The messages claim to be a complaint from the federal Department of Justice against the recipient's company, according to a Websense Security Labs alert. The email says that a copy of the original complaint is attached to the email, but clicking on it infects the user's machine with a trojan downloader.
Around midday Monday, researchers at MessageLabs first detected the campaign, in which senior employees working in financial organizations, such as banks and credit unions, were targeted. The messages contain subjects with the recipient's full name.
Experts believe the same gang was involved in a similar scam in September.
Paul Wood, senior analyst for MessageLabs, told SCMagazineUS.com today that he is unsure why top executives are being targeted.
"It may be they want to try and find information on those computers that may be sensitive...such as information about mergers and acquisitions," he said. "There may be corporate intellectual property that they may be discussing."
Another possibility is that it is easier for cybercrooks to find information about these individuals than about the average employee, making them easier targets for social engineering, Wood said.
Monday's attack arrived in two waves, MessageLabs said. In the first one, the email subject line contained the full name of the recipient, and the message carried a ZIP file attachment containing a .scr executable.
The second wave arrived several hours later and included a rich text format (RTF) file attachment with a .doc attachment, this time claiming to come from the Better Business Bureau. This attack contained an executable that was disguised as a PDF, according to MessageLabs.
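The attachment shapes described for the two waves can be checked structurally at a mail gateway, without relying on anti-virus signatures. The following Python is an added example, not code from MessageLabs or Websense; the extension blocklist, the finding strings, the constructed sample attachments, and the reading of the second wave as RTF content under a .doc name with an embedded object are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed blocklist; .scr is the only extension the article names.
EXEC_EXT = {".scr", ".exe", ".pif", ".com"}


def triage(filename: str, data: bytes) -> list[str]:
    """Return structural findings for one attachment (empty list = nothing flagged)."""
    ext = PurePosixPath(filename.lower()).suffix
    findings = []
    # Windows executables start with "MZ" whatever the file is called.
    if data[:2] == b"MZ" and ext not in EXEC_EXT:
        findings.append("executable content behind a non-executable name")
    # RTF documents start with "{\rtf"; a different extension is a mismatch.
    if data.lstrip()[:5] == b"{\\rtf":
        if ext != ".rtf":
            findings.append(f"RTF content carrying a {ext or 'missing'} extension")
        if b"\\objdata" in data:  # RTF control word that holds embedded object data
            findings.append("RTF carries an embedded object")
    # ZIP local file header: list members and look for executables inside.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if PurePosixPath(member.lower()).suffix in EXEC_EXT:
                        findings.append(f"archive contains executable {member}")
        except zipfile.BadZipFile:
            findings.append("unreadable ZIP archive")
    return findings


def _sample_zip() -> bytes:
    """Build a constructed ZIP holding a harmless placeholder named like a .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("complaint.scr", b"MZ constructed placeholder, not a real binary")
    return buf.getvalue()


# Constructed sample attachments (harmless bytes), one per case.
SAMPLES = {
    "complaint.zip": _sample_zip(),
    "complaint.doc": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105}}}",
    "report.pdf": b"MZ constructed placeholder, not a real binary",
    "minutes.rtf": b"{\\rtf1\\ansi Meeting notes}",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage(name, blob) or "clean")
```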
None of the major anti-virus vendors could initially detect the attacks, Websense said.
The IRS and Federal Trade Commission also have been used in similar schemes.