A wave of sophisticated, ongoing attacks disguised as bills from supposed business partners, complaints from the Better Business Bureau, and investigations by the Internal Revenue Service is snaring high-value business victims with malware-carrying e-mail messages that don't bear the usual telltale signs of phishing.
"When you get one of these things," says Dave Jevans, chairman of the Anti-Phishing Working Group, "they're so well crafted, they look real."
The attacks target corporate executives and other high-level employees at a range of companies. Victims who open attachments or follow download links can pick up a malware infection and hand over the keys to their corporate banking network, financial account log-ins, and a vast assortment of other sensitive and valuable data. "It's a lot more lucrative than stealing a credit card number and making small purchases," says Jevans.
To better snare such prizes, the targeted attacks start with real names and company references to make the messages seem real. For example, a faked invoice sent to PC World came with the subject line: "Proforma Invoice for PC World Communications Inc. (Attn: Harry McCracken)." Both the company name and that of our editor in chief were correct.
Experts suggest many ways the thieves could have collected company and employee names. They could have "scraped" the information from various companies' own Web sites, which often list the names and titles of executive staff. They may have wormed their way into popular online contact databases, or even purchased lists of such information from legitimate marketing firms.
Regardless of the source, seeing an e-mail with your name on it helps convince you that it's real. To further allay suspicions, the messages are well written and professionally presented. You won't see the obvious grammatical mistakes and nonsensical wording that give away run-of-the-mill scams. The faked IRS and BBB e-mail messages even provided the name of the person who supposedly filed the complaint, along with the date it was filed.
Many of the attacks disguise malware as embedded objects inside attached, convincingly named Word documents, such as "Documents_for_Case.doc." The recipient must click an icon inside the document for the attack to succeed, but the arrangement also allows the malware to slip past many antivirus programs. Other attacks include links to downloadable malware in the e-mail.
Some victims have been hit by a Trojan horse that can sift through hard-drive data, spy on anything on screen, or even allow full remote desktop control, says Joe Stewart, a senior threat researcher with SecureWorks who conducted an in-depth analysis of the attacks. Other infections have added an Internet Explorer browser helper object that can steal user names, passwords, and any other data typed into the browser, even if the data is sent afterward over a secured connection.
For an attacker, going to such lengths is justified by the potential of landing a well-heeled victim, in much the same way a sales pitch for a luxury Rolls Royce would be much more polished and directed than what you'd hear at a corner lot filled with junkers.
"Phishers are used to getting tons and tons of crap data to wade through to get to their stolen data," Stewart says. "Targeting execs is a way better payoff for the work involved."