If you haven’t done so already, perhaps it’s time to remind your users about the hazards of clicking on e-mail attachments from unknown senders.
Security researchers have detected a significant surge in the number of spam attacks in July containing variants of the Storm worm, a Trojan that turns infected PCs into an army of hacker-controlled botnets. This type of worm was first detected last January.
E-mail and Web security services firm MX Logic has reported a 1,700 per cent spike in the number of worm-related e-mail attacks containing payload files that are new variants of the Storm worm.
The most common of these types of e-mails are those that purport to contain a greeting card attachment, according to Sam Masiello, director of threat research at MX Logic in Englewood, Colo.
The attached fake greeting card contains a link that triggers the download of a piece of malware that then scours the system for specific vulnerabilities. The vulnerability is then exploited by the attacker to gain control of the system, Masiello explained.
“If you can make your message look legitimate and if you can convince the user that what they are about to open is something that they want to open or an attachment that they would like to click on, then your campaign is likely to be successful,” he explained.
Botnets are proving to be financially rewarding for hackers for the various purposes they can serve, from worm propagation and mass spam distribution to launching targeted denial-of-service attacks, Masiello said, adding he expects these types of attacks to continue.
“With the size of the botnet army that they have at their disposal to launch new variants coupled with the success of the social engineering tactics that they have been using, I don’t expect to see Storm falling off the map anytime soon,” Masiello said.
Seen elsewhere
Symantec Corp’s recent Spam Monthly Report has shown a similar trend of rising e-card spam in the month of July.
“The link (to the attachment) in these cases was an exposed IP address, which is a clear indicator that it isn’t a greeting card from an established and reputable e-card service,” the Symantec report said.
Just last month, however, security vendor Fortinet cited on its State of Malware Report a general decline in the number of mass-mailing worms since the start of the year. On the average, the report said, e-mail worms decreased by five per cent each month.
The decreasing trend was attributed to attackers shifting to more targeted attacks, rather than indiscriminate mass mailing, according to Bryan Lu, project manager for the Fortinet Global Security Research Team.
Lu also attributed the reported drop in e-mail worms to increased end-user awareness about social engineering tactics involved with this type of attack, knowing better now than to click on attachments from unknown senders.
But the rising number of bot-infected computers is an indication that social engineering tactics are still an effective attack mechanism, according to Masiello.
Old tricks
Security experts believe attackers are turning to more social engineering-type of attacks as an avenue to get through corporate boundaries, as security defences in the enterprise become increasingly sophisticated and multi-layered.
The recent penetration test done by the U.S. Internal Revenue Service on its employees was a demonstration of what social engineering can accomplish for the bad guys. About 60 per cent of IRS employees readily gave away their username and passwords over the phone to someone pretending to be conducting a help desk call.
Technology can only go so far in detecting attacks and blocking intrusions, stressed James Quin, senior research analyst at Info-Tech Research Group.
“Human barriers are not as foolproof because people often deviate from their programming and abandon caution to blurt out information when they judge the situation to be appropriate,” he said.
Masiello said the obligation is on the IT departments to constantly keep updated on all the new and emerging threats, then inform the users about them.
“If users don’t know about these dangers, how are they supposed to know they are not supposed to click (these attachments)?” Masiello said.
Zully Ramzan, a senior principal researcher at Cupertino, Calif.-based Symantec Corp.’s security response team, said Symantec has seen plain-text attacks before and doesn’t view them as a new problem.
“There’s been a bit of a resurgence lately” with e-card notification messages, possibly because of last month’s July 4 holiday or because criminal groups have been organizing mailing campaigns, he said.
–With files from IDG News Service