
Upcoming G20 Summit Increases Targeted Attack Levels 

Nov 10, 2010 10:21 AM

Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

As the next G20 summit approaches, businesses must once again be on guard for criminals looking to exploit this important political event. The G20 (and also G8) summits are occasions when anyone invested in them is more vulnerable to cyber attack, particularly attacks that deploy social engineering tactics. It is a time when people are much more likely to receive unsolicited mail, often with attachments. The attackers know this and will exploit it if they can.
 
Since the start of October, MessageLabs Intelligence has seen an increase in the frequency of targeted attacks on the subject of the G20 summit and its host country, South Korea. Through July, August and September, there was an average of around one targeted attack per day. So far in October and November this has tripled to three attacks per day. This activity can be seen in the chart of daily attacks below. The frequency of attacks has increased through October.

 



Typically, these attacks claim to have some kind of invitation or report attached. The attachment is usually a compressed archive that contains a document. The document may or may not contain relevant information, but it definitely contains an exploit that will be activated as soon as the recipient attempts to open it.
 
Some sample subject lines:
 
"G20 services"
"Seoul Summit Development Issue Report"
"Key info for G20 Seoul Summit"
"[G20] Draft Communique of the FMM&CBG meeting in Gyeongju"
 
The above are examples of what happens each time one of these summits occurs. Any of these subject lines could be used for any G20 summit by changing the place names and dates. This time, there are a few extras unique to the upcoming summit that attempt to make use of the well-known tensions between North and South Korea. One such malicious mail is this one:

 


 
The sender of the above communication has made up a persona, complete with email address and job title at a well-known global news organisation, to give a more human and therefore more believable edge to the mail. At first glance it may seem quite genuine, but a little investigation is all that is needed to know something is not right.

An attached PDF file is always a warning sign. It is a common file format, widely used in business, but also one that can be exploited by attackers. Always be wary of any unsolicited email that contains an attachment, whatever the attachment is. The bigger giveaway, however, is the name. A few seconds with a search engine reveals that there is no reporter with this name at the news organisation, and that this is in fact the name of a famous humanitarian who died more than 60 years ago.
 
This just goes to show that a few seconds of high-level investigation could save valuable time, effort, and money by preventing infection. Don't forget that the best defence is an up-to-date security system and fully patched software, but also always be suspicious of any unsolicited emails, especially those with attachments. Verify their source and prevent the attackers from getting into your machine.
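The lure pattern described in this post (a summit-themed subject line plus a document attachment, often wrapped in a compressed archive) can be turned into a mail-triage check. The following is an added example, not code from MessageLabs or the original post; the keyword and extension lists, the function names and the sample message are assumptions, and only ZIP archives are inspected.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists: keywords come from the post's sample subjects; tune per event.
THEME_WORDS = ("g20", "summit", "seoul", "communique")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".rtf")

def triage(raw: bytes) -> list:
    """Return the reasons a message matches the lure pattern (empty = none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    reasons = []
    if any(w in subject for w in THEME_WORDS):
        reasons.append("summit-themed subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(DOC_EXTS):
            reasons.append(f"document attachment: {name}")
        elif zipfile.is_zipfile(io.BytesIO(data)):
            # List member names only; nothing is extracted or opened.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                inner = [n for n in zf.namelist() if n.lower().endswith(DOC_EXTS)]
            reasons.append(f"archive attachment: {name}")
            reasons += [f"document inside archive: {n}" for n in inner]
    return reasons

def hold_for_review(raw: bytes) -> bool:
    """Hold only when the theme and an attachment indicator both match."""
    r = triage(raw)
    return "summit-themed subject" in r and len(r) > 1

def build_sample(subject: str, attach_zip: bool) -> bytes:
    """Constructed test message; the zip holds a harmless placeholder file."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["Subject"] = subject
    m.set_content("Please see the attached report.")
    if attach_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("report.doc", b"placeholder, not a real document")
        m.add_attachment(buf.getvalue(), maintype="application",
                         subtype="zip", filename="report.zip")
    return m.as_bytes()
```

A match is a reason to hold the message and verify the sender, as the post advises, not proof that the attachment is malicious.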
