Even Seemingly Reliable E-Mail Vulnerable to Hackers

Data thieves use the organizations and people you trust to strike your inbox.

SEATTLE, March 22, 2008 — You can no longer trust Office or QuickTime files that arrive in e-mail, even from organizations and people you deal with regularly.

For that matter, any file from a popular software application, sent by e-mail or accessible at a website, is no longer trustworthy. Why? Data thieves are increasingly using them as snares in attacks that focus on patrons of companies and agencies that collect sensitive data, or zero in on specific individuals within certain organizations.

Targeted attacks often escape detection. But click on the wrong thing, and "You could be opening up a door that allows the hacker to do some really bad damage," says Alan Paller, research director at The SANS Institute, a tech security think tank.

One indicator this trend is on the rise: Microsoft last week issued security patches for a dozen critical vulnerabilities in its Office suite of programs. Since 2006, more than 260 security holes have been discovered in widely used programs from Microsoft, Adobe, Apple and RealNetworks, according to security firm Secunia. Prior to 2006, there were only a handful.

The driver: powerful "fuzzing" tools that continuously try endless strings of computer code, searching for an open path to the computer hard drive.

"The bad guys are trying billions of random combinations … and finding new ways to break in," says Gartner tech security analyst John Pescatore.

Crooks use flaws uncovered by fuzzing to create tainted files disguised to fool targeted employees. Earlier this year, individuals at several corporations were targeted to receive e-mail carrying an attached Excel file corrupted via a previously unknown flaw. Clicking on the file opened a worksheet with data relevant to the targeted worker; it also gave the attacker a beachhead to probe deeper into the company's network. "The victims never really knew," says VeriSign iDefense researcher Matt Richard, who discovered the attack.

In another attack, crooks installed a tainted QuickTime video file, crafted to steal data from eBay and PayPal accounts, at several porn websites, according to security firm Intego.

"It's not just Microsoft," says Secunia Chief Technical Officer Thomas Kristensen. "Crooks now use many different ways to gain control of computers."

Some crime groups target patrons of large organizations, hoping one corrupted computer can take them deeper into rich databases. Last year, three crime rings launched 40 such campaigns targeting, among others, Salesforce.com, the IRS, the Federal Trade Commission and the Better Business Bureau, according to VeriSign iDefense.

In one case, crooks using the stolen user name and password of a job recruiter logged onto Monster.com and downloaded résumés for 1.3 million job candidates. Next, the thieves sent out faked Monster.com e-mails enticing the job seekers to click on a free job notification tool that carried a data-stealing program.

The crooks likely obtained the job recruiter's account log-in by culling data stolen in a different attack, says Richard.

Computer users should accept all updates from software providers to ensure they have the latest secure version, security experts say.

Microsoft distributes upgrades that can make all versions of Office more secure. Even so, the software giant advises treating all Web links and attachments — including Office files from familiar sources — with caution, says spokesman Bill Sisk.