Social engineering gone bad

The prospect of company executives becoming targets raises IT managers' blood pressure for two reasons:

• The perpetrators often deploy sophisticated Trojans against company systems.

• They require a disturbing amount of inside corporate knowledge to work successfully.

"If I'm an attacker, I can always find some technical hole and use that, but I also need social engineering," says Zulfikar Ramzan, senior principal researcher for Symantec's Security Response team.

"To be believable, if I want to target the CEO of a company, I might look up the company record at the Better Business Bureau, find contacts and craft an e-mail saying maybe there's a problem with their BBB ranking," Ramzan says. Chances are a CEO would at least look at such a message if it appears to be legitimate.

On Sept. 12 and 13, 2007, MessageLabs detected 1,100 e-mails to senior executives at companies around the world. The messages, ostensibly from an employment recruiter, used a Microsoft error message to lure victims into clicking on an enclosed RTF attachment. That attachment contained an executable file that installed two files on the target computer that would then pass information back to the perpetrator.

F-Secure Corp., a Helsinki-based security company, has followed similar threats for two years. "It's obvious in these cases that the attackers have taken effort and time finding and researching the target," says Mikko Hyppanen, F-Secure's chief research officer.

In designing such messages and deciding on recipients, criminals use not only relatively sophisticated software tools, but the reams of publicly available information about corporate executives.

The latter data comes from US Securities and Exchange Commission documents and corporate Web sites and also from social networking sites, including LinkedIn, ZoomInfo, Facebook and even MySpace, where executives post information about themselves that can be seen by anyone who cares to look. Information about past jobs, college affiliations and major projects can all be used by social engineers to create messages that the recipients are likely to open.

"It is serious because they [send] an e-mail from outside but make it look like it's coming from inside the company, from someone who is in contact with the target. Maybe it's someone who works two floors up," HyppA¶nen says.

In such cases, the vehicle for the Trojan is a Word or Excel file containing the exploit. "It really is a document, but it's corrupted, and it will crash your version of Word and run the exploit."

F-Secure has seen cases where the exploit code is modified just enough to go undetected by the particular antivirus program the target company is running -- and the hackers have done the work of finding out just what those programs are. The lack of massive coding changes makes exploit code harder to detect.