Hackers Targeting Executive Emails

Not focusing on Internet security is like opening the cash register to hackers and thieves; these modern-day threats require CEOs [...]

September 19 2007 by Chief Executive

Not focusing on Internet security is like opening the cash register to hackers and thieves; these modern-day threats require CEOs to constantly reassess the emerging dangers of the Internet, warned Champ Mitchell, CEO Networking Solutions in his article with Chief Executive {Read: Taking Internet Security off the backburner}. It’s been two years since the article was published and now there are news reports of email hackers targeting c-level executives with precision malware looking to harvest intellectual information from them. Last month, Internet security firm, MessageLabs intercepted as many as 500 emails laced with malware targeted against individuals in senior managerial positions.

The precision attacks in the form of emails – often mentioned the name of the executive, his designation and other such personal information – are intended to lure the executives to open malicious attachments, says experts. According to an analysis by MessageLabs, 30 per cent of the attacks were aimed at Chief investment officers (CIO), 11 per cent were directed against Chief Executive Officers (CEOs); other job titles among the top ten targets included Chief Information Officers (CIOs), Chief Financial Officers (CFOs), directors of research, directors of developments and company presidents.

MessageLabs, suspects that these attacks are a handiwork of an organized criminal gang which has realized that C level executives make particularly good targets; the potential return from compromising a CEO is much bigger than compromising, say, a teenager still at school, email security system analysts say. “CEOs tend to have bigger bank accounts and access to such information can have substantial resale value. That is what they are aiming to achieve,” Alex Shipp, Anti-virus technologist and Imagineer, Message Labs told Chief Executive Online.

According to MessageLabs, there are a good number of Fortune 500 companies which are being targeted on a daily basis. “Some of the high profile organizations including the Fortune companies get attacked on a daily basis, says Alex Shipp. However, Shipp refuses to divulge the details of the victims, saying; “the organizations have asked us not to name them, and we have to respect this,” (Sic).

Zully Ramzan, senior principal researcher, Symantec security system, says that there is considerable evidence of organized criminal activity and existence of an underground economy which is a basis for such attacks. Increasingly, we are observing that there is an underground economy for all the elements that go into an attack. A black hat researcher may discover vulnerability in an internet browser and sell that information to a programmer who will use the information to infect many computers forming a botnet Ramzan points out.

A report published in eWeek says that right from adware and spyware installations to spam runs and phishing attacks, CPU cycles from botnets drive a billion-dollar underground business that thrives on lax computer security.

Botnets, – a collection of broadband-enabled PCs, hijacked during virus attacks and seeded with software that connects back to a server to receive communications from a remote attacker – are used for mostly for malicious purposes, especially for fraudulently acquiring sensitive information, such as usernames, passwords and credit card details. The hacker in this case is masquerading as a trustworthy entity in an electronic communication, today popularly known as phishing. “The programmer with the botnet may rent out its network to a spammer or a phisher who will use it to jam the network. Some programmers even create easy to use packages for other criminals to execute fraudulent online schemes. These packages surprisingly sophisticated include extensive management consoles that allow the hackers to easily configure the parameters of the attack and observe how successful it is, all from a single screen,” says Ramzan.

Though it is difficult to gauge the frequency of such attacks, Internet security experts, however, say that attacks on executives have been consistently increasing for quite some time. MessageLabs has released figures showing 100 per cent increase in malicious emails to C- level executives. According to inputs from MessageLabs, two years ago the company intercepted at least two to three such attacks every week Last year figure shows five fold increase to about 15 emails every week and this current year the figure has reached its all time high with 50 to 60 malicious emails every week directed towards c – level executives.

“We believe that one gang is now experimenting with this type of attack to see whether it improves their rate of returns. During the same corresponding period, we have also seen attacks by the same gang but on a broader scale. They are probably comparing the rate of returns from these two specific targets,” says Alex Shipp.

On questions about the existence of such gangs, Shipp says that most of the email attacks are routed from Asia-pacific region. “We note that a large number of attacks are similar in nature to those noted elsewhere as ‘Titan Rain’ (U.S. government’s designation given to a series of coordinated attacks on American computer systems since 2003),” he says adding further that Asia Pacific may not be necessarily the place of true origin. MessageLabs says that it analyzes these attacks based on certain criterion which is unique to it. “To further elaborate on this is like providing the information to the notorious gangs, says Shipp with vivid apprehension.

The Better Business Bureau (BBB) has issued a warning on email phishing scam that uses messages claiming to be from BBB, in an effort to entice users to click on a malicious link. SecureWorks, which investigated this scam and located a stolen data repository, says that these phishing attacks were highly targeted and aimed at specific executive level company managers. The investigations further revealed that as of May 25th, there are as many as 1400 victims and 145 megabytes of data in the repository. Approximately 70 MB of data is being collected daily. High net worth individuals could be very lucrative targets. In this case, the attackers are hoping to get a high yield from one successful attack. In contrast, many hackers also launch wider scale attacks to churn out several achievements albeit at a smaller scale, says Ramzan.

“The companies that are facing the malware brunt are primarily big corporations including some of the Fortune companies. So, we think this is a whaling attack, throwing large quantities of plankton with a desire to catch a large whale, and if they can compromise the right person this could be worth vast amounts of money,” says Alex Shipp.

Email security experts, point out that it is highly essential for the CEOs to take immediate steps to check this menace. Further negligence would mean losing confidential information and thereby affecting the overall performance of the company. “Executives should be suspicious of any unsolicited email containing an attachment or a link, even if it mentions the identity of the company and promises information on some critical data of the company,” says Joe Stewart, senior security researcher at SecureWorks.

Experts are of the view that exposure to personally sensitive information can have serious repercussions. Most common and crucial among them, they say is the identity theft. “In case of a more targeted attack, information sensitive to a business can be abused by selling trade secrets; or a data breach would mean personal information of customers is at jeopardy,” Ramzan reiterates.

When an executive’s PC is compromised the attacker can easily gain access to any information stored in his victim’s desktop. Information on personal and company bank accounts, retirement funds, stock brokerage accounts, all stands exposed and this can lead to siphoning of the company’s capital and investments. “Company secrets harvested through this attack could be sold to potential rivals and they can manipulate the stock prices,” warns Joe Stewart adding further that a compromised PC is like giving unfettered access to an outsider.

Executives must make sure that they have defense in depth strategy and they must keep a constant vigil, frequently mining data sources and devising counter measures as and how the bad guys come up with new phishing schemes, says Stewart. “For tackling such a potential threat the end-user should have a comprehensive security solution installed on his / her machine and there should be a consistent mechanism by which incoming emails can be scanned for malicious code prior to reaching the inbox of a CEO,” says Ramzan.

Internet security analysts feel that creating awareness and educating the employees of the company can also be one of the important tasks for the senior executives to be taken up on an emergency basis. “Awareness that they are now being targeted is a key to precaution by itself,” explains Stewart.

Stewart further laments that there is precisely no mechanism to consistently check harmful social engineering emails. “When it comes to social engineering emails (emails containing hacker-speak for tricking a person into revealing their password) there is no single technical counter measure that works for very long, so there must be a constant effort by human analysts to stay ahead of the game and protect their customers,” adds Stewart.

Alex Shipp feels that despite all the precautions it is still very difficult to check these attacks. “These attacks are hard to stop by using signature based technologies, because the attack is generally executed well before the signatures are released,” he says adding that most big security vendors are still stuck with the model of creating signatures for the last piece of malware they missed. “In today’s world this never works, because the criminals bring changes to the malware prior to the release of signatures. So security vendors must create signatures for the next piece of malware that is likely to be released by these hackers. Creating heuristics – the ability to come up with a preventive measure even before the attack is planned – is still an art most security companies need to muster,” says Shipp.

Experts assume that these attacks would continue to bother the executives. “The threats will only increase as criminals think of more ways to extract money from their victims. And of course email is one basic platform. For instance, we have recently seen a large upsurge in malware, which is designed to steal information on accounts used in online gaming, because these are valuable resources,” says Shipp.

However, according to Ramzan, though email seems to be the popular mechanism in place right now, situation is constantly evolving. “As email security solutions improve, attackers will shift their focus more towards other targets. For example, we have seen phishing instances over cellular instant messaging,” he says.