Targeted Web attacks
Published: 13 Jul 2005
Forget the notion of a lone script kiddie sitting at a computer, launching wide-scale attacks on random computers around the world. Now that there's good money to be made in criminal hacking, security experts are warning that highly organised groups of attackers are doing their research online before carefully selecting their targets.
The goal is to obtain intellectual property that only an insider would have access to, then offer it for sale or demand a ransom. Armed with an arsenal of custom Trojan horses, these organised criminals are going after secrets within high-profile companies and even within government agencies. Often, the victim is unaware that it's happening.
Warning from the UK
According to a June 16 2005 briefing by the NISCC (National Infrastructure Security Co-ordination Centre, in the United Kingdom), targeted email Trojan horse attacks have increased in sophistication within the last few months. The basic concept is not new (I first wrote about a similar concept two years ago). Similar to phishing attacks or to email-borne viruses, the criminal hackers (a.k.a. 'crackers') target a specific company or government agency, then create a fake email that appears to be an internally sent document. Crackers are literally Googling their quarry, gaining valuable background information regarding the organisational structure of the target system first, then shaping the social engineering part of their email attacks for maximum impact. For example, a subject line might read 'Re: Project Bluebird', where Bluebird is an internal mandate.
Déjà vu
By looking up legitimate email addresses within a particular government agency, then spoofing an email broadcast back to as many recipients of that domain as possible, an attacker can penetrate fairly deeply within an otherwise protected network. According to NISCC, the documents used in these new targeted Trojan horse attacks are often publicly available and usually sent to email distribution lists. The attackers simply modify the original document to include their custom-built Trojan horse.
The irony is that the thieves themselves don't have to know much about programming. Individuals are available on IRC chats and on the Web who will custom-design a Trojan horse to fit specific needs. Because the attacks are so specific, antivirus and security companies may not identify the exact Trojans used to carry out the attack until much later.
Smash and grab
Using known vulnerabilities in Windows, Outlook and Internet Explorer, a targeted Trojan horse can be installed on an insider's computer, often without his or her knowledge. Once in place, these Trojans can record keystrokes, gain access to other parts of the internal network or expose an internal network to a remote attacker. The Trojans can reside on desktops and networks for days or weeks before they are detected. This allows crackers to 'smash and grab' files located deep within a company or government agency before conventional antivirus and security systems recognise there's a problem. I'm speculating that the recent theft of the information on 40 million credit cards from a CardSystems Solutions database in Arizona might have been accomplished in this stealthy manner.
Prevention
Since these attacks rely mostly upon vulnerabilities in software, you should patch your PC regularly. The Windows Update service from Microsoft can be set to run automatically within Windows XP. If you're running older versions, you should check the site manually at least once a month. In addition, good antivirus, personal firewall, and antispyware applications provide layers of security, making it harder for intruders to gain access to your individual PC or private network.