
E-Mail Scams Target Deep-Pocketed Victims

Sophisticated phishing attacks aimed at business executives have hooked thousands of users.

Erik Larkin, PC World


Worldwide Production

In fact, these threats appear to employ a black-market supply chain that's making it ever easier to launch both targeted and broad-based assaults upon the Internet. Stewart says that from his research, "it looks like [the attackers] may be groups that started out with plain old phishing and mastered the social engineering ploy, but aren't malware writers."

In other words, the crooks knew how to write a top-notch phishing e-mail, and decided to combine that with someone else's malware. The attached (or downloadable) Trojan horse used in many of these attacks appears to come from a known malware-for-hire group called Nuclear Winter, according to Stewart.

With a crafty message and a fresh variety of malware ready to go, the online thugs needed only a computer server where their malware could dump its stolen data, and where they could host more downloadable malware versions. The one they chose is located in China, Stewart says, which makes it hard for authorities and researchers to bring it down. "We've got plenty of sites there that are hosting this stuff for months on end and never get shut down," he says.

While it's troubling to know that thieves can access a global supply chain to create an Internet attack designed to bleed you dry, in this case the attackers' lack of malware expertise gives you your best shot at defending yourself.

How to Protect Yourself

Unlike some especially dangerous malware assaults, all of these attacks thus far require you to do something beyond simply reading the e-mail or opening the attachment. For the embedded objects in Word documents, you must click the somewhat unusual icon. Many people here at PC World were taken in enough by the BBB e-mail messages they received to open the attached document, but they stopped short of clicking the icon it contained and thereby avoided infection.

Also, if you click the link in some of the messages that supposedly pulls down case documents, you'll notice one of the few other clues to the attack: The download file begins with a valid-looking name, but ends with the telltale .exe extension (for example, "Complaint.doc.exe"). The download needs that .exe extension in order to install on your computer when you double-click it.
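The double-extension clue described above can be checked automatically at a mail gateway or in a triage script. The following is an added example, not code from the article or from the researchers quoted: the function names, the extension lists beyond .doc and .exe, and the sample message are all constructed for illustration.

```python
import email
from email import policy

# Assumed lists for illustration; the article itself names only .doc and .exe.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif"}
DECOY_EXTS = {"doc", "pdf", "xls", "txt", "jpg", "zip"}

def is_deceptive_name(filename):
    """True when a document-like extension sits just before an executable one."""
    # Windows ignores trailing dots and spaces, so "a.doc.exe ." still runs as .exe.
    cleaned = filename.strip().rstrip(". ").lower()
    # Strip each piece so space padding ("a.doc     .exe") does not hide the decoy.
    parts = [p.strip() for p in cleaned.split(".")]
    if len(parts) < 3:
        return False  # a plain "setup.exe" is not disguised as a document
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS

def flag_attachments(raw_message):
    """Return the attachment filenames in a raw e-mail that look deceptive."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # walk() also visits nested parts, e.g. a forwarded message.
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and is_deceptive_name(n)]

# Constructed sample message (not a captured phishing e-mail).
SAMPLE = """\
From: complaints@example.test
To: exec@example.test
Subject: Complaint case
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached case documents.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Complaint.doc.exe"

placeholder
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="Minutes.v2.doc"

placeholder
--b1--
"""

if __name__ == "__main__":
    print(flag_attachments(SAMPLE))
```

A name check like this only catches the disguise described in the article; it does not inspect file contents, so it complements rather than replaces content scanning.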

If you're especially observant, you may discover other discrepancies in future e-mail messages that will no doubt follow the targeted trend. For example, the Proforma invoice we received here at PC World listed a business named "Beckman Instruments, Inc.," but when we brought up the supposed sender's domain of Beckman.com in a Web browser, the page was for a company named Beckman Coulter.

Those details can be hard to spot, though, so your best protection is to assume the worst about any links and attachments in all unexpected e-mail, even those messages that look real. If the attackers someday manage to combine these convincing messages with a zero-day attack capable of downloading malware the moment you open a poisoned Word document, that suspicion will prove all the more critical.

"Unless you're in a zero-day scenario," says Alex Eckelberry, president of antispyware maker Sunbelt Software, who himself received one of the IRS attack messages, "nothing will infect you unless you do something."
