Over the last month the retail sector has become the target of spear phishermen, who use a particularly devious and hard-to-detect form of targeted attack, according to the cybersecurity firm MessageLabs Intelligence.
In a targeted attack, cybercriminals go after only a few individuals within a particular company in the hopes of compromising the individual’s machine and gaining access to sensitive data, intellectual property, or confidential internal systems.
From mid- to late September, Symantec’s MessageLabs analysts identified a disproportionate increase in targeted attacks aimed at the retail sector.
“The number of attacks against the Retail sector jumped to 516 in just the last month alone, compared with the earlier monthly average of just seven attacks per month for much of 2010,” according to MessageLabs’ monthly report for October. “The Retail sector had not been the focus of such a major concentrated targeted attack campaign in previous years.”
Until the last month, targeted attacks against the retail sector accounted for only 0.5 percent of all targeted attacks. Now they account for a quarter of all attacks. Yet the 516 attacks targeted just six organizations, which MessageLabs kept anonymous, and the firm believes the true targets were just two organizations. It believes the motive behind the attacks was to obtain sensitive client records.
“The spear phishing attacks, launched in three waves each one week apart, used social engineering techniques to distribute legitimate-looking emails from HR and IT staff of the targeted organization but in actuality contained malicious attachments,” said MessageLabs Intelligence Senior Analyst Paul Wood.
This is what makes spear phishing attacks so hard to defend against. In the case highlighted by MessageLabs, individuals received e-mails from senders they believed were high-level HR and IT staff in their own company. The e-mails either asked them to open the attachment for security reasons or enticed them to open it by naming it something interesting, like “new_salaries_2011.pdf” or “EmploymentOpportunities.xls,” along with language describing what’s inside them. Once these attachments were opened, a malicious payload was delivered to the victim’s computer.
In the e-mail whose subject line read “securityupdate.zip,” the e-mail’s body further persuades the recipient that the e-mail is legitimate by deftly dissuading the individual from contacting their IT department.
“If you have any questions please don’t hesitate to contact IT Security personnel by replying to this email,” the e-mail read, “but bear in mind that it might take some time to answer your questions since we are currently applying the fix to all the affected servers to minimize the company’s risk and exposure.”
Overall, MessageLabs also finds that more and more cybercriminals are turning to targeted attacks. When such attacks were first discovered five years ago, MessageLabs tracked only one or two per week. In October 2010, the security vendor blocked about 77 targeted attacks per day.
“While targeted emails by nature are sent in low volumes, they are one of the most damaging types of malicious attacks,” said Wood. “We have seen a constant influx of targeted attacks over the past six months with the type of organization targeted changing on a monthly basis and the number of targeted users increasing each month.”
♦ Graphs courtesy of Symantec's "MessageLabs Intelligence October 2010" report