An e-mail attack that dresses itself up as a complaint filed with the Better Business Bureau has infected the computers of more than 1,400 executives, according to an analysis published by a security firm on Friday.
As reported previously by SecurityFocus, the phishing attack uses details apparently culled from public sources to tailor the e-mail message with a company's name, the name of a senior executive and the executive's e-mail address in an attempt to convince the person to open an attachment. There appear to be two variants of the Trojan horse program, one that uses a browser helper object to collect all information that passes through the victim's browser and another that uses a more traditional keylogger, according to an analysis written by SecureWorks security researcher Joe Stewart.
Stewart found that the first variant had collected information on the online activities of more than 1,400 business executives, totaling more than 145 Mbytes of data.
"Most phishing/keylogger schemes we see are not targeted -- they aim to send millions of emails to random addresses in hopes that they will be able to collect the specific data they are looking for from that small percentage of users that a) uses that particular bank or service, and b) is unknowledgeable about phishing or malware," Stewart stated in the analysis. "In contrast, the BBB phishing Trojan attempts to collect all interactive data sent out from the web browsers of a small set, relatively speaking, of very high-value targets."
The BBB attack resembles previous targeted attacks against companies, even though those attacks typically targeted fewer than 10 people per attack. Such attacks are on the rise, with most appearing to come from China.
The most recent attack, which sends personalized messages much more widely, matched a mass-mailed Trojan horse sent out in February from a hacked server of a Georgia firm. Several firms -- including Sunbelt Software, Websense and SecureWorks -- have analyzed the malicious code included in the latest version of the attack.
Posted by: Robert Lemos