Symantec researchers have identified a new 2010 World Cup-based ‘targeted’ e-mail attack with a twist. Mailed from a free web-based e-mail service, the e-mail contains an Excel document, rare in such attacks.
Targeted attacks are rated among the most damaging of all Internet attacks.
According to Symantec’s Paul Wood, it is relatively uncommon to see such attacks using Excel docs. “Normally we see PDFs, straight executable files, or Word documents,” he says.
“Our stats show that since the beginning of April the attached files used in targeted attacks break down as PDF, 41%; .exe, 18%; .doc, 14%; .xls, 7%; .scr, 4%; and .ppt, 1%.”
The latest e-mail contains the line “Enclosed is the full match schedule of South Africa 2010 World Cup, in which American matches are highlighted”. This serves as the hook to lure recipients into opening the attached file – “2010_FIFA_WORLD_CUP.zip”, containing an Excel document, “2010_FIFA_WORLD_CUP.xls” (see screenshot).
Adds Wood: “Using webmail adds legitimacy to attacks and often makes it difficult to trace the location of the sender, depending on which webmail service is used. It’s also relatively uncommon to see malicious documents contained in a zip archive.”
The attack targeted a small number of users within a large, internationally known US-based manufacturing business.
When the Excel file is opened, a World Cup spreadsheet opens displaying the current groups, teams playing and when they are playing. The user can, ostensibly, then add in the results as games are concluded.
Says Wood: “All is not as it appears, however, as during the initial opening of the spreadsheet, a .exe file is planted in the user’s machine, which notifies the attackers the machine has been accessed.
“They can now help themselves to data on the victim’s PC and/or access other systems on the network.”
