Criminal Ring Continues Exploits

MessageLabs revealed new data on the levels, victims and sources of targeted email attacks in April 2007

NEW YORK -- MessageLabs, a leading provider of integrated messaging and web security services to businesses worldwide, today revealed new data on the levels, victims and sources of targeted email attacks in April 2007. Last month MessageLabs intercepted 595 emails in 249 separate targeted attacks aimed at 192 different organizations. Of these, 180 were one-on-one targeted attacks. These numbers represent a decrease compared to last month largely due to a drop in attacks by a Taiwanese criminal ring, “Task Briefing,” using the CVE-2006-0022 PowerPoint exploit. There was also a decline in attacks using .exe files. Ninety-five percent of targeted attacks in April 2007 used Microsoft Office suite exploits.

Microsoft Word has once again become the most common exploit vector, with an increase in attacks using Word documents that contain the SmartTag exploit, CVE-2006-2492. These attacks have increased dramatically since March 2007, from four attacks sent to four single recipients to 66 attacks sent to 273 recipients in April.

Although PowerPoint attacks decreased in April, those that used the CVE-2006-0022 exploit were carried out by the Taiwanese criminal gang “Task Briefing,” named for the subject line of the emails it uses. The ring made six attacks this month, the longest of which lasted 45 hours, sending 61 emails that accounted for 10 percent of all targeted emails in April. In March, the same gang sent 151 emails accounting for more than 20 percent of targeted attacks.

“This month we saw a significant surge in documents using the CVE-2006-2492 exploit,” said Alex Shipp, Senior Anti-virus Technologist, MessageLabs. “On first sight, it appears that more than one hacker ring is using this Microsoft Word exploit, and so an exploit generator kit might exist, although this has not yet been found.”

One additional attack, using the same PowerPoint exploit but originating from an IP address in China and targeting 14 Japanese email addresses, suggests that there may be a second criminal ring in operation.

MessageLabs Ltd.