SAN DIEGO, CA--(Marketwire - Jul 8, 2011) - EdgeWave, Inc. (
The body of the message starts with the salutation "Exclusively for [targeted individual]," with the recipient's full name in place of the bracketed text. The message goes on to describe the tax forums, a topic that would interest few people beyond tax practitioners. The IRS does in fact host such events, and a quick check confirms that the IRS is aware of the malicious campaign. This kind of targeted attack is called spear phishing, and it remains one of the most significant threats on the web today.
Attached to this message is a specially crafted Microsoft Word document containing an Adobe Flash-based exploit. To the victim, the document would appear blank, or it might crash the program. Either way, opening the document (named application_form.doc) initiates the attack against the user's system: code is executed which then downloads additional malicious software to run on the now-compromised system. That malware is typically associated with rootkits, which give attackers a backdoor into the system, allowing a remote attacker to monitor keystrokes, search the hard drive and even piggyback on encrypted sessions with online banking systems.
The vulnerability is catalogued as CVE-2011-0611, which Adobe rates "Critical"; it was initially discovered in April of this year, circulating in the wild as a zero-day exploit. This vulnerability was also implicated in some of the high-profile targeted attacks earlier this year.
At the time of our detection, the malicious .doc was recognized by only two of the 43 antivirus engines at VirusTotal. As of this writing, nearly 24 hours later, detection remains low: a paltry five engines, or not quite 12%, detect the malware.
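As an added defensive illustration (not code from EdgeWave or the original release), the following scan looks for embedded Flash (SWF) headers inside a document, the delivery mechanism described above, so that a gateway or analyst can flag such attachments before relying on antivirus signatures; the sample bytes are constructed and contain no real exploit.

```python
import struct

# SWF file signatures: "FWS" = uncompressed, "CWS" = zlib, "ZWS" = LZMA.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# OLE2 compound-file signature used by legacy .doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

def find_embedded_swf(data: bytes, max_len: int = 64 * 1024 * 1024) -> list:
    """Return (offset, signature, version, declared_length) for each
    plausible SWF header in data. The version and length sanity checks
    reduce false hits from the three-letter signature appearing in text."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while (off := data.find(magic, start)) != -1:
            start = off + 1
            header = data[off:off + 8]
            if len(header) < 8:
                continue
            version = header[3]                           # SWF format version byte
            length = struct.unpack("<I", header[4:8])[0]  # declared whole-file length
            if 1 <= version <= 50 and 8 <= length <= max_len:
                hits.append((off, magic.decode(), version, length))
    return sorted(hits)

def triage_document(data: bytes) -> dict:
    """Summarise the indicators a mail gateway or analyst would act on."""
    swf = find_embedded_swf(data)
    is_ole = data.startswith(OLE_MAGIC)
    return {"is_ole_doc": is_ole, "embedded_swf": swf,
            "suspicious": is_ole and bool(swf)}

# Constructed sample: OLE header, 8 bytes of padding, then a fake zlib-compressed
# SWF header (version 10, declared length 1234) followed by filler bytes.
SAMPLE_DOC = (OLE_MAGIC + b"\x00" * 8
              + b"CWS" + bytes([10]) + struct.pack("<I", 1234) + b"\x00" * 32)

if __name__ == "__main__":
    print(triage_document(SAMPLE_DOC))
```

A Flash object stored inside a compressed OLE stream would not be visible to a raw byte scan; extract the stream first and run the same check over its contents.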
"The general trend in spam has shifted from a vehicle for advertising dubious products and services to one of being a vector used to target specific individuals as part of a larger, concerted attack," said Cameron Schmauch, Security Software Engineer at EdgeWave. "Protecting against these threats is nontrivial and there are vast differences among security providers in their ability to protect their clients from Advanced Persistent Threats (APTs) and spear phishing attacks. These kinds of spam campaigns serve as a sobering reminder that not all solutions are up to the task of contemporary email-borne threats."
This campaign is a continuation of a string of Advanced Persistent Threats which security researchers are coming to know as the new face of spam. Over the past year spam has turned toward low-volume, more specific targeting and innocuous-seeming, or downright misleading, content. A single click could grant cybercriminals potentially thousands of miles away access to the machine (and the privileged access that machine enjoys in a larger network context). Spam volume may be down, but the threats are more sophisticated and dangerous than ever.
Visit EdgeWave's Security blog for more details on this campaign. Screen captures and images of the campaign are available upon request.
About EdgeWave, Inc.™
EdgeWave, Inc. (
Based in San Diego, California, EdgeWave markets its solutions through a network of value-added resellers, ISPs and MSPs, distributors, system integrators, OEM partners and directly to end users. For more information about EdgeWave, visit www.edgewave.com.
©2011 EdgeWave, Inc. All rights reserved. The EdgeWave logo, iPrism, iGuard, and the Red Condor Logo are trademarks of EdgeWave, Inc. All other trademarks and registered trademarks are hereby acknowledged.
Contact Information:
Media contact:
Lorrie Hunsaker
EdgeWave
(858) 524-2041