Far more dangerous than a normal e-mail attack, targeted attacks choose a particular person as the prospective victim and tailor their message to that recipient. Since their creators craft the messages carefully (with few spelling and grammatical errors, for example), these attacks lack tell-tale indicators and thus stand a far greater chance of snaring a victim.
A recent e-mail blast sent out to LinkedIn users followed this pattern. The e-mail, which appears to have come from firstname.lastname@example.org and addresses LinkedIn members by name, purports to provide a requested list of exported business contacts. In reality, the attachment launches a malware assault against anyone who double-clicks it.
LinkedIn is mum on the question of how attackers managed to lift the contact information for the 10,000 users who received the targeted messages, but similar attacks against Monster.com users last year relied on contact data stolen via a Trojan horse malware infection. Using attacks masquerading as messages from the Better Business Bureau and the Internal Revenue Service, scammers may have lifted names and business titles from profiles on social networking sites and even company Web sites. And a Hungarian site recently disclosed a Twitter vulnerability that allows anyone to type in a URL and see supposedly private messages.
Like nontargeted attacks, the tailored messages direct potential victims to open an attachment or to visit a Web site, which then launches an assault. Patrik Runald, chief security advisor with F-Secure, says that some attacks in the past directed users to visit a site that tried to install a malicous ActiveX control. The control was signed with a valid but stolen certificate to avoid the warnings about installing an unsigned ActiveX–another example of the sophisticated planning that goes into this type of con.
Runald says that targeted attacks–particularly those launched against high-profile targets such as military or defense contractors, government agencies, and certain nonprofit organizations (including groups concerned with Tibet and Darfur)–typically use Word documents, PowerPoint files, or PDFs as attachments. E-mail attachments have enjoyed a recent resurgence as attack vectors after falling into disfavor among crooks for some time.
As always, exercising caution is essential to protecting your system from poisoned e-mail links or attachments. Make it a habit to run suspect links past free online scanners such as LinkScanner at Explabs.com. Another way to avoid being attacked by a booby-trapped attachment is to open it in a nonstandard program. For example, opening an attack PDF with FoxIt Reader instead of with Adobe Reader would likely neuter it–which is all the more reason to try out alternative applications.