Symantec Finds New Wave of Impersonation Cyber Attacks

Symantec Corp. (Nasdaq: SYMC) announced the findings of its February Symantec Intelligence Report, which shows a new wave of cyber-attacks designed to impersonate a well-known business mediation and arbitration service in North America.

Businesses are being targeted with emails purporting to originate from the US Better Business Bureau, socially engineered to suggest that a complaint had been filed against the organization and the details of the complaint could be found in the file attachment, which would lead to a PDF file that contains an embedded executable or a URL that leads to the malware.

“These attacks are reminiscent of similar incidents that were first reported in 2007, when C-level business executives were being targeted with emails that purported to originate from the US Better Business Bureau (BBB). The new wave of attacks bear similar social engineering techniques to the 2007 attacks, although recently the attackers are using considerably more advanced techniques, including server-side polymorphism, making them especially protean in nature,” said Paul Wood, cyber security intelligence manager, Symantec.

“Server-side polymorphism enables the attacker to generate a unique strain of malware for each use, in order to evade detection by traditional anti-virus security software. Scripts such as PHP are commonly used on the attacker’s Web site to generate the malicious code on-the-fly. Like the Greek sea-god, Proteus, the continually transforming nature of these attacks makes them very difficult to recognize and detect using more traditional signature-based defenses,” Wood said.

This month’s report also reveals that cyber criminals tapping into the zeitgeist was particularly noticeable in the week running-up to St. Valentine’s Day, as the volume of spam messages referencing the event rose by as much as three and a half times the daily average for that week. The volume started falling off again after February 14, with a late spike occurring on February 16, when almost 6 times the daily average volume of emails referencing the special day was recorded.

Other Report Highlights:

Spam: In February 2012, the global ratio of spam in email traffic fell by 1.0 percentage points since January 2012, to 68.0 percent (1 in 1.47 emails). This follows the continuing trend of global spam levels diminishing gradually since the latter part of 2011.

Phishing: In February, the global phishing rate increased by 0.01 percentage points, taking the global average rate to one in 358.1 emails (0.28 percent) that comprised some form of phishing attack.

E-mail-borne Threats: The global ratio of email-borne viruses in email traffic was one in 274.0 emails (0.37 percent) in February, an increase of 0.03 percentage points since January 2012. In February, 27.4 percent of email-borne malware contained links to malicious Web sites, 1.6 percentage points lower than January 2012.

Web-based Malware Threats: In February, Symantec Intelligence identified an average of 2,305 Web sites each day harboring malware and other potentially unwanted programs including spyware and adware; an increase of 9.7 percent since January 2012.

Endpoint Threats: The most frequently blocked malware for the last month was WS.Trojan.H. WS.Trojan.H is generic cloud-based heuristic detection for files that posses characteristics of an as yet unclassified threat. Files detected by this heuristic are deemed by Symantec to pose a risk to users and are therefore blocked from accessing the computer.