Friday, May 25, 2007

Attack Targets Executives by Name

If you have received an email from the Better Business Bureau recently, treat it with special care.

The email may not be from the BBB. It may instead be the latest variant of a targeted malware attack first reported by the BBB back in March - one of the first such attacks to use the actual name and title of the executive in addition to their email address.

We received several samples from our industry partners, and one such email yesterday, directly addressed to Doug Brunt, our President. The virus lab posted a report on this version last night. I noticed from Alex Eckelberry's blog that our partners over at Sunbelt Software received a similar email, addressed to their head of marketing.

The format of the email suggests to me that Doug's information and title were harvested from a web site by some form of bot - possibly from the contacts page of our corporate site, or from a business-oriented social network, such as LinkedIn or Spoke.

As with the original attack, the email presents the recipient with a document in RTF format. Upon opening the document, the recipient is presented with a PDF icon, entitled, in our case, "Document_for_Case.pdf". Here's a screenshot:


Clicking on the object (which Patrick Knight, one of our researchers, did from the safety of one of our malware research lab computers) links to a server located at a hosting company called IX Web Hosting based in Hopkinsville, Kentucky. At the time we ran the program, the link was down, but we've added it to our 24/7 monitor list and will report back if it goes live.
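The lure described above relies on an RTF document carrying an embedded or linked object that the reader is enticed to click. From a defender's side, the useful fact is that RTF marks such objects with a small, fixed set of control words (`\object`, `\objemb`, `\objlink`, `\objautlink`, `\objclass`, `\objdata`) and stores the object payload as hex text, so a mail gateway or triage script can flag them before a user ever sees a PDF icon. The following is an added example written for this post, not code from the original article or from the vendor's virus lab: it scans an RTF file for those control words, hex-decodes any `\*\objdata` groups, and pulls out any URL strings found in the decoded bytes. The sample RTF, the object bytes and the hostname inside it are constructed for the demonstration and do not reproduce the actual malware sample.

```python
import re

# Control words from the RTF specification that introduce OLE objects.
# Any of them in a mailed document is worth a closer look; \objautlink and
# \objlink in particular point the object at something outside the file.
OBJECT_CONTROL_WORDS = (
    r"\object", r"\objemb", r"\objlink", r"\objautlink", r"\objclass", r"\objdata",
)

# URL pattern applied to the decoded object bytes (ASCII only, good enough for triage).
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def find_object_control_words(rtf: str) -> list:
    """Return the object-related control words present in the RTF text."""
    found = []
    for cw in OBJECT_CONTROL_WORDS:
        # (?![a-zA-Z]) stops \objlink from matching inside a longer word.
        if re.search(re.escape(cw) + r"(?![a-zA-Z])", rtf):
            found.append(cw)
    return found


def extract_objdata(rtf: str) -> list:
    """Hex-decode every {\\*\\objdata ...} group; whitespace inside the hex is ignored."""
    blobs = []
    for m in re.finditer(r"\\\*\\objdata\s*([0-9a-fA-F\s]+)\}", rtf):
        hexstr = re.sub(r"\s+", "", m.group(1))
        if len(hexstr) % 2:            # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        try:
            blobs.append(bytes.fromhex(hexstr))
        except ValueError:
            continue                   # malformed hex: skip, the control word was already flagged
    return blobs


def find_urls(blob: bytes) -> list:
    """URLs embedded in a decoded object payload."""
    return [u.decode("ascii", "replace") for u in URL_RE.findall(blob)]


def analyze_rtf(rtf: str) -> dict:
    """Summarise object indicators in an RTF document for triage or gateway rules."""
    control_words = find_object_control_words(rtf)
    blobs = extract_objdata(rtf)
    urls = [u for blob in blobs for u in find_urls(blob)]
    return {
        "object_control_words": control_words,
        "embedded_objects": len(blobs),
        "urls": urls,
        # Any object at all in an unsolicited document is suspicious; a link out is worse.
        "suspicious": bool(control_words) or bool(urls),
    }


# Constructed sample (not the real attachment): a short "complaint" with one
# auto-linked object whose payload is a stand-in for OLE bytes plus a URL.
# The hostname is a placeholder under the reserved .example TLD.
_STUB_OBJECT = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00Package\x00"
    b"http://hosting-provider.example/Document_for_Case.pdf"
)
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 Dear Sir, please review the attached complaint. "
    r"{\object\objautlink\objw3000\objh3000{\*\objclass Package}{\*\objdata "
    + _STUB_OBJECT.hex()
    + r"}}\par}"
)

if __name__ == "__main__":
    report = analyze_rtf(SAMPLE_RTF)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real attachment, read the file as text (`open(path, encoding="latin-1").read()`) and pass it to `analyze_rtf`; the decoded `urls` list is what you would hand to a hosting provider or add to a monitor list. The whitespace stripping in `extract_objdata` matters in practice, since hex payloads are often wrapped across lines.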

Our researchers have classed this as a very dangerous threat. The highly-targeted nature of the email, the use of name and title, and co-opting of the Better Business Bureau's trusted mark all add up to a scam that is likely to leave its mark - and provide a template for copycats that may be better-funded and even more creative.

Note: We called IX Web Hosting, the company identified as hosting the server targeted by the attack, to alert them to the information contained in the malware payload. The level of interest they displayed in acting on this information and pulling down the server was astoundingly low. Needless to say, we will not be signing a hosting deal with them anytime soon.
