
Phishing emails disguised as U.S. Department of Treasury complaints

A new round of targeted phishing is underway with attackers again trying to trick recipients into opening malware-laden attachments falsely claiming to originate from the federal government, researchers warned today.

This time the messages purport to come from the U.S. Department of the Treasury and, like similar attacks over the past several months, claim to contain a complaint filed against the recipient and his or her company, Dan Hubbard, vice president of security research at Websense, said today.

The campaign resembles a number of recent spear phishing runs that targeted employees, particularly executives, he said. Those attacks used the Better Business Bureau, the IRS and the U.S. Department of Justice as lures.

The latest phishing emails arrive with .pif files attached that claim to contain a complaint against the recipient, whose name and employer are listed in the email to add legitimacy, Hubbard said. A .pif file is a Windows executable, however, and this one is a downloader: if the recipient opens it, it connects to a malicious website and retrieves an information-stealing backdoor trojan onto the user's machine.

The messages use powerful social engineering tactics to attract victims, he said.

"It's the personalization," Hubbard said. "It's attaching a large government agency to something that makes you think, ‘Oh, maybe I'm in trouble here.’ It's something that grabs you pretty quick."

The same tactics were used to compromise the Oak Ridge National Laboratory, an Oak Ridge, Tenn.-based center that conducts research for the Department of Energy. The lab's director admitted last week in a memo to staff that 11 employees fell victim to phishing emails, among them a message claiming to be a complaint filed on behalf of the Federal Trade Commission.

Hubbard said spear phishing assaults are becoming more common.

"The potential for more sensitive pieces of information is there," he said.

The attack reported today does not exploit any software vulnerability; it relies entirely on the recipient running the attachment. At the time of the report, no antivirus signatures detected the trojan variant, Hubbard said.

But that does not mean its success rate was perfect. Many organizations block executable attachments at the email gateway, and even if the messages do get through, the trojan can only install itself if the user is logged on with administrative privileges.
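The gateway control mentioned above, blocking executable attachments before they reach the user, is worth showing in working form, because a .pif lure is easy to miss if the filter only looks for .exe. The following is an added example written for this article, not code from Websense or from the campaign described; the extension lists, the sample messages and the filenames are constructed for illustration. It flags an attachment on three independent grounds: an executable extension such as .pif, a disguised double extension such as complaint.pdf.pif, and the "MZ" header that every Windows PE image carries, which catches an executable renamed to look like a document.

```python
"""Gateway-side attachment filter for executable lures such as the .pif
complaint attachments described in the article (added example, not the
vendor's code). Flags by extension, by double extension and by PE content."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows executes on double-click. This list is an assumption for
# the example, not a complete one; .pif is included because Windows runs a PE
# image carrying a .pif extension exactly as it would an .exe.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd",
                         ".vbs", ".js", ".hta"}
# Document-looking extensions a lure hides behind in "complaint.pdf.pif".
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".txt", ".rtf", ".htm", ".html"}


def is_pe_image(data: bytes) -> bool:
    """True if the payload starts with the DOS 'MZ' stub of a Windows PE file."""
    return data[:2] == b"MZ"


def classify_attachment(filename: str, payload: bytes) -> list:
    """Return the reasons to block this attachment (an empty list means allow)."""
    reasons = []
    base = filename.lower().rsplit("/", 1)[-1]      # drop any path component
    exts = ["." + p for p in base.split(".")[1:]]   # every extension after the name
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {exts[-1]}")
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"disguised as {exts[-2]} via double extension")
    if is_pe_image(payload):
        # Content check: a renamed executable keeps its MZ header.
        reasons.append("Windows PE image (MZ header)")
    return reasons


def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and decide whether the gateway should block it."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdict = {"block": False, "attachments": {}}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = classify_attachment(name, part.get_payload(decode=True) or b"")
        verdict["attachments"][name] = reasons
        if reasons:
            verdict["block"] = True
    return verdict


def build_sample(filename: str, payload: bytes, subject: str) -> bytes:
    """Construct a sample message for testing (not a real captured email)."""
    msg = EmailMessage()
    msg["From"] = "complaints@example.invalid"   # assumed sender, constructed
    msg["To"] = "ceo@example.invalid"
    msg["Subject"] = subject
    msg.set_content("A complaint has been filed against your company. See attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed payloads: a fake PE stub (MZ header plus padding) and a fake PDF.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
FAKE_PDF = b"%PDF-1.4\n%constructed sample document\n"

LURE_PIF = build_sample("Complaint_Case_12345.pif", FAKE_PE, "Treasury complaint")
LURE_DOUBLE = build_sample("complaint.pdf.pif", FAKE_PE, "Treasury complaint")
RENAMED_PE = build_sample("complaint.pdf", FAKE_PE, "Treasury complaint")
BENIGN_PDF = build_sample("invoice.pdf", FAKE_PDF, "Invoice")

if __name__ == "__main__":
    for label, raw in [("pif lure", LURE_PIF), ("double extension", LURE_DOUBLE),
                       ("renamed PE", RENAMED_PE), ("benign", BENIGN_PDF)]:
        print(label, scan_message(raw))
```

The content check matters more than the extension lists: an attacker controls the filename, but a Windows executable must keep its MZ header to run, so a gateway that sniffs the first bytes blocks the renamed variant that an extension-only rule lets through. A real deployment would also look inside archive attachments, which this example does not.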

For employees who do fall for the trick, administrators should be sure to retrain them on security awareness, Hubbard said.

A spokesperson from the Department of Treasury did not respond to a request for comment.
