HR, beware: Hackers are using “legitimate-looking e-mails from HR and IT staff of the targeted organization[s]” to send “malicious attachments,” according to the October 2010 Symantec MessageLabs Intelligence Report.
“Of the 516 attacks, only six organizations were the intended targets,” said MessageLabs Intelligence Senior Analyst Paul Wood, who said that two organizations were the main targets — and one of them “was the target of 63 percent” of the attacks.
“The spear phishing attacks [were] launched in three waves each one week apart,” he said.
According to Symantec, each wave consisted of one or two different e-mail messages using different themes. The first wave of e-mails targeted 50 recipients and spoofed an e-mail address from the firm’s senior HR executive with subjects referring to confidential salary information. The attachment contained a malicious PDF.
The second wave also spoofed an HR executive and targeted 20 recipients with a subject line pertaining to new employment opportunities. The attachment there was an XLS file.
The third wave spoofed one of the organization’s senior IT security executives, targeted 70 employees and requested action with a critical security update. The malicious attachment was a password-protected zip file.
When a recipient clicked on any of the attachments, a backdoor Trojan would be installed on the computer, giving the attackers access to any sensitive personal or corporate data.
Wood notes that when such e-mails are sent in low volumes, “they are one of the most damaging types of malicious attacks.”
In October, 1 in 1.26 million e-mails was a targeted attack, according to Symantec, which reported that the retail sector was hardest hit this month.
It probably wouldn’t hurt to send a message around to staff advising caution — no matter what industry you’re in.