Friday, July 15, 2011

A Look inside Targeted Email Attacks

The number of targeted attacks has increased dramatically in recent years. Major companies, government agencies, and political organizations alike have reported being the target of attacks. The rule of the thumb is, the more sensitive the information that an organization handles, the higher the possibility of becoming a victim of such an attack.

Here, we’ll attempt to provide insight on a number of key questions related to targeted attacks, such as where did the malicious email come from, which particular organizations are being targeted, which domains (spoofed or not) sent the email, what kinds of malicious attachments did the emails contain, etc. Our analysis of the data showed that, on average, targeted email attacks are on the rise:


Figure 1. Targeted attacks trend
 
Origin
For this analysis, we first looked at the origin of the email messages. The emails were launched from 6,391 unique IPs across 91 different countries, spread throughout the world. Based on the representative set of data we have, below is a regional breakdown of email-based attacks:


Figure 2. Malicious email origin, by region
 
General Targets
Now, we ask ourselves, which sector is the most likely target of these attacks? Below are the top 10 most targeted types of organizations, derived from the domains that the emails were sent to:


Figure 3. Malicious email attack targets, by industry

Three out of the top 10 are governmental agencies. Among the remaining seven organizations, four have strong ties to either local or international governmental bodies. Two organizations (in sixth and tenth position) are not under governmental control; however, their business operations are heavily regulated and may be influenced by governmental organizations.

Governmental organizations are obviously targeted for their politically sensitive information. But why target NPOs and private companies? It’s a foot-in-the-door technique. By compromising those companies with strong ties to government agencies, attackers may acquire contact information for government personnel and craft their next attack around that stolen information.

In one particular organization, ranked 7th on our most targeted list, we observed the following:

•    Forty-one people received 10 or more emails, making up 98% of the total attack emails sent to that organization.
•    The remaining 2% of emails were targeted at 13 others, resulting in an average of less than two emails per person.

This clearly indicates that certain individuals are targeted more than others, probably because of their profile or particular status within the organization. In this organization, the President, Vice President, Directors, Managers, and Executive Secretary were all targeted. All of their profiles—including email addresses and job titles—are publicly available, which is most likely how malicious attackers got hold of their information in the first place.

Having said that, targeting the top-ranking personnel in an organization is not a “must” for attackers; often, targets are likely to include P.A.s as well as I.T. staff (who often have administrative rights on the target infrastructure). Once the attacker successfully infects or compromises one machine in the organization, they then have the potential to compromise other machines or devices on the same network. This may enable the attackers to harvest further contact information (belonging to other organizations) along the way, which leads to future attacks against different entities—the attackers just need that initial foot in the door.

Specific Targets
We’ve looked at the sectors that are the most targeted in our email collection, but what of the individuals themselves? The following graph shows the number of email messages that the top five targeted email addresses (not domains) received over the past two years:


Figure 4: Volume of email received by the top five targeted email addresses

All victims experienced regular spikes followed by a remission. This essentially means that if a user does not receive malicious emails at a particular point in time, he or she will probably receive them sometime in the near future. Perhaps the attacker is lulling the user into a false sense of security in an attempt to strike when his or her guard is down.

In the below graph, victims 3 and 4 belong to the same organization. We can see that they share a very similar trend regarding the timing and volume of emails received:


Figure 5: Victims 3 and 4 belong to the same organization

This suggests both victims were targeted by the same attacker, probably for the same reason. The next graph shows the distribution of the number of email messages versus the number of users:


Figure 6: Email distribution compared to number of recipients

There were 23,529 users who received 10 or less emails, but you would think that the majority of the emails were received by those recipients. Interestingly, the top 833 recipients who received 11 or more emails account for 30.55% of the total attack emails, while the bottom 23,529 recipients account for 69.44%. Again, this shows that a small fraction of the total recipients (3%) received a large portion (one third) of the total emails sent.

Filetype
We have identified the most targeted organizations and looked at some of the individuals in those organzations. Now, let’s identify the most common file types used for malicious attachments in email-based attacks.


Figure 7: Top 10 attachment file types

PDFs lead the way, followed by Microsoft Word’s .doc format. Somewhat surprisingly, executables (.exe) make up almost 10% of the volume. Most organizations block executable attachments at the gateway, for good reason, so this would seem to be a fairly poor choice by attackers. PDFs and MS Word attacks usually follow two distinct patterns of infection: by exploiting vulnerabilities in the application or by a malicious file embedded in the document. Both methods require the document to be opened by the recipient. The former can be prevented by applying patches as soon as they are released, and the latter can be avoided by education and awareness.

Looking at the top 10 malicious emails sent to the top 10 most targeted organizations shows:

•    Ninety-five percent of the time, 10 or more emails are sent to the same organization.
•    Approximately 60% of the emails sent to those organizations appeared to be tailored (more attractive) for each organization, hence increasing the chances of those emails being read and their attachments opened.

What this tells us is that attackers didn’t target specific individuals within an organization; rather, emails were dispersed to maximize the chances of infiltrating the organization. This is a clever move by attackers. As is repeatedly indicated throughout this blog, a foot in the door is all that is required to inflict further damage to the target.

Conclusion
So, now that we’ve looked at some of the trends apparent in this relatively large subset of phishing emails, it must be pointed out that none of the emails in question actually made it to the intended targets because they were, of course, blocked by Symantec.cloud technologies.
In summary:

•    On average, targeted email attacks increased during the two-year period we looked at.
•    The more sensitive the information that an organization handles, the higher the probability of becoming a victim of such an attack.
•    The government/public sector is the most targeted industry.
•    A small percentage of people receive the bulk of the emails.
•    The attachments of choice are .pdf and .doc, making up a combined 67% of all targeted email attachments.
•    Some targeted attacks can be extremely well crafted and quite convincing.
•    Certain organizations and companies make for more attractive targets than others.
•    The people who work for these “higher value targets” need to take extra special care when dealing with emails that contain attachments or links.

If you receive an email that you think is suspicious, err on the side of caution and ask your I.T. department for assistance before you click.

If you would like to obtain additional information on email trends and figures, Symantec Inteligence reports are freely availlable in PDF format at http://www.symanteccloud.com/globalthreats/overview/r_mli_reports.

By:  Shunichi Imano