IT Risk Management


Data theft scam targets CEOs

Top execs in the firing line of "most sophisticated" email attack...

By Will Sturgeon

Published: 2 July 2007 14:26 GMT

Senior execs such as CIOs and CEOs are being singled out by increasingly sophisticated email attacks which one expert predicts could drive a wave of corporate data theft.

According to MessageLabs, emails carrying executable code and targeting high-level execs, or even their PAs in some instances, are circulating in very small numbers. However, it is the level of detail, rather than the pure numbers, that MessageLabs claims gives the greatest cause for concern.

On the afternoon of 26 June, MessageLabs intercepted 514 emails in one hour which included the name and job title of specific named recipients in the subject line. Further research revealed all named recipients were correctly addressed, except where their PA or assistant was being targeted.


Once launched, the executable code, embedded in a Word document, would install a Trojan and could relay sensitive information from Windows' folders on the recipient's PC, said Mark Sunner, chief security analyst at MessageLabs.

Sunner told silicon.com: "Although the numbers are tiny compared to major spam campaigns or the more common emails carrying viruses, in context this is very dramatic.

"This is about intellectual property theft of the highest order."

While most email users are familiar with high levels of very generic spam, such specific targeting may increase the risk of recipients opening the email, and in these instances, given the seniority of those recipients, the returns for criminals could be considerable.

Data theft is increasingly regarded as the greatest security threat companies face and a high-value crime for the bad guys.


Sunner added that these latest attacks are more sophisticated than other targeted attacks but said the development is in line with a move away from blanket-bombing spam campaigns to more tailored attacks, such as spear-phishing.

Information about many senior execs is widely available online as well as through Companies House in the UK. Sunner said increased business use of social networking sites such as Facebook is also increasing the amount of information available about individuals, allowing more targeted attacks.

As such, companies are warned to remain wary of any unsolicited emails, whether the content appears generic or highly tailored and genuine.

