Tran Thi Thanh, Binh (Ms.)
Country SMB & Channel Manager
Tel: +84-437186424 | Mobile: +84-918305821
【Taipei, June 13, 2013】Trend Micro (TYO: 4704; TSE: 4704) has successfully worked with the Taiwan Criminal Investigation Bureau (CIB) to solve a targeted attack involving the theft of personal data, a crime committed against the Taiwan Bureau of National Health Insurance at the end of April. Using the customized analytics technology of Trend Micro, the world-leading cloud security vendor, the CIB detected over 10 thousand instances of the Trojan malware TROJ_GHOST.ZZXX and the backdoor malware BKDR_GHOST.ZZXX. It was a great success for both the CIB and Trend Micro.
Trend Micro has identified the pattern of this case: the hackers impersonated the Taiwan Bureau of National Health Insurance and launched a customized social-engineering email attack, sending a huge number of emails in the Bureau's name with a link pointing to a supposed document for the public to download. Once users clicked the link, they were redirected to another site and automatically downloaded a RAR file whose name looked entirely official.
Graphic 1. The hackers initiate targeted attacks toward specific SMBs.
Once users download and open the file, they see what appears to be a .DOC file; it is in fact an .EXE file, and as soon as it is opened the Trojan and backdoor malware are installed. The user's PC is forced to reset so that the gateway is unblocked. From then on, the hackers can navigate the compromised desktop, copy files from the PC, and find further victims using the contact list on the current victim's computer. This pattern successfully stole over 10 thousand records of personal data.
Graphic 2. After unzipping the file, there is an .exe file that looks like a .doc file.
Once the file is opened, it turns the user's computer into a public space.
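As an added example, not from the press release or from Trend Micro, the following defender-side check flags archive entries whose name pretends to be a document while the content or the full name says executable, the trick described above. It assumes the archive has already been listed into (name, leading bytes) pairs; the sample entries and names are constructed.

```python
import re

# File-name suffixes the lure pretends to be, and suffixes Windows will run.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def is_pe(header: bytes) -> bool:
    """True when the first bytes carry the 'MZ' DOS stub of a Windows PE file."""
    return header[:2] == b"MZ"

def suffixes(name: str) -> list:
    """'report.doc.exe' -> ['.doc', '.exe']; directory parts and padding dropped."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = [p.strip() for p in base.split(".")]
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []

def check_entry(name: str, header: bytes) -> list:
    """Return the reasons one archive entry (name + leading bytes) is suspicious."""
    reasons = []
    exts = suffixes(name)
    final = exts[-1] if exts else ""
    # 'notice.doc.exe': a document name that really ends in an executable suffix.
    if final in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        reasons.append("double-extension")
    # Content is a PE executable but the name does not admit it.
    if is_pe(header) and final not in EXECUTABLE_EXTS:
        reasons.append("pe-with-document-extension")
    # Long whitespace runs push the real extension out of view in file dialogs.
    if re.search(r"\s{5,}\.", name):
        reasons.append("whitespace-padded-name")
    return reasons

def scan_entries(entries) -> dict:
    """entries: iterable of (name, header bytes); returns {name: reasons} for hits."""
    hits = {}
    for name, header in entries:
        reasons = check_entry(name, header)
        if reasons:
            hits[name] = reasons
    return hits

# Constructed sample entries modelled on the lure in the article (hypothetical names).
SAMPLE_ENTRIES = [
    ("NHI_notice.doc.exe", b"MZ\x90\x00\x03\x00"),            # disguised executable
    ("NHI_notice.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),   # genuine OLE2 .doc
    ("readme.txt", b"Please open the attached form"),          # harmless text
    ("form.pdf                    .exe", b"MZ\x90\x00"),        # padded name
]
```

Calling `scan_entries(SAMPLE_ENTRIES)` reports only the two disguised entries; a genuine .doc with an OLE2 header passes, so the check keys on content and full name rather than on the visible suffix alone.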
Trend Micro also performed further analysis and found that the backdoor malware mentioned above belongs to the GHOST family. The criminals built this APT attack on the Ghost malware developed by a hacker in 2009; after several rounds of testing, the malware succeeded in hiding itself from detection by security software. It caused the leak of, and damage to, the financial and accounting information of SMB users. As an APT attack, it targeted the critical financial information of a large number of SMB users. At the same time, there is a hidden danger of related fraud.
Furthermore, this targeted attack not only uses familiar social engineering tactics; its customized email subject and recipient names also make users click easily. Attacks of this kind happen all the time. The embedded links lead users to websites on untraceable IP addresses, so that the hackers are not detected by security software. It should be kept in mind that these attacks normally target the financial and human resources personnel in SMBs, who have access to the company's sensitive information. These employees need to pay more attention to emails from unknown senders and be extremely cautious with attached files.
When facing social engineering email attacks, Trend Micro suggests that SMBs and users take note of the following:
Trend Micro works with entrepreneurs to defend enterprise information security. For SMB security, Trend Micro Worry-Free™ SMB provides a cross-platform, easy-to-manage security solution: http://apac.trendmicro.com/apac/small-business/product-security/worry-free-services/index.html