In the race to protect enterprise data and systems, IT may find that current desktop antivirus protection methods aren’t sufficient. Hackers are using targeted malware attacks and social engineering schemes such as whaling to gain the upper hand.
Predicting the future of malware is no easy task, but it’s safe to say that desktop admins will have their hands full. Hackers around the world are starting to focus on specific organizations to gain access to sensitive data and destroy critical systems. Targeted malware attacks currently represent only a small portion of the attacks on corporate systems. But malware and phishing attacks are growing in sophistication, and cybercriminals are increasingly able to target certain users. Add to this a flourishing reservoir of professional hackers, their shared access to complex malware code and the fact that they're becoming better funded, and you have a formula for disaster.
The move toward targeted malware attacks
In 2010, hackers with reported ties to China broke through the computer defenses of the U.S. Chamber of Commerce and obtained details about the organization's operations and its 3 million members. The information included confidential documents and emails, as well as schedules, trip reports and meeting notes. Whoever carried out the operation knew which people to target and used advanced tools to gather intelligence. The Chamber of Commerce breach is only one of numerous targeted malware attacks that have been making news lately.
The key to carrying out this type of malware attack rests not only on malware that takes advantage of a system's vulnerabilities, but also on efficient social engineering schemes. Insiders can unwittingly provide malicious parties entry to enterprise systems through means such as phishing emails or exploited social networking vulnerabilities. End-user actions can circumvent normal desktop antimalware protections.
According to a 2011 Check Point Software Technologies survey, 48% of companies with more than 5,000 employees have been the victims of 25 or more social engineering schemes, with the costs of such attacks averaging $100,000 per incident. The attacks were carried out to gain competitive advantage, access proprietary information or seek financial gain.
But targeted malware attacks take the social engineering strategy a step further by targeting specific individuals in order to introduce malware into a user’s system. The goal of attacks such as spear phishing is to get victims to reveal information or take specific actions so malware can be uploaded to their computers. Once uploaded, the malware resides on the computer and collects sensitive information or spreads to the network in order to access secure data or do damage.
Going after the big fish with social engineering schemes
In a growing number of cases, attackers are using "whaling" to gain access to secure systems. Whaling refers to the process of going after an organization's "big fish" -- the high-level personnel with access to critical data. For instance, attackers will obtain information about an executive and use that data to create erroneous messages from "trusted" individuals. When the executive responds to the message, the door is opened to Trojan horses, spyware or other types of malware.
The social engineering component of targeted malware attacks can be as sophisticated as a Robert Ludlum novel. In one recently reported incident, hackers went after the spouses of a company's executives to try to uncover vulnerabilities in home PCs that would provide access to corporate resources.
More on malware attacks and phishing:
Software prevents online bank fraud, blocks phishing attacks
Ten most common enterprise security mistakes that admins still make
Is your enterprise protected from advanced persistent threats?
Preparing for Windows workstation security breaches
Discovering details about executives and their organizations has become a fairly easy task, thanks to the Internet. Executive bios can be found on a variety of websites, including corporate, alumni and social networking sites. And a few calls to corporate headquarters can often glean additional details, depending on how you pitch your story.
A cybercriminal might, for instance, suggest that he is writing an article about a particular corporation and is looking for information about the people who run in. By using online information and digging around for additional material, criminals can learn very personal details about the executives themselves as well as their co-workers, family members and closest friends.
With this information, cybercriminals can craft communications that specifically target high-level personnel. For instance, a criminal might fake an email from a co-worker to an executive requesting that the executive visit a website that “has some great tools on it.” The criminal -- or hired hacker -- will have set up the website to introduce malware into the enterprise’s network via the executive’s computer. The executive’s browser might display a prompt that an add-on is being installed, but the executive will let it be installed because the email seemed so authentic.
Once the malware infects the executive’s computer, it can reside on that computer or potentially infiltrate the enterprise’s network. In either case, the malware can collect sensitive data and periodically send it to the cybercriminal.
The malware can linger in supposedly secure desktops for months or even years. The attacker can download sensitive data and create back doors through which he can continue to access network resources and introduce other types of malware.
Who's behind the malware attacks?
When it comes to exploiting an organization's sensitive data, there's big money to be had. No longer is hacking merely the hobby of high-school whiz kids and wannabe geeks. Breaking through security walls has moved into the realm of cybercriminals, governments and organized activists.
Cyberespionage of this magnitude requires extensive intelligence and deep pockets. According to a Symantec report, in 2010, 431 million adults worldwide were victims of cybercrimes that amounted to $114 billion in losses. A report by the Ponemon Institute stated that cybercrime is costing large companies on average $5.9 million per company each year, a 56% increase over the previous year.
The future of targeted malware attacks is here
We're already seeing the consequences of targeted malware attacks, but the fallout so far has been relatively minor compared with what may lie ahead. That's not to say that other forms of malware won't play a critical role. For instance, platform-agnostic viruses and malware will no doubt emerge as major players in the next couple of years.
Targeted malware is growing into the tool of choice for cybercriminals, cyberterrorists and cyber-savvy governments, all of whom willing to commit significant resources to finding and exploiting enterprise security flaws. And because targeted malware attacks can be difficult to detect and even more difficult to protect against, full knowledge of these malware attacks is often late in coming, usually well after the damage has been done.
ABOUT THE AUTHOR:
R.H. Sheldon is a technical consultant and freelance technology writer. He has authored numerous books, articles and training material related to Microsoft Windows, relational database management systems, and business intelligence design and implementation. You can find more information at his website, http://rhsheldon.com.
This was first published in February 2012