"This exemplifies or illustrates that these kinds of attacks are becoming more and more targeted," said Sam Masiello, director of the threat management team at MX Logic Inc. "Companies need to be much more diligent about educating their own users."
Masiello said his company's antispam algorithms on the night of May 24 detected a growing number of messages purporting to be from the Better Business Bureau. The messages informed recipients that their company was the subject of a formal complaint and instructed readers to click on an attachment to view that complaint.
"When executed, the Word document launched a Trojan that installed itself onto your PC," Masiello said. The Trojan, a keystroke logger, would upload keystrokes to a third-party Web site, where the spammers could collect sensitive information such as passwords and account information.
Masiello said the messages were aimed at high-level executives, such as CEOs, CFOs and COOs. The spammers put the targets' individual names and the names of their companies into the messages. He said the spammers probably acquired the targets' email addresses by fishing for executives' names on corporate Web sites and blasting messages to common formulations of email addresses based on those names.
Spam purporting to be from a federal agency is unusual because it tends to get spammers into much more trouble.
"Government agencies aren't targeted frequently," Masiello said. "The federal government has tons of resources at their disposal. Being on the federal government's radar for spam purported to be from the Better Business Bureau, that's something that's going to be picked up very quickly and you're going to have a lot of resources dedicated to finding you and putting you in jail."
On Monday the Better Business Bureau issued a press release that contained a warning to businesses and consumers about the phishing attacks. The spam messages appeared to be from legitimate bureau email addresses, the release warned. The bureau also said it was working with the Electronic Crimes Task Force to track down the spammers.
Masiello said a new variation on the message started appearing Thursday. The content of the message remained mostly unchanged, but the purported sender was now the IRS.
These spear phishing attacks are problematic for antispam technology because the volume of the messages is much lower than typical spam attacks and, thus, more difficult to detect. Masiello said this trend will only continue.
"Instead of having these large blast attacks where millions upon millions of users are getting the same message, you'll start to see more localized, targeted attacks," Masiello said. "This tends to fly under the radar of service providers who process millions of messages a day. It's easier to get through if a smaller group of customers are targeted. You get fewer complaints from customers, too, so providers have not caught on."
Another common form of attack is a spam message claiming to be from a company's internal IT department. The message tells users, for instance, that their corporate passwords are out of compliance and instructs them to click on a link and change their password. Of course, this scam just compromises the users' existing passwords by taking them to an external Web site.
Avivah Litan, vice president and distinguished analyst at Stamford, Conn.-based Gartner Inc., said with spear phishing criminals are getting more sophisticated with their social engineering techniques and their technological approaches.
Phishers are moving away from using big brand names like credit card companies and large banks, she said, and are using brands that are less often associated with spam, such as the Better Business Bureau. This is trouble for users, who are getting better at spotting fake emails from banks but might be tricked by an email from the bureau.
Litan said spam filters use IP address identification to verify traffic purported to be from banks and other common sources of spam messages. Often these filters don't even know the IP address of something like the Bureau.
These targeted attacks are even harder for them to detect because of the volume.
"It makes it harder because there's no volume," Litan said. "One indicator of a spam attack is the volume of email coming from one server. There's no volume on the destination and not a lot of volume on the server because they're sending messages across their botnets."
Litan said IT organizations can try to educate users about the dangers of these phishing attacks, but it won't be enough.
Bill Kisse, CEO of Electronic Systems Services, a Clarksburg, Md.-based manufacturer of point-of-sale equipment for retailers and food service companies, said he hasn't seen any spam purporting to be from the Better Business Bureau or the IRS. He said he keeps his company's spam-filtering technology on a very high setting that blocks most questionable email.
Despite the vigilance of his spam-filtering technology, his company also takes time to educate users regularly about phishing attacks. Good antispam technology is important he said, but education is as well.
"My system administrator at the office, when he sees something unusual he will send out a reminder," Kisse said. "For instance, messages asking you to update your information with Bank of America or PayPal. It's something you would have heard about six months ago, then forget. He reminds them."
Kisse said he did once fall for a phishing attack.
"I was victimized. It asked me to update my information and I did it. Then I realized and said, 'Bill, you idiot!' Ten seconds later I changed my password. Sometimes, you just get fooled. It's a very effective tactic. Even if only one out of 1,000 succeeds, it's still worth it [to the spammers]."
Let us know what you think about the story; email: Shamus McGillicuddy, News Writer