Mass e-mailing is no longer hip for hackers. Spam attacks are now yesterday’s news and have been replaced with targeted attacks. There are two predominant reasons for the switch:

First, mass mailing malware is noisy and slow; it typically takes considerable time for an e-mail to work its way across the Internet. This global lag provides administrators with ample time to notify users and lock down the network to mitigate the attack.

Second, using a broad and unqualified e-mail address list may generate a few hits for a hacker--but for the most part it delivers lots of misses. Simply put, if the malware launcher wants to capture banking credentials with a key logger, he would be better served to only target users who have high balances in their bank accounts.

A recent report from Gartner clearly shows that the bad guys have, in fact, become much more targeted. Gartner found that if you earn more than $138,000 per year, you will receive 50 percent more spam, and higher-income individuals tend to lose more money when they fall for a scam as well. For example, if you earn less than $138,000 and fall victim to phishing, the average loss is $1,500, while those earning more than $138,000 lose $5,700 on average.

So how do attacks begin and evolve? Let’s take a look.

First a BBB phishing Trojan
The most recent example of this was a phishing scam that started as a targeted attack against executive-level managers. The mass e-mail included a subject line indicating the message contained a consumer complaint from the Better Business Bureau (BBB). If a recipient clicked the attachment, a sophisticated Trojan was installed on the recipient's PC that stole all interactive data sent from the recipient's web browser and forwarded it to a compromised web server.

Morphed into IRS phish
As with the BBB e-mail, a new version of the phishing Trojan was disguised as a criminal investigation notice from the IRS. This was also a targeted attack against executive-level managers and contained a similar, if not identical, malware payload. When the user clicked the attachment, a sophisticated Trojan was installed on the recipient's PC that stole all interactive data sent from the recipient's Web browser. With the IRS e-mail, the malware launcher set up a new server to receive the stolen information; it was registered to a domain in China, and the server was also physically located in China.

Reverted back to BBB Trojan
The second time around, the e-mail scam used a domain called "," registered in China. This second version was thought to be a more convincing message because of the domain name.

Change in tactics: FTC camouflage
In this scam, hackers used a spoofed FTC e-mail address designed to convince the recipient that someone had filed a complaint against them. A copy of the complaint was supposedly attached to the e-mail, but the attachment contained the Trojan. Again, the e-mail targeted executive-level managers. When the recipient clicked to view the attachment, a sophisticated Trojan was installed on the recipient's PC. Next, the Trojan stole all interactive data sent from the recipient's Web browser.

New "proforma invoice" disguise
The current version of the scheme is still operating as a targeted attack aimed at executive-level managers and is again using a Trojan. The Trojan steals all interactive data sent from the recipient's web browser and forwards it to one of three domains: (1), (2) and (3). This scheme uses so-called social engineering, which is the hacking of a normal human process or occurrence. Specifically, this scheme uses a Proforma Invoice, the receipt of which, by a senior-level manager, is not an uncommon occurrence.

So, who's behind these schemes? There is some disagreement within the research community. Some researchers believe there is a single group of coordinated hackers at work. Others think competing groups are each learning from the others’ success and adding the new wrinkles to the next variant of the scam. Most believe the Trojans send stolen information to China either through servers registered and located within China or through compromised servers in other countries thought to be controlled by Chinese hackers.

As of June 2007, only a small number of anti-virus vendors were able to detect the payload of the Proforma Invoice e-mail as malicious. To unsuspecting users, these e-mails are quite well written. They typically include a plausible subject line and a carefully socially engineered message.

Since these are very targeted messages rather than bulk spam blasts, anti-virus will not be able to detect the payload and this scam will likely be one of the most profitable in recent memory.
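Because the payload changes faster than signatures, a mail gateway is better off flagging the lure pattern the post describes: an agency complaint or invoice theme, a sender domain that does not belong to the agency invoked, and an executable attachment. The check below is an added example (not code from the post or from Secure Computing); the agency domains in LURES and the sample message are assumptions constructed for it.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Lure themes from the campaign described above, each paired with the domain a genuine
# notice from that organisation would come from (the domains are assumptions here).
LURES = {
    "BBB complaint": (("better business bureau", "bbb"), "bbb.org"),
    "IRS criminal investigation notice": (("irs", "criminal investigation"), "irs.gov"),
    "FTC complaint": (("ftc", "federal trade commission"), "ftc.gov"),
    "proforma invoice": (("proforma invoice", "pro forma invoice"), None),
}
# Attachment types that can carry a dropper; quarantine these regardless of the AV verdict.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".zip", ".rar")

def triage(raw: bytes) -> list[str]:
    """Return the reasons a message matches this campaign's pattern (empty list = no match)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = ((msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    sender_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    reasons = []
    for name, (keywords, real_domain) in LURES.items():
        if any(re.search(r"\b" + re.escape(k) + r"\b", text) for k in keywords):
            reasons.append(f"lure theme: {name}")
            # The lure invokes an agency, but the header From: domain is not that agency's.
            if real_domain and not (sender_domain == real_domain or sender_domain.endswith("." + real_domain)):
                reasons.append(f"claims {real_domain} but sent from {sender_domain or '<none>'}")
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXT):
            reasons.append(f"risky attachment: {filename}")
    return reasons

# Constructed sample modelled on the BBB lure described above; not a real message.
SAMPLE = b"""From: "Better Business Bureau" <complaints@bbb-notice.example>
Subject: BBB complaint case #123456
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

A consumer complaint has been filed against your company; see the attached copy.
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="complaint.exe"

QUFBQQ==
--XX--"""
```

`triage(SAMPLE)` returns three reasons (lure theme, sender mismatch, risky attachment). A forged From: that exactly matches the agency domain passes the sender check, so this should be combined with SPF/DKIM results rather than used alone.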

Paul Henry is vice president for technology evangelism at Secure Computing. Paul can be reached at