Below is a note we sent to our Email Service Provider (ESP) partners this morning alerting them to a spear phishing campaign targeting ESPs. Spear phishing attacks are targeted and effective, with tremendous potential to damage corporate security.
We have become aware of a serious phishing attack aimed specifically at ESPs, some direct mailers, and gambling sites.
Over the course of the past five weeks, spam campaigns have been aimed at the staff members of over 100 ESPs and gambling sites. These targets have received emails typically with content that mentions the staffer by name, and purports to be from a couple, presumably friends or co-workers.
The phish message has been sent numerous times over several different systems, including through the facilities of some ESPs, via online greeting card sites, and by way of a botnet. Sources confirm the list of addresses is very small (fewer than 3,000 addresses) and aimed 100% at staff responsible for email operations.
Here is an example of what we have seen here at Return Path:
Hey Neil, it’s Michelle here, it has been a long time huh ? how’re you doing ? how’s your work with Return Path ? Is everything ok there ? Hey, can you believe it! I got married to Brian ! Yes I did. I tried to call but you did not answer. You have changed your number, haven’t you? Just give me your current telephone number if you read this mail. It’s really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I’m sending you a few pics taken in our wedding:
Let’s keep in touch then.
Michelle & Brian
The URL above was in fact a fake; the link actually led to a different website hosting malware.
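As an added example (not part of the original note), a small check for the pattern just described: a link whose displayed URL and its real destination point at different hosts. The message, addresses and URLs below are constructed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the phish: the visible text shows one host,
# the href points at another (placeholder addresses, not real indicators).
SAMPLE_EML = """\
From: "Michelle" <michelle@example.net>
To: neil@example.com
Subject: long time no see!
Content-Type: text/html; charset=utf-8

<p>Hey Neil, here I'm sending you a few pics taken in our wedding:</p>
<p><a href="http://203.0.113.7/pics.exe">http://photos.example.net/wedding/</a></p>
<p>Let's keep in touch then.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(raw_eml):
    """Return [(visible_text, real_href)] for links whose displayed text is a URL on a different host than the href."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:          # plain-text only mail: nothing to compare
        return []
    parser = LinkCollector()
    parser.feed(body.get_content())
    found = []
    for href, text in parser.links:
        shown, real = urlparse(text), urlparse(href)
        if shown.scheme in ("http", "https") and shown.hostname != real.hostname:
            found.append((text, href))
    return found
```

A hit is a signal to quarantine or flag the message for review, not proof of malice on its own; legitimate newsletters with tracking redirects also trigger it.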
The specific malware associated with these campaigns is particularly bad:
1. Win32.BlkIC.IMG, which disables anti-virus software. Only two out of the 40 anti-virus engines at VirusTotal detect it.
2. iStealer, which is a Trojan keylogger that steals passwords
3. CyberGate, a “remote administration tool” trojan that lets the criminals control the computer moving forward
This is an organized, deliberate, and destructive attack clearly intended to gain access to industry-grade email deployment systems. Further, the potential consequences should ESP client mailing lists be compromised at this time of the year are unimaginable.
WHAT TO DO
We are sorry to be reporting such bad news, but the sooner awareness is spread, the better. Together we can help mitigate this attack, and bring the perpetrators to justice.
Should you have any questions or need assistance in this regard, feel free to contact me; I will be checking email throughout the holidays and over the weekend.
Senior Director, Security Strategy – Email Intelligence Group
Return Path Inc.