Sunday, February 21, 2010

New phishing scams attack with precision

When TippingPoint's president and chief technology officer, Marc Willebeek-Lemair, received an e-mail from the Federal Trade Commission informing him that a client was filing a complaint against his network security company for overcharges, he was directed to download the complaint - a Microsoft Word file - from an FTC Web page and return the attached form with any questions about the process.

The message, sent in 2008, was an elaborate scam targeting top-level executives.

TippingPoint researchers discovered the sender's address had been "spoofed" (faked) and the link didn't lead to the FTC's Web site. In fact, the document - which looked like an FTC complaint - was infected with a data-stealing Trojan horse. Because the message referred to Willebeek-Lemair by name and no one else in TippingPoint received the message, the company concluded that criminals studied its chain of command and selected their target.
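The three tells the researchers describe (a spoofed sender address, a link that does not lead where its text claims, and an Office document to download) can be checked mechanically at the mail gateway. The following is an added illustration, not code from TippingPoint or the article; the message it inspects is constructed, and the domain example-lookalike.net is a placeholder.

```python
"""Flag spear-phishing indicators in a raw e-mail (added example, not from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: From claims ftc.gov, replies and bounces go elsewhere,
# the link text shows an ftc.gov URL but the href points at another host,
# and the download is an Office document. example-lookalike.net is a placeholder.
SAMPLE = """\
From: "FTC Consumer Protection" <complaints@ftc.gov>
Reply-To: <complaints@example-lookalike.net>
Return-Path: <bounce@example-lookalike.net>
Subject: Complaint filed against your company
Content-Type: text/html

<p>A complaint has been filed. Download it here:
<a href="http://example-lookalike.net/complaint.doc">https://www.ftc.gov/complaint</a></p>
"""

RISKY_EXT = re.compile(r"\.(docx?|xlsx?|pdf|exe|scr|zip)$", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT = re.compile(r"https?://([^/\s<]+)")


def base_domain(host):
    """Last two labels of a host name, lowercased (good enough for this check)."""
    return ".".join(host.lower().strip().split(".")[-2:])


def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means no tell fired."""
    msg = message_from_string(raw)
    findings = []
    from_dom = base_domain(parseaddr(msg["From"])[1].split("@")[-1])
    # Tell 1: reply/bounce addresses that do not belong to the claimed sender domain.
    for hdr in ("Reply-To", "Return-Path"):
        if msg[hdr]:
            dom = base_domain(parseaddr(msg[hdr])[1].split("@")[-1])
            if dom != from_dom:
                findings.append(f"{hdr} domain {dom} != From domain {from_dom}")
    # Tell 2 and 3: visible link text vs. real href host, and risky download targets.
    for href, text in LINK.findall(msg.get_payload()):
        real_host = urlparse(href).hostname or ""
        shown = URL_IN_TEXT.search(text)
        if shown and base_domain(shown.group(1)) != base_domain(real_host):
            findings.append(f"link text says {shown.group(1)} but href host is {real_host}")
        if RISKY_EXT.search(urlparse(href).path):
            findings.append(f"link downloads {urlparse(href).path}")
    return findings
```

Run against the constructed sample, all four findings fire; a message whose Reply-To, Return-Path, link text and href all agree produces none.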

"It specifically said something that a C-level executive would get immediately alarmed about," said Rohit Dhamankar, director of security research at TippingPoint's DVLabs.

The message is an example of an increasingly common hacker technique known as spear-phishing, a much more effective and carefully crafted variation of the phishing lures that seek to trick victims into surrendering their private data.

Researchers believe that as spam-filtering technology has improved and people have become savvier at recognizing phishing ploys (such as the classic Nigerian e-mail scam), criminals are now dedicating more time and resources to going after specific groups of individuals. They often trick users into downloading malicious software from infected Web pages or e-mail attachments like Adobe Reader PDFs and Microsoft Office documents.

Carefully planned

In these attacks, the hackers identify specific individuals or groups of people with something in common. To make their attacks more effective, criminals take pains to impersonate credible sources, adorning messages with professional graphics and composing well-written stories to hook their targets.

To personalize the messages and make them more convincing, security researchers believe criminals run simple search queries to find biographical information, including a person's position within an organization and their responsibilities. Hackers can also learn names of friends.

"This is very easy to do. Google, Facebook, LinkedIn and other sites can provide valuable information about anybody," Dhamankar said. sfgate
