Security Alert: Phishing Attack Aimed at ESPs
Below is a note we sent to our Email Service Provider (ESP) partners this morning alerting them to a spear phishing campaign targeting ESPs. Spear phishing attacks are targeted and effective, with tremendous potential to damage corporate security.
We have become aware of a serious phishing attack aimed specifically at ESPs, some direct mailers, and gambling sites.
Over the course of the past five weeks, spam campaigns have been aimed at the staff members of over 100 ESPs and gambling sites. These targets have received emails typically with content that mentions the staffer by name, and purports to be from a couple, presumably friends or co-workers.
The phish message has been sent numerous times over several different systems, including the sending infrastructure of some ESPs, online greeting card sites, and a botnet. Sources confirm the list of addresses is very small (less than 3,000 addresses) and aimed 100% at staff responsible for email operations.
Here is an example of what we have seen here at Return Path:
Hey Neil, it’s Michelle here, it has been a long time huh ? how’re you doing ? how’s your work with Return Path ? Is everything ok there ? Hey, can you believe it! I got married to Brian ! Yes I did. I tried to call but you did not answer. You have changed your number, haven’t you? Just give me your current telephone number if you read this mail. It’s really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I’m sending you a few pics taken in our wedding:
Let’s keep in touch then.
Michelle & Brian
The URL above was in fact a fake; the link led to a different website hosting malware.
The specific malware associated with these campaigns is particularly bad:
1. Win32.BlkIC.IMG disables anti-virus software. Only two out of the 40 anti-virus programs at VirusTotal detect this:
- Comodo Version 6822/20101123
- Norman Version 6.06.10/20101123
2. iStealer, which is a Trojan keylogger that steals passwords
3. CyberGate, a “remote administration tool” trojan that lets the criminals control the computer moving forward
This is an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems. Further, the potential consequences should ESP client mailing lists be compromised at this time of the year are unimaginable.
WHAT TO DO
- Contact your IT staff immediately and have them check your corporate server logs for any evidence of this spam having been sent to your systems. Even if you do not find evidence that you have been phished, assume you have. The subject line and content have changed many times over the course of the campaign.
- Have IT staff do a complete scan of all corporate desktop and laptop computers, with anti-virus software that is capable of finding these infections. Many software packages may pick up one, but not all, of these viruses, so they may have to run several scans with different software. If a computer cannot be scanned, particularly one with access to client email lists, production systems, financial & accounting applications, Salesforce or other CRM systems, shut it down until it can be scanned. This may be a major inconvenience; however, the alternative could be far worse.
- If you find a compromise has happened, gather all data, including logs, into a safe place. Then, report the breach. Investigators are already involved with this situation, and we would be happy to broker an introduction between them and your Security/IT staff.
We are sorry to be reporting such bad news, but the sooner awareness is spread, the better. Together we can help mitigate this attack, and bring the perpetrators to justice.
Should you have any questions or need assistance in this regard, feel free to contact me; I will be checking email throughout the holidays and over the weekend.
Senior Director, Security Strategy – Email Intelligence Group
Return Path Inc.