Trojan Horse E-mails Suggest Trend Toward Targeted Attacks

A report on Trojan horse e-mail attacks against critical infrastructure systems in the United Kingdom highlights an emerging trend away from mass-mailing worms and viruses to far more targeted ones, analysts say.

The UK's National Infrastructure Security Co-Ordination Center released a report this week disclosing that more than 300 government departments and businesses were targeted by a continuing series of e-mail attacks designed to covertly gather sensitive and economically valuable information.

Unlike with phishing and mass-mailing worms, the attackers appear to be going after specific individuals who have access to commercially or economically privileged information, the report says.

The attacks involved the use of e-mails containing so-called Trojan horse programs or links to Web sites containing Trojan horse files. Once installed on a user's system, Trojan horses covertly run in the background and perform a variety of functions, including collecting user names, passwords, and system information; scanning drives; and uploading documents and data to remote computers.

"The e-mails use social engineering to appear credible, with subject lines often referring to news articles that would be of interest to the recipient," the report says. "In fact, they are 'spoofed,' making them appear to originate from trusted contacts, news agencies, or government departments."

Information Theft

The report highlights how hackers are starting to tailor their attacks and go after specific high-value targets instead of simply launching mass-mailing worms and viruses, says Mark Sunner, chief technology officer at MessageLabs, a New York-based provider of e-mail security services.

"Certainly for the last few years, what everyone perceived to be the main issue was the mass-mailing worm," Sunner explains, adding "But there does seem to be a new trend where e-mail viruses are being created with the express intention of getting into specific organizations and planting Trojan horses or keystroke loggers." Over the past year, MessageLabs has been intercepting a growing number of such e-mails, he says.

Another big message here is that "information theft is becoming one of the major aims of people writing these e-mail Trojan [horses]," according to Richard Wang, manager of Sophos, a vendor of antivirus products with offices in Lynnfield, Massachusetts. "The vast majority of the Trojans mentioned in the NISCC paper are Trojans that are used to steal information."

But enterprises that follow long-established best practices related to e-mail security should not have a hard time dealing with these threats, Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pennsylvania, says.

"It doesn't surprise me at all that these sorts of attacks are possible," Lindstrom adds. Government agencies, especially, have lots of published e-mail addresses, he notes. "Because e-mail spoofing is so simple, there is no reason not to try these attacks using phishing and other techniques."

However, the trend toward targeted e-mail attacks shouldn't "bother any security professional worth his salt," Lindstrom says. Standard precautions such as updated antivirus signatures, attachment filtering, and antispam measures should be enough to identify and mitigate the risk, he and other experts say.