Spammers looking to pilfer sensitive corporate data are going straight to the top. Last week, MessageLabs Inc., a security firm, revealed that senior executives of its corporate clients received a combined 1,600-plus messages during a two-hour span in June and a 16-hour span in September. Clearly, e-mail attackers are selecting their targets more carefully.
The attacks were deemed “Trojan horses” — messages carrying mild-looking attachments that turn malicious when opened. In September, messages supposedly coming from a recruiting firm used a Microsoft error message to persuade victims to unleash a file that retrieved sensitive information for the spammers.
“We’re seeing an evolved spam economy,” said Matt Sergeant, chief anti-spam technologist at MessageLabs. “Targeting at that level has become cheaper and much easier.”
Experts say the most sophisticated attacks entail capturing seemingly innocuous bits of information and then using that to elicit more data. Such a strategy is less dependent on technical savvy and relies more on basic deception — often fooling even the best minds in finance.
In January, NCC, a securities services vendor, sent 500 finance chiefs of London-listed companies a cryptic invitation to “the party of a lifetime.” The only information offered, apart from the date of the purported party, was an “RSVP” etched onto a memory stick. Deviously, NCC also slipped a bit of code onto the sticks that triggered security software, forcing users to choose whether to allow the program to run. A whopping 47 percent of recipients clicked “yes.” The program was benign and only notified a server back at NCC of which CFOs were duped.
“They use personal information to gain trust and gain more sensitive information,” said Rob Scott, managing partner of Scott and Scott LLP, a Dallas-based privacy and information firm.
Traditional spam attacks offering drugs, physical enhancements, or stock tips appear to be declining for finance firms. In fact, MessagLabs finds that the finance sector is one of the least spammed because companies take tough preventive measures and keep the e-mail addresses of their employees’ websites. But “malware” attacks such as the ones this summer are increasingly targeting executives, who hold the most precious corporate data.
“We’re seeing individual corporate espionage attacks where an employee, often of CEO or CFO level, will get a customized piece of malware designed to remove information from his machine,” said Sergeant.
The frequency of such attacks is rising, with two per week in 2005, one per day in 2006, 10 per day in May 2007, 514 in two hours this June, and 1,100 in 16 hours last month. The subject of data breaches has been especially sensitive in light of the recent loss of 45.6 million credit card numbers by TJX Companies Inc., an owner of retail brands. In that case, hackers used poorly protected wireless Internet connections in retail stores. The company is believed to be facing settlement charges of $139 million.
Data breaches are a risk to all companies. Scott and Scott performed a survey with the Ponemon Institute, a managment research firm, of 700 companies in the United States and found that more than 85 percent have experienced a data breach event. Of the companies polled, 59 percent face potential litigation, 33 percent are subject to fines, and 32 percent face a decline in share value because of the breach.