Report: Spam attacks targeting high-profile enterprise roles

A recent MessageLabs Intelligence Report has revealed an increase in targeted spam attacks, many of which originate in China and Romania.

The latest figures from Symantec Corp.'s MessageLabs division show that targeted email attacks are on the rise, and are emanating mainly from China and Romania.

In its March 2010 MessageLabs Intelligence Report, which covers the state of the global email landscape during the period of February 21 to March 23, Symantec noted a rise in the number of carefully crafted email attacks aimed at individuals in senior positions in organisations, the purpose being to infect their machines and steal valuable information.

The report reveals that the top five roles targeted in email attacks are director, senior official, vice president, manager and executive director. It also notes that the criminals tend to focus their attacks on certain specific roles, many of which have a political dimension. For instance, the most targeted individuals include people working at diplomatic missions, experts in Asian defence and trade policies, and human rights activists.

"Five years ago, we started to see one or two of these types of messages, but now we see 50 or 60 a day," said Paul Wood, a senior analyst with MessageLabs. "Given the billions of email transactions we see each day, it is just a drop in the ocean, but it is on the increase."

Wood said criminals are increasingly gathering information about senior people from social networking sites and from information that is openly published on company websites. Using that information, they can create convincing messages that look business-related and are more likely to win the trust of recipients. Also, because these messages are sent in much lower volume than mass-market spam, they are unlikely to be blocked by standard spam filters.

According to the report, China was the country of origin for 28.2% of these highly targeted attacks, followed by Romania (21.1%), the United States (13.8%), Taiwan (12.9%) and the U.K. (12%).

The U.K. as a nation also received the highest proportion of phishing attacks in March -- one in every 254.8 emails, compared to one in 513.7 globally. The small number of large British banks gives phishers a big target to aim for, said Wood. And the figures may have been boosted by the recently released Silon banking Trojan, which is designed to hit U.K. online banking customers only, and has been responsible for 20% of all banking Trojan activity in the U.K.

The report also shows that the global ratio of email-borne viruses in email traffic was 1 in 358.3 emails (0.28%) in March, representing a decrease of 0.05% since February.

In March, 16.8% of email-borne malware contained links to malicious websites, a decrease of 13.7% since February.

The report also highlights the use of different file types for the delivery of malware. Although most users have been trained to be suspicious of .exe attachments, MessageLabs found that 85% of .exe email attachments were not malicious. By contrast, it found that 96.8% of files with a .rar (encrypted archive) suffix were malicious.

It also noted that in March around 20% of all spam used TLS (Transport Layer Security) encryption, with most of this coming from the prolific Rustock botnet which used TLS for 77% of its emails. This trend will place an extra burden on corporate email servers, said Wood, because TLS consumes a lot more bandwidth and processor power than plain-text spam.

"The Rustock network has been updated recently to use TLS. When connected, it asks for certificate exchange and an encrypted channel," Wood continued. "Maybe they are expecting some ISPs to mandate their clients to use TLS or maybe to give priority to TLS traffic. Also, if the ISPs are blocking port 25, this may be a way of guaranteeing connections. It could also be a way of bypassing intrusion detection systems."
