Sophisticated phishing attacks aimed at business executives have hooked thousands of users.
Erik Larkin, PC World
Friday, July 27, 2007 3:00 PM PDT

A wave of sophisticated, ongoing attacks disguised as bills from supposed business partners, complaints from the Better Business Bureau, and investigations by the Internal Revenue Service is snaring high-value business victims with malware-carrying e-mail messages that don't bear the usual telltale signs of phishing.

"When you get one of these things," says Dave Jevans, chairman of the Anti-Phishing Working Group, "they're so well crafted, they look real."

The attacks target corporate executives and other high-level employees at a range of companies. Victims who open attachments or follow download links can pick up a malware infection and hand over the keys to their corporate banking network, financial account log-ins, and a vast assortment of other sensitive and valuable data. "It's a lot more lucrative than stealing a credit card number and making small purchases," says Jevans.

To better snare such prizes, the targeted attacks start with real names and company references to make the messages seem real. For example, a faked invoice sent to PC World came with the subject line: "Proforma Invoice for PC World Communications Inc. (Attn: Harry McCracken)." Both the company name and that of our editor in chief were correct.

Experts suggest many ways the thieves could have collected company and employee names. They could have "scraped" the information from various companies' own Web sites, which often list the names and titles of executive staff. They may have wormed their way into popular online contact databases, or even purchased lists of such information from legitimate marketing firms.

Regardless of the source, seeing an e-mail with your name on it helps convince you that it's real. To further allay suspicions, the messages are well written and professionally presented. You won't see the obvious grammatical mistakes and nonsensical wording that give away run-of-the-mill scams. The faked IRS and BBB e-mail messages even provided the name of the person who supposedly filed the complaint, along with the date it was filed.

Many of the attacks disguise malware as embedded objects inside attached, convincingly named Word documents, such as "Documents_for_Case.doc." The recipient must click an icon inside the document for the attack to succeed, but the arrangement also allows the malware to slip past many antivirus programs. Other attacks include links to downloadable malware in the e-mail.

Some victims have been hit by a Trojan horse that can sift through hard-drive data, spy on anything on screen, or even allow full remote desktop control, says Joe Stewart, a senior threat researcher with SecureWorks who conducted an in-depth analysis of the attacks. Other infections have added an Internet Explorer browser helper object that can steal user names, passwords, and any other data typed into the browser, even if the data is sent afterward over a secured connection.

For an attacker, going to such lengths is justified by the potential of landing a well-heeled victim, in much the same way a sales pitch for a luxury Rolls Royce would be much more polished and directed than what you'd hear at a corner lot filled with junkers.

"Phishers are used to getting tons and tons of crap data to wade through to get to their stolen data," Stewart says. "Targeting execs is a way better payoff for the work involved."

And it's working, he says. Within a day of the Proforma invoice scam's being sent out, his company knew of about 200 infections. Thousands more fell victim to the BBB and IRS e-mail attacks, he says.

"We're going to see more of this type of activity," Stewart says.

In fact, these threats appear to employ a black-market supply chain that's making it ever easier to launch both targeted and broad-based assaults upon the Internet. Stewart says that from his research, "it looks like [the attackers] may be groups that started out with plain old phishing and mastered the social engineering ploy, but aren't malware writers."

In other words, the crooks knew how to write a top-notch phishing e-mail, and decided to combine that with someone else's malware. The attached (or downloadable) Trojan horse used in many of these attacks appears to come from a known malware-for-hire group called Nuclear Winter, according to Stewart.

With a crafty message and a fresh variety of malware ready to go, the online thugs needed only a computer server where their malware could dump its stolen data, and where they could host more downloadable malware versions. The one they chose is located in China, Stewart says, which makes it hard for authorities and researchers to bring it down. "We've got plenty of sites there that are hosting this stuff for months on end and never get shut down," he says.

While it's troubling to know that thieves can access a global supply chain to create an Internet attack designed to bleed you dry, in this case the attackers' lack of malware expertise gives you your best shot at defending yourself.

Unlike some especially dangerous malware assaults, all of these attacks thus far require you to do something beyond simply reading the e-mail or opening the attachment. For the embedded objects in Word documents, you must click the somewhat unusual icon. Many people here at PC World were taken in enough by received BBB e-mail messages to open the attached document, but they stopped short of clicking the contained icon and thereby avoided infection.

Also, if you click a link in some of the messages that supposedly pull down case documents, you'll notice one of the few other attack clues: The download file begins with a valid-looking name, but ends with the telltale .exe extension (for example, "Complaint.doc.exe" ). To install on your computer when you double-click, a download needs that .exe extension.

If you're especially observant, you may discover other discrepancies in future e-mail messages that will no doubt follow the targeted trend. For example, the Proforma invoice we received here at PC World listed a business named "Beckman Instruments, Inc.," but when we brought up the supposed sender's domain of Beckman.com in a Web browser, the page was for a company named Beckman Coulter.

Those details can be hard to spot, though, so your best protection is to assume the worst about any links and attachments in all unexpected e-mail, even those messages that look real. If the attackers someday manage to combine these convincing messages with a zero-day attack capable of downloading malware the moment you open a poisoned Word document, that suspicion will prove all the more critical.

"Unless you're in a zero-day scenario," says Alex Eckelberry, president of antispyware maker Sunbelt Software, who himself received one of the IRS attack messages, "nothing will infect you unless you do something."