This is how good the targeted attacks are getting

Monday

Targeted attacks have been seen frequently in the news this last year. Here is an example of how good there are getting. From businessweek.com:

The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as "Poison Ivy" designed to suck sensitive data out of the $4 billion consulting firm's computer network.

The Pentagon hadn't sent the e-mail at all. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the "sender" and "recipient" to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China's Yangtze River. (Source: businessweek.com)

The rest of the article doesn't provide a lot of new elements and in general just points with a big finger at China. I'm not getting into a political issue but an IP in China does not equal the Chinese government of course. Read it with a grain of salt.

Probably a word document was used containing an obfuscated payload that doesn't get well detected by most known virusscanners. And also the well known 3322.org domain was used here. Monitor your DNS lookups I would say.

Some of the social engineering tricks they are using, are getting really creative and probably effective like the following one:

A highly targeted email scam that singled out as many as 20,000 senior corporate executives on Monday resurfaced Wednesday as attackers sought to replicate their success installing identity-stealing software on the PCs of some of the world's most powerful individuals.

Like the first volley of emails, these latest messages masquerade as an official subpoena requiring the recipient to appear before a federal grand jury. The emails correctly address CEOs and other high-ranking executives by their full name and include their phone number and company name, according to Matt Richard, director of rapid response at iDefense, a division of VeriSign that helps protect financial institutions from fraud.

Recipients who click on a link that offers a more detailed copy of the subpoena are taken to a website that informs them they must install a browser add-on in order to read the document. Clicking "yes" installs a backdoor and key logging software that steals log-in credentials used on websites for banks and other sensitive organizations.

About 2,000 executives took the bait on Monday, and an additional 70 have fallen for the latest scam, Richard said. Operating under the assumption that as many as 10 percent of recipients fell for the ruse, he estimated that 21,000 executives may have received the email. Only eight of the top 35 anti-virus products detected the malware on Monday, and on Wednesday, only 11 programs were flagging the new payload, which has been modified to further evade being caught.

The group behind the attack is the same one that has launched other high-profile spear-phishing expeditions, in which a relatively small number of emails are tailored to their targets by including their names, titles and other personal information. The customization is designed to fool the recipients into believing they are legitimate. The practice of targeting CEO and other high-ranking execs is being dubbed as whaling.

The malware installed from Monday's attack caused infected PCs to report to a server based in Singapore. The updated trojan had machines reporting to servers in China, Richard said. In both cases, the IP addresses of attackers' servers were controlled by a group that goes by the name Piradius, among others. (Source: The Register)

Very nice tactic. Ten percent fell for the ruse. Not bad, but I would have expected more. It's better this way of course. I would probably have fallen for the trick by following the link but asking to install a browser plugin would have raised all kinds of red flags with me. Nevertheless, we see that AV detection was 8/35 and that is in the line of what I have seen before. Spylogic has a few more hints about the functionality of this Trojan.

So the lesson here is, don't give your executive management the (administrator) rights to install software. Period. I know this is an exception in a lot of companies where some get 'VIP' treatment.

Also be aware and educate people about the information they put online. A lot of people are using Google, LinkedIN, Myspace etc.... to gather personal information.

I know that a lot of people don't believe in it but I still think that user awareness might be the extra layer that might help.

An article from Darkreading seems to follow this line of thinking:

Educating users on security policies remains the most significant barrier to improving enterprises' ability to protect against malware, cited by 56 percent of respondents, according to the study. More than half (52 percent) of the companies surveyed said "unwillingness of users to follow good security practices" was a chief barrier. "Convincing upper management of the need for more security against malicious code" was a barrier for 34 percent of respondents.
"Some organizations are doing really well and are making security part of their culture," says Drew. "Other organizations -- and these are organizations where a security breach could have profound financial implications -- still haven't even implemented some basic elements of security enforcement. But in both cases, even where things are going well, user education is still one of the biggest issues they face." (Source: Darkreading.com)

On the other hand, users just give their passwords away when being offered chocolate. Is there a way to re-educate them?

PPP: People, Processes and Products. It may be from ITIL but it also applies for security.