Even Seemingly Reliable E-Mail Vulnerable to Hackers

Data thieves use the organizations and people you trust to strike your inbox.

By ABC News
February 12, 2009, 10:51 AM

SEATTLE, March 22, 2008 — You can no longer trust Office or QuickTime files that arrive in e-mail, even from organizations and people you deal with regularly.

For that matter, any file from a popular software application, sent by e-mail or accessible at a website, is no longer trustworthy. Why? Data thieves are increasingly using them as snares in attacks that focus on patrons of companies and agencies that collect sensitive data, or zero in on specific individuals within certain organizations.

Targeted attacks often escape detection. But click on the wrong thing, and "You could be opening up a door that allows the hacker to do some really bad damage," says Alan Paller, research director at The SANS Institute, a tech security think tank.

One indicator this trend is on the rise: Microsoft last week issued security patches for a dozen critical vulnerabilities in its Office suite of programs. Since 2006, more than 260 security holes have been discovered in widely used programs from Microsoft, Adobe, Apple and RealNetworks, according to security firm Secunia. Prior to 2006, there were only a handful.

The driver: powerful "fuzzing" tools that automatically feed a program endless streams of malformed input, searching for one that makes it fail in a way an attacker can exploit to reach the computer.

"The bad guys are trying billions of random combinations and finding new ways to break in," says Gartner tech security analyst John Pescatore.
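The fuzzing the article describes is the same technique vendors and researchers use to find these holes before attackers do. The example below is added here and is not from the article or any product it names; it works on a constructed toy file format (magic bytes, a record count, then id/length/payload records) that stands in for an Office or QuickTime container, with one planted defect: the parser never range-checks a field id it reads from the file. A mutation fuzzer flips random bytes of a valid seed file and separates inputs the parser rejects cleanly from inputs that make it fail unexpectedly. Passing check_ids=True turns on the missing check and the same fuzzer finds nothing.

```python
import random
from typing import Callable, Dict, List, Tuple

# Constructed toy format (an assumption for this example, not a real Office or
# QuickTime structure): b"DOC1", a one-byte record count, then records made of
# a field-id byte, a length byte and the payload.
MAGIC = b"DOC1"
FIELD_NAMES = ["title", "author", "body", "footer"]  # valid field ids are 0..3


def parse_document(data: bytes, check_ids: bool = False) -> Dict[str, bytes]:
    """Parse the toy format. Bad magic and truncation are rejected cleanly with
    ValueError. With check_ids=False the field-id lookup trusts the byte it
    reads, the planted defect; with check_ids=True it is validated first."""

    def need(pos: int, n: int) -> None:
        if pos + n > len(data):
            raise ValueError("truncated input")

    need(0, len(MAGIC) + 1)
    if data[: len(MAGIC)] != MAGIC:
        raise ValueError("bad magic")
    count = data[len(MAGIC)]
    pos = len(MAGIC) + 1
    fields: Dict[str, bytes] = {}
    for _ in range(count):
        need(pos, 2)
        field_id, length = data[pos], data[pos + 1]
        pos += 2
        need(pos, length)
        if check_ids and field_id >= len(FIELD_NAMES):
            raise ValueError("unknown field id")
        # Planted defect: without check_ids, an out-of-range id indexes past the
        # table. In a native parser this class of unchecked index or length is
        # what lets a crafted file corrupt memory; here it surfaces as IndexError.
        fields[FIELD_NAMES[field_id]] = data[pos : pos + length]
        pos += length
    return fields


# Constructed valid seed file: two records, "title" and "body".
SEED_INPUT = MAGIC + b"\x02" + b"\x00\x03abc" + b"\x02\x05hello"


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Overwrite one to three random bytes of the seed with random values."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(
    parser: Callable[[bytes], Dict[str, bytes]],
    seed_input: bytes,
    iterations: int,
    seed: int = 0,
) -> Tuple[int, int, List[Tuple[bytes, str]]]:
    """Run the parser over mutated inputs. Returns (rejected, parsed, crashes):
    ValueError is the parser saying no on purpose; any other exception is a bug
    worth triaging, and the offending input is kept for reproduction."""
    rng = random.Random(seed)
    rejected = parsed = 0
    crashes: List[Tuple[bytes, str]] = []
    for _ in range(iterations):
        candidate = mutate(seed_input, rng)
        try:
            parser(candidate)
            parsed += 1
        except ValueError:
            rejected += 1
        except Exception as exc:  # unexpected failure: record input and type
            crashes.append((candidate, type(exc).__name__))
    return rejected, parsed, crashes


if __name__ == "__main__":
    rejected, parsed, crashes = fuzz(parse_document, SEED_INPUT, 2000)
    print(f"unchecked parser: {rejected} rejected, {parsed} parsed, {len(crashes)} crashes")
    if crashes:
        print("first crashing input:", crashes[0][0].hex(), crashes[0][1])
    rejected, parsed, crashes = fuzz(
        lambda d: parse_document(d, check_ids=True), SEED_INPUT, 2000
    )
    print(f"hardened parser:  {rejected} rejected, {parsed} parsed, {len(crashes)} crashes")
```

Each recorded crash is a reproducer: the exact bytes that took the parser off its expected path. That is the artefact a vendor turns into a patch, and, as the article notes, the artefact an attacker turns into a tainted attachment, which is why the count of such findings tracks the patch counts quoted above.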

Crooks use flaws uncovered by fuzzing to create tainted files disguised to fool targeted employees. Earlier this year, individuals at several corporations were sent e-mail carrying an attached Excel file crafted to exploit a previously unknown flaw. Opening the file displayed a worksheet with data relevant to the targeted worker; it also gave the attacker a beachhead to probe deeper into the company's network. "The victims never really knew," says VeriSign iDefense researcher Matt Richard, who discovered the attack.

In another attack, crooks planted at several porn websites a tainted QuickTime video file crafted to steal data from eBay and PayPal accounts, according to security firm Intego.