In-Depth

The Latest in Fiendishly Clever Targeted Attack Types

New targeted attacks masquerade as legitimate correspondence from the Better Business Bureau. It's fiendishly clever, which is exactly the point.

• By Stephen Swoyer
• 03/12/2012

At the recent RSA Conference in San Francisco, experts addressed lots of scary stuff. Most of it considered emerging threats, however.

As a recent report demonstrates, however, there's more than enough existing scary stuff to deal with, and thanks to improving techniques, crackers are making it even scarier.

Consider the latest innovation in targeted phishing: namely, attack messages that masquerade as legitimate correspondence from the Better Business Bureau (BBB). In an SMB or small- and medium-sized enterprise context, after all, any communication from the BBB is sure to snag someone's attention. It sounds fiendishly clever.

It's so clever, in fact, that it's been done before: the "new" BBB attacks actually reprise an old BBB attack, although this time around there's an innovative twist.

"A recent surge of similarly designed attacks in 2012 suggest this tactic has made a renaissance [sic]. Like the [first such] attacks in 2007, the recent [incidents] were also socially engineered to suggest that a complaint had been filed against the targeted organization and [that] the details of the complaint could be found in the file attachment," write researchers in the February edition of Symantec Corp.'s monthly Intelligence Report.

The file attachment, not surprisingly, either contains a malicious payload or uses an embedded HTML file (complete with a hidden IFRAME tag) that redirects a user to a compromised Web site. That's par for the course, according to Symantec.

Nevertheless, there was something different about the attacks, Symantec researchers stress. "Although the attacks recorded in 2007 and 2012 bear similar social engineering techniques, the recent waves are using considerably more advanced techniques, including server-side polymorphism," they point out.

From a cracker's perspective, server-side polymorphism (SSP) offers a fantastic way to optimize an attack, chiefly because it "enables the attacker to generate a unique strain of malware for each use, in order to evade detection by traditional anti-virus security software." Implementing SSP is a comparatively trivial task -- it can be done by means of PHP scripting -- and, at this point, it's extremely difficult to police. "[T]he ... nature of these attacks makes them very difficult to recognize and detect using more traditional signature-based defenses."

If the tools of would-be crackers have evolved, so, too -- thankfully -- have those of would-be defenders. For example, Symantec researchers say cloud-based heuristic technologies seem to be more effective against SSP attacks. "[B]ecause of their ability to respond quickly to new and previously unknown threats, cloud-based heuristics ... are very effective at detecting these aggressive strains of polymorphic malware, which in February accounted for 41.1 percent of all [blocked] e-mail-borne malware," according to the report, noting that Symantec's .cloud e-mail service filters SSP attack activity "on an almost daily basis."

The attacks tend to come in waves. As of late-February, Symantec .cloud had intercepted approximately 700 examples, each of which involved e-mail sent to a different Symantec client. "A successful exploitation will connect to a remote server hosted in Russia, which will attempt to download and execute a fake anti-virus product without the user's permission," the report concludes, adding that such URLs are available for a "short period of time."