Authorities in many countries are concerned that attacks on business and government resources will become the next battleground in cyber warfare. In the throne speech earlier this year, the Canadian government announced that it is developing a National Cyber-Security Strategy to address a range of concerns from economic disruptions and state secrets to consumer scams and identity theft.
The March 2010 MessageLabs Intelligence Report examined the nature and origins of targeted attacks. The ultimate aim of a targeted attack is to gain access to sensitive and valuable data or internal systems by targeting specific individuals or companies.
These malicious emails are sent in relatively small volumes, typically to senior executives, with the express purpose of getting control of a target’s computer for industrial espionage.
An analysis of targeted attacks in the month revealed that the majority of targeted malware originated in the United States – 36.6 pe rcent – based on mail server location. But when analyzed by sender location, more targeted attacks actually originated in China at 28.2 per cent, followed by Romania at 21.1 per cent and the United States at 13.8 per cent.
Further analysis of targeted attacks showed that the top five targeted roles are Director, Senior Official, Vice President, Manager and Executive Director. The individuals that receive the most targeted malware are responsible for foreign trade and defense policy, especially in relation to Asian countries.
The malicious messages are frequently related to business, or to some newsworthy event, and are sent from a webmail account or with a spoofed ‘From’ address crafted to appeal to the target.
They attempt in some way to give the impression that the attachment contains important information, such as current affairs, meetings, legal documents, agreements or contracts. The targeted attacks seek the stealth deployment of malicious code on the recipient’s computer, often hidden within legitimate-looking documents such as .PDF, .DOC, .XLS and .PPT file types.
A large proportion of targeted attacks are sent from legitimate webmail accounts which are located in the US. Therefore, the IP address of the sending mail server is not a useful indicator of the true origin of the attack. Analysis of the sender’s IP address, rather than the IP address of the email server, reveals the true source of these targeted attacks.
Free-to-use webmail services are frequently used by cyber criminals. They write very sophisticated malware and are almost certainly aware that a number of these services will not reveal their true location to the recipient of the mail. This offers a reasonable explanation as to why cyber criminals favor them now and why they will continue to use them in the future.
In addition to targeted attacks, the March MLI Report also analyzed other key, ongoing security threats:
- In Canada, the virus ratio was 1 in 492.8 emails and the spam level was 89.5 per cent
- The global of virus ratio was 1 in 358.3 emails and the spam level was 90.7 per cent
- Phishing activity was 1 in 513.7 emails
- As a proportion of all email-borne threats such as viruses and Trojans, phishing emails increased by 8.4 percentage points to 64.6 percent
- The public sector remained the most targeted industry for malware with 1 in 77.1 emails being blocked as malicious
Cyber attacks are targeting businesses, governments and consumers. Private and public sector organizations need to be aware of these threats and adopt best practices and SaaS solutions to protect and preserve economic stability, national security and personal privacy.
Seth Hardy is Senior Malware Analyst at Symantec Hosted Services