Most Targeted Attacks Sourced From China: Symantec


The finding was revealed Thursday in Symantec's March 2010 MessageLabs Intelligence Report, which in particular focused on the growing trend of targeted phishing attacks and malware.

Researchers analyzed targeted attacks -- phishing e-mails sent to specific individuals in low volumes in an effort to access sensitive corporate data -- and found that, based on mail server location, the majority initially appeared to come from the U.S. However, when researchers analyzed the attacks by sender location, a larger number actually originated in China (28.2 percent) and Romania (21.1 percent) than in the U.S. (13.8 percent).

However, security experts said that the analysis couldn't distinguish between a message sent by an individual spammer and one sent as part of a botnet.

"That doesn't necessarily put the spotlight on China. When the bad guys conduct some of their spam runs, they use botnets that are globally distributed," said Paul Wood, MessageLabs Intelligence senior analyst. "It could be there are people within China sending those messages, or a population of computers under someone else's control used to send those messages."

Additionally, the report revealed that the top five roles targeted by hackers are director, senior official, vice president, manager and executive director. Meanwhile, the report found that the professionals most often targeted with malware hold jobs in foreign trade and defense policy, especially in relation to Asian countries.

Wood said that most of the information regarding job title and contact information could be found online, thanks in part to the abundance of social networks.

"We found it surprisingly easy to find information on individuals just using the Internet alone," he said. "That can be used to compile enough information presumably in advance of an attack to make it more convincing."

A significant number of targeted attacks were conducted with malicious files attached to e-mails, the most common files being .XLS, .DOC, .ZIP and .PDF, Wood said. Meanwhile, the most dangerous files were the encrypted .RAR files, which accounted for approximately 1 in 312 malicious attachments in March, but were compromised 96.8 percent of the time when attached to an e-mail.

Finally, the MessageLabs Intelligence report observed that the Rustock botnet has experienced a revival, sending out more spam using Transport Layer Security (TLS), which encrypts the channel between mail services to prevent people from eavesdropping on communications. Wood said that using TLS added an additional one to two kilobytes to the transaction.

Altogether, 77 percent of spam sent this month from the Rustock botnet was sent using the secure TLS connection, Wood added.

Wood also added that spam using TLS, which accounted for about 20 percent of all spam sent in March, was a particular nuisance for businesses because it put an unnecessary burden on the mail server, consumed enormous bandwidth and drained energy resources.

"The question is, why is it doing this?" Wood said. "The challenge for business is, if you have a large volume of spam messages bombarding your mail server, it's still a drain on your resources. Now it's becoming an even bigger drain."