Friday, July 15, 2011

Symantec: A Look Inside Targeted Email Attacks

Via Symantec Über Security Response Blog -

The number of targeted attacks has increased dramatically in recent years. Major companies, government agencies, and political organizations alike have reported being the target of attacks. The rule of thumb is: the more sensitive the information that an organization handles, the higher the possibility of becoming a victim of such an attack.

Here, we’ll attempt to provide insight on a number of key questions related to targeted attacks, such as where did the malicious email come from, which particular organizations are being targeted, which domains (spoofed or not) sent the email, what kinds of malicious attachments did the emails contain, etc. Our analysis of the data showed that, on average, targeted email attacks are on the rise:


Three out of the top 10 are governmental agencies. Among the remaining seven organizations, four have strong ties to either local or international governmental bodies. Two organizations (in sixth and tenth position) are not under governmental control; however, their business operations are heavily regulated and may be influenced by governmental organizations.

Governmental organizations are obviously targeted for their politically sensitive information. But why target NPOs and private companies? It’s a foot-in-the-door technique. By compromising those companies with strong ties to government agencies, attackers may acquire contact information for government personnel and craft their next attack around that stolen information.

In one particular organization, ranked 7th on our most targeted list, we observed the following:
  • Forty-one people received 10 or more emails, making up 98% of the total attack emails sent to that organization.
  • The remaining 2% of emails were targeted at 13 others, resulting in an average of less than two emails per person.
This clearly indicates that certain individuals are targeted more than others, probably because of their profile or particular status within the organization. In this organization, the President, Vice President, Directors, Managers, and Executive Secretary were all targeted. All of their profiles—including email addresses and job titles—are publicly available, which is most likely how malicious attackers got hold of their information in the first place.

Having said that, targeting the top-ranking personnel in an organization is not a “must” for attackers; often, targets are likely to include P.A.s as well as I.T. staff (who often have administrative rights on the target infrastructure). Once the attacker successfully infects or compromises one machine in the organization, they then have the potential to compromise other machines or devices on the same network. This may enable the attackers to harvest further contact information (belonging to other organizations) along the way, which leads to future attacks against different entities—the attackers just need that initial foot in the door.


In summary:

  • On average, targeted email attacks increased during the two-year period we looked at.
  • The more sensitive the information that an organization handles, the higher the probability of becoming a victim of such an attack.
  • The government/public sector is the most targeted industry.
  • A small percentage of people receive the bulk of the emails.
  • The attachments of choice are .pdf and .doc, making up a combined 67% of all targeted email attachments.
  • Some targeted attacks can be extremely well crafted and quite convincing.
  • Certain organizations and companies make for more attractive targets than others.
  • The people who work for these “higher value targets” need to take extra special care when dealing with emails that contain attachments or links.
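The two quantitative findings above (a handful of recipients absorbing the bulk of the attack mail, and .pdf/.doc dominating the attachments) come from simple tallies that a defender can reproduce over their own mail-gateway or sandbox records. The following is an added example and not code from Symantec's post; it assumes each flagged message is available as a (recipient, attachment filename) pair and uses a small constructed sample in place of real gateway data.

```python
from collections import Counter
from pathlib import PurePosixPath

# Constructed sample of flagged inbound messages: (recipient, attachment name).
# Two recipients receive most of the mail, mirroring the pattern in the post.
SAMPLE_MESSAGES = (
    [("president@example.org", f"board-agenda-{i}.pdf") for i in range(12)]
    + [("it-admin@example.org", f"patch-notes-{i}.doc") for i in range(10)]
    + [
        ("reception@example.org", "invoice.xls"),
        ("hr@example.org", "cv.pdf"),
        ("press@example.org", "release.zip"),
    ]
)


def per_recipient_counts(messages):
    """Number of flagged messages seen per recipient address."""
    return Counter(rcpt for rcpt, _ in messages)


def heavy_target_share(messages, threshold=10):
    """Return (number of heavily targeted recipients, fraction of all flagged
    messages addressed to them). A recipient is 'heavily targeted' once they
    have received at least `threshold` flagged messages."""
    counts = per_recipient_counts(messages)
    heavy = {r: n for r, n in counts.items() if n >= threshold}
    total = sum(counts.values())
    share = sum(heavy.values()) / total if total else 0.0
    return len(heavy), share


def top_targets(messages, n=5):
    """Most-targeted recipients, for prioritising awareness work and mailbox monitoring."""
    return per_recipient_counts(messages).most_common(n)


def attachment_extension_share(messages):
    """Fraction of flagged messages per attachment extension (lower-cased)."""
    exts = Counter(
        PurePosixPath(name).suffix.lower() for _, name in messages if name
    )
    total = sum(exts.values())
    return {ext: n / total for ext, n in exts.items()}


def combined_share(messages, extensions=(".pdf", ".doc")):
    """Combined share of the given extensions, e.g. .pdf plus .doc."""
    shares = attachment_extension_share(messages)
    return sum(shares.get(ext, 0.0) for ext in extensions)


if __name__ == "__main__":
    heavy_n, heavy_share = heavy_target_share(SAMPLE_MESSAGES)
    print(f"{heavy_n} recipients received {heavy_share:.0%} of flagged mail")
    for rcpt, count in top_targets(SAMPLE_MESSAGES):
        print(f"  {rcpt}: {count}")
    print(f".pdf + .doc share: {combined_share(SAMPLE_MESSAGES):.0%}")
```

Run against a real export, the `top_targets` list is the set of mailboxes that deserve stricter attachment handling and closer monitoring, and `combined_share` tells you which file types your gateway sandboxing should cover first.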
