The Rise Of The Customised Security Attack

The email security landscape is constantly changing, and one of the biggest shifts during the past twelve months has been the dominance of convergence – the practice of combining virus, spam and other attack methods. The motivation behind this technique is undoubtedly financial, with virus writers and spammers collaborating in order to increase the loot.

As criminals operating online have begun to realise the potential commercial value of Internet-related crimes, so they have started to investigate other ways of using malware to line their pockets.

In the not too distant past few people would have known what a phishing scam was. Yet the practice of targeting an online organisation and its customers with the hope of collecting details of accounts that could then be abused has become familiar to many.

In September 2003, only 279 of the tens of millions of emails scanned by MessageLabs every day were phishing-related. By September 2004 this number had risen to over two million, and during the whole of 2004 over 18 million emails were intercepted. There is a simple explanation for the rise in phishing – it works.

During the short time phishing has been on the scene the perpetrators have developed and honed their techniques effectively. Recent phishing emails have reduced the need for human error by capturing online details automatically, for example. There is also evidence that phishers have tried to dupe unsuspecting users into becoming middlemen for money laundering operations.

What makes phishing different to many virus and spam operations is that it is in some way customised to the victim. Typically, there is no specific target for a virus outbreak or spam run – those behind it simply want to reach as many people and their machines as possible. Phishing emails may be spammed out to many random recipients, but the target is usually one company and its customers. The email will probably have been designed to look as though it could have come from that organisation, and the company will probably have been selected on account of its brand, and the fact that it has a high number of consumer customers, amongst other factors.

This move to a more tailored approach, signalled by the advent of phishing, is beginning to show itself in other online scams and operations. Last year, in the run up to major sporting events such as the Cheltenham Gold Cup and European Championships online betting sites were threatened with denial of service attacks if they didn’t pay the blackmailers. These gaming companies were selected because of their reliance on ecommerce, and according to periods of peak business. Obviously, in these instances, the primary threat is to revenue and profits, although other impacts include possible damage to the brand and consumption of internal technical resources.

Another example is the company threatened with having child pornography sent out in the their name, and once again the perpetrators demanded money in order to suspend the attack. Although the golden rule is not to give in to a blackmailers demands, the possibility of something as sensitive as child pornography being released into the public domain apparently from your organisation is a threat that has to be taken seriously and be handled appropriately.

Given the examples above it is not too hard to imagine what could potentially be achieved by using malicious code in the execution of crime. Blackmail, extortion and protection are just a few of the options. Every organisation has its weaknesses, and most now rely upon the Internet and email in some way. Even the least sophisticated cybercriminal could probably think of way to compromise most businesses.

What about the malware itself? Are the perpetrators using common methods of creating the tools used in these attacks, or is something more sinister going on? To date, most of the viruses, Trojans and worms have been of the same ilk as you’d expect to be used in a random attack. But there is evidence to suggest that this is changing, and there have been some instances of Trojans constructed with a particular organisation in mind. By investigating the defences of a company, it is possible to design a piece of malicious code with the express purpose of circumventing them.

Consider the following scenario. It wouldn’t be too difficult to find out which anti-virus software product a company is using and how efficient that vendor is at issuing signatures for new viruses. All that is then needed are the names of users working in department most likely to have access to sensitive information, perhaps the financial team. It is possible to create a virus designed to search for documents with particular filenames, such as “sensitive’ or “confidential’, and email these documents to a designated account.

If this is the first time the virus has been seen, a company using reactive software probably won’t be alerted. By the time the infection is discovered, it will take another few hours to issue a patch. But the damage has already been done, and your highly sensitive information and intelligence has already exited the building.

It isn’t possible to say for certain which organisations are more likely to be targeted with these types of attacks. In reality, any business is a potential victim. However, those with a strong online presence or heavy reliance on ecommerce are most likely to be at risk. Anyone with a high profile brand should also seriously consider this type of threat – it takes years to build a brand but only minutes to destroy it.

Companies relying on generic, blanket security products such as out of the box software may find it most difficult to protect against customised attacks. Software products are generally unable to identify where a threat has come from, and do not have a team of experts acting as an early warning system. A proactive managed service provider has these capabilities, precisely because email traffic must pass through its systems – allowing for analysis of unusual traffic patterns, email origin and new, previously unseen vulnerabilities and malicious code. The perpetrators of email security attacks are learning to adapt their methods according to their target, and are making it personal. To effectively combat this breed of threat, organisations must do the same.