This is a late-breaking update courtesy of PAUL WOOD, Senior Security Analyst at MessageLabs. I think you'll agree that this hits pretty close to home for practicing accountants and our clients.
It seems their spam filters have had a spike in targeted attacks on banks. The emails are purportedly from the Better Business Bureau and use employees' specific names and organizations mentioned in the subject lines, all in an effort to obtain sensitive and valuable information.
Interestingly, the attachment used to entice employees to submit is called complaint.scr, a screen-saver that contains malware. While previous attacks used links, this latest surge indicates a return to using malicious attachments.
gll
Here is Paul's communication:
Targeted Attacks aim at the Financial Sector
On 19 November a series of targeted attacks, specifically aimed at the Financial Sector, was intercepted by MessageLabs. The first attack, at 16.55 EST, involved 472 emails; the second, at 20.30 GMT, involved 312 emails and is still continuing.
Subject Line
In the first wave of attack, the subject line copy included the full name of the recipient, and the full name of their organization. The attachment is a zip file containing a .SCR (executable).
In the second wave of attack, the subject line was similar and referred to the full name of the recipient. However, the attachment is an RTF file with a .DOC extension that contains an EXE which appears to masquerade as a PDF. Previous attacks from this group have also utilized links to websites hosting the malicious documents.
The format of the subject lines was consistent across all the attacks and is almost identical to that of the 12/13 September attacks, which focused on cross-sector C-level executives. That attack was from a gang purporting to be the Better Business Bureau, and the same gang is predicted to be responsible for this latest round of targeted attacks.
November 19 Subject Line Example:
Complaint Update for [name], [name of target company] (Case id: random number)
September 12 Subject Line Example:
Agreement Update for [name], [name of target company], (Case id: random number)
Targets
All attacks were aimed at individuals within leading financial organizations across multiple geographies, including North America, Europe, the Middle East and Asia Pacific. In some cases, more than one recipient was targeted at a specific organization. In the second wave, the target organizations were still financial, but included many other organization types too.
Server or Botnet?
The originating servers appear to be compromised or under the control of the senders: 56% of the offending mails were sent from servers in the US and 43% from sites in Japan. They are real servers, not botnets. Early analysis suggests it installs a backdoor remote access trojan of some kind, potentially for stealing data.
Example of wave one email:
Example of wave two email:
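As an added defensive example (not part of Paul's communication or any MessageLabs tooling), the following Python checks an inbound attachment for the traits described in the two waves: a zip carrying a .SCR executable, a .DOC extension whose content is really RTF, and an RTF embedding an executable object, plus a match on the "Complaint/Agreement Update for ... (Case id: ...)" subject format. The subject regex and the sample attachments are constructed approximations of the wording on the page, not vendor signatures.

```python
import io
import re
import zipfile

# Subject format described on the page: "Complaint Update for [name], [name of
# target company] (Case id: random number)". This regex is my own approximation
# of that wording, not a vendor signature.
SUBJECT_RE = re.compile(
    r"^(Complaint|Agreement) Update for .+?, .+?,? \(Case id: \d+\)$", re.IGNORECASE)

def suspicious_subject(subject):
    return bool(SUBJECT_RE.match(subject))

def attachment_findings(name, data):
    """List the traits of an attachment that match the two waves described."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    body = data.lstrip()
    # Wave one: a zip archive whose members include a .SCR (executable)
    if body[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith((".scr", ".exe", ".pif", ".com")):
                        findings.append(f"zip contains executable member {member}")
        except zipfile.BadZipFile:
            findings.append("zip archive is malformed")
    # Wave two: a .DOC extension whose content is actually RTF ...
    if ext == "doc" and body.startswith(b"{\\rtf"):
        findings.append("extension .doc but content is RTF")
    # ... with an embedded object whose hex data decodes to an MZ (EXE) header
    if body.startswith(b"{\\rtf"):
        for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", body):
            try:
                if bytes.fromhex(m.group(1).decode())[:2] == b"MZ":
                    findings.append("RTF embeds an executable (MZ) object")
            except ValueError:
                pass
    return findings

def build_samples():
    """Constructed stand-ins for the attachments described, plus a benign .doc."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("complaint.scr", b"MZ" + b"\x00" * 64)  # fake executable payload
    rtf = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 4d5a9000" + b"00" * 32 + b"}}}"
    ole2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64  # genuine Word binary header
    return [("complaint.zip", buf.getvalue()), ("complaint.doc", rtf), ("report.doc", ole2)]
```

In a mail gateway the findings list would feed a quarantine decision; the extension-versus-content mismatch alone is a strong signal because legitimate senders rarely rename RTF files to .DOC.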