MessageLabs Intelligence Targeted Attack Report: Increase in One-on-One Targeted Attacks
MessageLabs, a leading provider of integrated messaging and web security services to businesses worldwide, today (18 April 2007) revealed new data on the levels, victims and sources of targeted email attacks in March 2007. Last month MessageLabs intercepted 716 emails in 249 separate targeted attacks aimed at 216 different organizations. Of these, almost 200 were one-on-one targeted attacks where the tailored attack comprised a single email designed to infiltrate one organization. These numbers represent a significant increase when compared to the same period last year when attack rates reached one or two per day.
For the first time, PowerPoint has emerged as the most common exploit vector, likely driven by the large number of attacks perpetrated by one gang using the same attack file, mostly originating from an IP address within Taiwan. Achieving notoriety as a carrier of typical email viruses, .exe files only accounted for 15 percent of the targeted attacks, while the more familiar Microsoft Office suite accounted for 84 percent of targeted attacks in March 2007.
Other characteristics of these attacks include that they are typically timed to arrive during the busy workday and rarely over a weekend and most commonly target these five industry sectors: electronics, aviation, public sector, retail and communications.
“The bad guys know which organizations have data worth stealing and are picking them out one by one,” said Alex Shipp, Senior Anti-Virus Technologist, MessageLabs. “These targeted attacks are highly difficult to detect as the large majority consist of a single email to one individual, which means they never have anti-virus signatures created by traditional anti-virus software. However, if you happen to be that one company targeted the impact could be devastating. A proactive anti-virus defense, such as MessageLabs Skeptic™ technology is essential along with employee education and vigilance since many of these attacks are highly personalized.”
SkepticTM, MessageLabs proprietary technology, has proven uniquely successful at detecting and stopping previously unknown threats, such as targeted email attacks. In this report, of the 249 attacks stopped, 65 of them were not stopped by any other anti-virus scanner.
Some cyber-criminals continue to use the same attack file relentlessly. One gang has used the same two attack files since November 2006 and in March the gang used these files 151 times, making them one of the highest profile gangs responsible for more than 20 percent of all targeted attack emails.
The attack is launched by execution of an index.exe file from an IP address that belongs to China United Telecommunications Corporation. Once downloaded, the file gives the attacker complete control over the PC. Detection of this exploit was minimal, with only five anti-virus companies, including Skeptic, recognizing the exploit.
A full report is available at http://www.messagelabs.com/Threat_Watch/Intelligence_Reports .