Targeted malware attack against U.S schools intercepted

Timing is everything, and from a cybercriminal’s perspective, a new school year means segmenting their email databases to launch a targeted attack welcoming everyone back online. According to MessageLabs Intelligence:

“Starting in early September, MessageLabs intercepted a targeted, email-borne malware attack on US schools and government organizations, a majority of which are located in New Mexico, Virginia, Illinois and Hawaii. The attack comprised more than 1000 emails from only 15 source IP addresses, most of which were located in the former Soviet Union on consumer-based address ranges signaling that the attacks are the result of a botnet that may be looking to expand. The attached table illustrates the distribution of mails intercepted from the source IP addresses used in the attack.”

Naturally, the attackers are taking advantage of hosts already infected with malware, using them as stepping stones for launching the attacks. This leads to anecdotal cases where U.S.-based infected hosts are used to launch targeted attacks against U.S. schools and organizations.

Some more details on the specifics of the attack:

“Analysis reveals that dispersal lasted almost two days and used social engineering techniques to deliver the malware, Trojan-Spy.Win32.Zbot.ele, as both an executable email attachment and a link within an email, disguised as a Microsoft Windows Update. There were three similar attacks targeting US schools, businesses and state governments. According to MessageLabs, these attacks may be deploying the Antivirus XP 2008 malware.”
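The two MessageLabs excerpts above describe traits a mail-gateway operator could key on: a large message volume from a handful of source IPs spread across many recipient domains, and an executable attachment or link dressed up as a Windows Update. The following is an added triage script, not code from the article or from MessageLabs; the log format, the sample lines, the keyword list, the volume threshold and the allowlist of legitimate update hosts are all assumptions made for the example.

```python
"""Triage heuristics for a mail-gateway log, modelled on the campaign traits
described in the article: many messages from few source IPs, and an executable
attachment or link posing as a Windows Update. Log format and thresholds are
assumptions for this example, not a real product's format.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample log (not real traffic). One message per line:
# <timestamp> <source-ip> <recipient-domain> <attachment-or-'-'> <link-or-'-'>
SAMPLE_LOG = """\
2008-09-02T08:01:12Z 203.0.113.5 district1.k12.nm.us WindowsUpdate.exe -
2008-09-02T08:01:13Z 203.0.113.5 district2.k12.va.us windows_update.scr -
2008-09-02T08:01:15Z 203.0.113.5 county.il.us KB-Update-Sept.exe -
2008-09-02T08:01:20Z 203.0.113.5 state.hi.us - http://updates.example.net/kb/patch.exe
2008-09-02T08:02:01Z 198.51.100.7 district1.k12.nm.us - http://update.example.org/windows/fix.exe
2008-09-02T08:02:03Z 198.51.100.7 district3.k12.nm.us - http://update.example.org/windows/fix.exe
2008-09-02T08:02:05Z 198.51.100.7 county.il.us - http://update.example.org/windows/fix.exe
2008-09-02T09:15:40Z 192.0.2.44 district1.k12.nm.us quarterly-report.pdf -
2008-09-02T09:30:02Z 192.0.2.45 district2.k12.va.us - http://www.example.org/newsletter
2008-09-02T09:31:00Z 192.0.2.46 state.hi.us - http://windowsupdate.microsoft.com/
"""

# Extensions Windows will execute directly when a user double-clicks them.
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.IGNORECASE)
# Words an update-themed lure tends to use (assumed list, extend per environment).
LURE_WORDS = ("update", "windows", "microsoft", "kb")
# Hosts that legitimately serve Windows updates; anything else carrying the
# same vocabulary is suspicious (assumed allowlist for this example).
ALLOWED_UPDATE_HOSTS = {"windowsupdate.microsoft.com", "update.microsoft.com"}


def parse_log(text):
    """Split the assumed five-field log format into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, rcpt, attach, link = parts
        records.append({"ts": ts, "ip": ip, "rcpt_domain": rcpt,
                        "attachment": None if attach == "-" else attach,
                        "link": None if link == "-" else link})
    return records


def source_ip_concentration(records, min_msgs=3):
    """Return {ip: (message count, distinct recipient domains)} for IPs at or
    above the threshold: the 'many mails, few senders' pattern in the quote."""
    counts = Counter(r["ip"] for r in records)
    domains = defaultdict(set)
    for r in records:
        domains[r["ip"]].add(r["rcpt_domain"])
    return {ip: (n, len(domains[ip])) for ip, n in counts.items() if n >= min_msgs}


def lure_reasons(record):
    """List the reasons a single message looks like a fake-update lure."""
    reasons = []
    att = record.get("attachment")
    if att and EXEC_EXT.search(att):
        reasons.append("executable attachment")
        if any(w in att.lower() for w in LURE_WORDS):
            reasons.append("attachment name mimics a Windows Update")
    link = record.get("link")
    if link:
        parsed = urlparse(link)
        host = (parsed.hostname or "").lower()
        if any(w in link.lower() for w in LURE_WORDS) and host not in ALLOWED_UPDATE_HOSTS:
            reasons.append("update-themed link to non-Microsoft host")
        if EXEC_EXT.search(parsed.path):
            reasons.append("link points directly at an executable")
    return reasons


def triage(text, min_msgs=3):
    """Combine per-message lure checks with the per-source volume check."""
    records = parse_log(text)
    noisy = source_ip_concentration(records, min_msgs)
    flagged = []
    for r in records:
        reasons = lure_reasons(r)
        if r["ip"] in noisy:
            reasons.append("high-volume source IP")
        if reasons:
            flagged.append((r["ip"], r["rcpt_domain"], reasons))
    return {"noisy_sources": noisy, "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, (n, d) in result["noisy_sources"].items():
        print(f"{ip}: {n} messages to {d} recipient domains")
    for ip, rcpt, reasons in result["flagged"]:
        print(f"{ip} -> {rcpt}: {', '.join(reasons)}")
```

On the constructed sample the two bursty senders are surfaced with every message they sent, while the PDF report, the newsletter link and the link to the allowlisted Microsoft host pass untouched; in practice the volume threshold would be evaluated over a sliding time window rather than the whole file.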

As of recently, cybercriminals are putting more effort into the quality assurance of their campaigns by localizing the spam message to the native language of the recipients, which they know from the segmented email database for a particular sector that they have already purchased. However, in this particular targeted attack they seem to have underinvested in personalizing the emails: despite the obvious segmentation of the potential victims, they relied on average social engineering tactics more suitable for a large-scale malware campaign.

Spear Phishing

The variant of this targeted attack that is far more sophisticated from a social engineering perspective is spear phishing, which according to iDefense is increasing, with a few groups specializing in high-profile targets:

“The victim count from these attacks is staggering – over 15,000 corporate users in 15 months. Victims include Fortune 500 companies, government agencies, financial institutions and legal firms. In these attacks, the goal is to gain access to corporate banking information, customer databases and other information to facilitate cyber crime. Two groups of attackers have carried out 95 percent of these attacks.”

Earlier this month, South Korean officers were also reportedly under a targeted attack from North Korean hackers who managed to obtain the officers’ personal email addresses thanks to a “real-life email harvester” collecting name cards with the addresses printed on them, and then spammed them with malware:

“A North Korean spyware e-mail was reportedly transmitted to the computer of a colonel at a field army command via China in early August. The e-mail contained a typical program designed automatically to steal stored files if the recipient opens it. Some officers whose email addresses are on their name cards have suffered hacking attacks.”

What’s important to note is that in such cases a high-profile victim’s personal email address can easily become the weakest link in an ongoing espionage campaign against a particular country: even where the adversaries are not capable of breaching the victims’ official mailboxes, the ongoing and previous conversations found in their personal ones can contribute to real-life espionage attempts against them.

In times when phishers, spammers and malware authors are consolidating, it is logical to assume that targeted attacks will only get more personalized and well-crafted in the very short term.

[Source: zdnet]