During the past year, waves of attacks have risen from three or four a month to as many as 10 per month. What's more, the attacks seem to be coming from a small number of people colluding in just two international groups.
One of the two groups may be operating out of Romania, while the other seems to operate out of widely dispersed locations – so dispersed that some observers think that they may be making use of crimeware as a service. But from the outset, the waves of attacks have had similar characteristics, that is, they both employ fake government entities, malicious code, and social engineering.
The attacks typically work like this: a victim gets a targeted email that looks official, incorporating certificates from the IRS, a federal district court, or the Better Business Bureau. In the email, they're asked to open an attachment, such as a document purporting to contain the details of a subpoena. Once the link is clicked, malicious software is installed on the user's machines.
Said Matt Richard, director of iDefense's Rapid Response Team, “It's all social engineering. It's not like the attackers send rigged files. They're sending malicious code that enables them to acquire the victim's private information under the cover of being some kind of official communication.”
Moreover, the two groups have similar intentions, but differing techniques in gathering private information from victims.
“They both have the same ultimate goals, it's just that they go about it in different ways,” said Richard. “One group uses a keylogger, the other a form grabber, which only takes in data entered into web forms.”
Either way, the attacks are hard to defend against. One traditional measure, using anti-phishing filters, is almost ineffective. Filters are reactive – they only have information on attacks that have already occurred. The attackers only need a small window of opportunity – even if the information is updated a few hours after the first attack, the attackers by then have already got what they were looking for. What's more, the malefactors are nimble, if not downright clever.
“These guys make each attack just different enough so that any previous defense will not be effective,” said Richard. “The only real protection on an enterprise level is training and education -- these are attacks on humans, not technology.”