E-Mail Attackers Target Corporate Execs

During a two-hour period on June 24, something unusual and a bit worrying turned up in e-mail security firm MessageLabs Inc.'s filters: 514 messages tailored to senior executives of corporate clients that contained malicious programs designed to steal sensitive company data.

On Sept. 12 and 13 it happened again, but this time the firm captured 1,100 messages in a 16-hour wave. The messages, which included executives' names and titles, were from a purported employment service and offered attachments supposedly containing information on potential job candidates.

The attachments were Microsoft Word documents -- a common file type erroneously believed to be safe by most computer users -- that if not intercepted would have deposited Trojan horses, or malicious programs disguised as benign ones, onto targeted computers.

The two e-mail bursts point to a new and sophisticated take on an old-style attack with troubling implications for corporations, MessageLabs says.

In the past, most e-mail attacks of this kind have been comparably simple "phishing" scams sent to masses of consumers with the goal of inducing them to part with their financial-account information. A small number of targeted attacks have been seen by security firms, but they typically targeted individuals in government or the military.

These new attacks, however, suggested a fairly low-tech e-mail scheme could begin to create a high-class problem for significant numbers companies, one in which valuable data are at risk and foolproof technical defenses are challenging.

MessageLabs says that it has been intercepting targeted e-mail attacks on corporate clients for at least three years but that the numbers began to track up significantly only over the last year. The firm was catching one message a day as of the end of 2006. That number rose to about 10 a day by May and then jumped dramatically with the June and September attacks. Both of those incidents targeted executives in a wide range of industries.

"All of a sudden somebody new hit the scene," said Mark Sunner, MessageLabs' chief security analyst. Who that was isn't clear because technical tricks disguised the e-mails' origin, he said. But it's likely the person or group responsible came from the digital underground centered in Eastern Europe, where malicious-program writers and organized crime have long worked hand-in-hand online to steal and sell data for use in fraud schemes.

The newcomers appear to be after corporate secrets, he said. They have sought, specifically, to infiltrate the computers of chief executives, chief financial officers, chief technology officers and other senior managers -- and on occasion their assistants. And the Trojan horses were primarily designed to help the attacker gather Microsoft Office files from the "My Documents" directory of infiltrated PCs.

The people targeted "are the custodians of the company's secrets," Sunner said, and have computers full of juicy spreadsheets, financial reports, merger details and trade secrets.

"Why would somebody be targeting a CEO?" asks Scott O'Neal, chief of the Federal Bureau of Investigation's cyber-intrusion section. "It may be to steal intellectual property, it may be corporate espionage, it may be to get into the database."

Attacks of this kind have become much simpler, O'Neal said. "The how-to tutorials out there are getting better and better. And people need less and less technical skills." But unfortunately, few are reported to law enforcement because companies fear an investigation will disrupt their businesses and result in unwanted publicity. Such fears are unfounded, he said. The agency is careful not to be disruptive and maintains strict confidentiality.

In the recent attacks seen by MessageLabs, the attackers tried to improve the chances executives would open the Trojan-laced attachments by referencing bogus business matters and including personal details, such as name and title, which suggests the attackers spent time researching their targets.