RSA 2011: E-mail is still top cyber attack method

E-mail is still the top attack method for targeted and espionage attacks, say security experts

E-mail is still the top attack method for targeted and espionage attacks, says Mikko Hypponen, chief research officer at security firm F-Secure.

Chat, instant messaging and web-based attacks are still in the minority, he told delegates at the RSA Conference 2011 in San Francisco.

The reason espionage is increasingly moving online, he said, is simply that most information is now stored digitally, and it is possible to steal information without necessarily gaining access to the target organisations.

Typically these are targeted attacks, where an individual within an organisation will receive an e-mail that appears to come from someone they know.

The e-mails also typically have an attached document that makes sense and is relevant to the recipient, and that is often a copy of an actual document used by the supposed sender's organisation.

The recipient views the document, but is totally unaware that malware is being installed in the background that creates a backdoor, said Hypponen.

"This backdoor not only gives the attacker access to the victim's system, but also to everything on the network that they are authorised to access," he said.

Even though Word and other document types are used, PDF is the most common document used for targeted attacks.

"Attackers exploit vulnerabilities in Adobe Reader to install the malicious code on the victim's machine," said Hypponen.

In the face of these types of targeted espionage attacks, businesses should make employees aware of the tell-tale signs.

If documents take longer than usual to appear, it could be that a backdoor is being installed before a fake document is displayed, said Hypponen.

A difference between the name of the attached file and the name of the file that is eventually displayed is also an indicator of a potential targeted attack.

Anyone who suspects that an e-mail may be illegitimate should check with the supposed sender to see if they did indeed send the e-mail in question, preferably before opening the attachment, he said.

Businesses can also better detect targeted attacks by monitoring the sites to which employee computers are connecting, said Hypponen.

In addition to several well-known malicious sites, businesses can monitor for sites that use variations on the spelling of legitimate sites.

"If an employee's computer is connecting to a site like, it is likely to be a malicious site," said Hypponen.
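The monitoring described above, checking outbound connections for spelling variations of legitimate sites, can be sketched as follows. This is an added example, not code from the article or from F-Secure; the watchlist, the log format, the hostnames (all under the reserved `.example` TLD) and the distance threshold are assumptions made for illustration.

```python
# Added example: flag outbound connections to near-miss spellings of trusted sites.
WATCHLIST = {"acme-corp.example", "acmebank.example"}  # assumed trusted domains

# Constructed proxy log lines: "<timestamp> <client-ip> <hostname>"
SAMPLE_LOG = """\
2011-02-16T09:14:02 10.0.0.21 www.acme-corp.example
2011-02-16T09:14:40 10.0.0.37 www.acme-crop.example
2011-02-16T09:15:11 10.0.0.44 login.acm3bank.example
2011-02-16T09:16:05 10.0.0.52 intranet.partner.example
"""

LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # digit-for-letter swaps


def base_domain(host):
    """Naive registrable domain: the last two labels (no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def find_lookalikes(log_text, watchlist=WATCHLIST, max_distance=2):
    """Return (client, hostname, imitated_domain) for each suspicious connection."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, host = parts[1], parts[2]
        dom = base_domain(host)
        if dom in watchlist:
            continue  # exact match: the legitimate site itself
        folded = dom.translate(LOOKALIKES)
        for good in sorted(watchlist):
            if folded == good or edit_distance(dom, good) <= max_distance:
                hits.append((client, host, good))
                break
    return hits
```

Short watchlist names produce false positives at a distance of 2, so hits are leads for an analyst to review rather than verdicts.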

It is important for businesses to ensure security patching is always up to date and they are monitoring all connections made from corporate computers, he said.

Hypponen also recommends that businesses use a PDF reader other than the product from Adobe. His reasoning is that other readers do not have the same install base and are therefore less targeted.
