Spear phishing campaign could have “unimaginable” consequences

Written by John P Mello Jr on December 2, 2010

iStealer is part of nasty package unloaded on guppies by phishers.

A spear phishing campaign directed at email service providers could have far reaching consequences, including increased attacks on online shoppers.

The attacks are organized, deliberate, destructive and clearly aimed at grabbing access to industrial-grade email deployment systems. The potential consequences of the mailing lists of major email service providers being compromised at this time of year are “unimaginable,” according to one security executive.

The spam campaign is at least five weeks old, probably older, and targets less than 3000 email addresses. It’s the quality, though, not quantity, of those email addresses that matter. They belong to staff members of more than 100 email service providers and gambling sites.

Messages sent to the addresses appear to be from friends or co-workers and have been sent from a variety of systems including the ESP systems themselves, greeting card sites and a botnet. They can be very chatty, too, although the bane of all spammers–grammar, punctuation and typography–should raise the suspicions of anyone receiving one of them. Here’s a sample of one posted by the security executive.

“Hey [Name], it’s Michelle here, it has been a long time huh ? how’re you doing ? how’s your work with [company] ? Is everything ok there ? Hey, can you believe it! I got married to Brian ! Yes I did. I tried to call but you did not answer. You have changed your number, haven’t you? Just give meyour [sic] current telephone number if you read this mail. It’s really a pity that we did not see you in our wedding. I wanted to invite you so much. Well, here I’m sending you a few pics taken in our wedding…”

A target who follows the URL for the wedding pics is redirected to a rogue website that secretly plants some very nasty malware on his or her computer. The pernicious programs are these:

  • Win32.BlkIC.IMG–a malware program that disables anti-virus software. A test of the malicious software at Virus Total showed that only two of 40 anti-viral programs actually recognized the bad app.
  • iStealer–a Trojan keylogger that steals passwords. Once the malware infects a system, it immediately checks all the cache files and gathers all the usernames and passwords used from the system. It’s a very versatile application capable of nicking passwords from everything from instant messaging services–MSN Messenger, Google Talk, Trillian, Pidgin and Paltalk–and browsers–Firefox, Internet Explorer (including version 8), Opera and Google Chrome–to FTP programs–CuteFTP, FileZilla, SmartFTP and FlashFXP–and DNS providers–NO-IP and DynDNS.
  • CyberGate–an administration tool that allows an infected computer to be controlled remotely by  a hacker. According to the terms of use for CyberGate, it’s “in no way, shape or form be used to endanger public or to commit any kind of illegal activity.” Apparently, like many computer users, hackers don’t read terms of use agreements.

“The attacks are a textbook example of how organized thieves can abuse trust relationships between companies to access important resources that are then recycled in future attacks,” security expert Brian Krebs wrote in his blog.

Krebs spoke to a security manager whose organization, an ESP, had been compromised by the spear phishers.

The manager traced the attack to some Internet addresses in the Netherlands where he uncovered evidence that other ESPs had been compromised. It appeared that the hackers were gaining control of customer accounts and email addresses with the intent to use them later for spam and scam campaigns, he said.

Signs of the nefarious activity were detected by the manager in April when one of his company’s clients, a small church with some 200 members, began sending email to half a million to a million people.

“It took us until September to get the full visibility into what [and] how this was being done,” the manager told Krebs. “What we pieced together was a compromise through our image uploading [feature]…a .jpg file with malicious code in it.”

The manager noted that the spam messages sent to customers of his company’s clients were the same as those in a campaign described recently by the SANS Institute.  The messages in the campaign pretend to be from Adobe and invite their recipients to click on a link to download a new version of Adobe Reader for Windows and the Mac.

SANS advises administrators: “Consider letting users in your organization know about these Adobe spam activities, so that they don’t attempt to download and install software coming from an untrusted source.””

  • (required)
  • (required)