October 10, 2007
Email Scheme Targets Executives
By RIVA RICHMOND
The Wall Street Journal
October 10, 2007; Page B5C
During a two-hour period June 24, something unusual turned up in email-security company MessageLabs Inc.'s filters: 514 messages tailored to senior executives of corporate clients, containing programs designed to steal sensitive company data.
On Sept. 12 and 13, it happened again, and the company captured 1,100 messages in a 16-hour wave. The messages, which included executives' names and titles, were from a purported employment service and offered attachments supposedly containing information on potential job candidates. The attachments were Microsoft Word documents, a common type of office file erroneously believed to be safe by most computer users. If not intercepted, they would have deposited Trojan horses, or malicious programs disguised as benign ones, onto some high-powered people's computers.
The two email bursts point to a new and sophisticated take on an old-style attack with troubling implications for corporations, MessageLabs says. In the past, most email attacks of this kind were simple "phishing" scams sent to masses of consumers with the goal of inducing them to part with their financial-account information. A small number of targeted attacks were seen by security companies, but they typically targeted individuals in government or the military. These new attacks suggested that a fairly low-tech email scheme could create a high-class problem for companies, placing valuable data at risk and challenging companies to devise foolproof technical defenses.
MessageLabs says it has been intercepting targeted email attacks on corporate clients for at least three years, and the numbers began to rise significantly over the past year. The company was catching one message a day as of the end of 2006. That rose to about 10 a day by May and then jumped dramatically with the June and September attacks. Both of those incidents targeted executives in a wide range of industries.
Enter the Newcomers
"All of a sudden, somebody new hit the scene," said Mark Sunner, MessageLabs' chief security analyst. Who that is isn't clear because technical tricks disguised the emails' origins, he said. But it is likely the person or group responsible came from the digital underground centered in Eastern Europe, where malicious-program writers and organized crime have long worked hand-in-hand online to steal and sell data for use in fraud schemes.
The newcomers appear to be after corporate secrets, he said. They have sought, specifically, to infiltrate the computers of chief executives, chief financial officers, chief technology officers and other senior managers and, on occasion, their assistants. The Trojan horses are designed primarily to help the attacker gather Microsoft Office files from the My Documents directories of infiltrated PCs.
The people targeted "are the custodians of the company's secrets," Mr. Sunner said, and have computers full of spreadsheets, financial reports, merger details and trade secrets.
"Why would somebody be targeting a CEO?" Scott O'Neal, chief of the Federal Bureau of Investigation's cyber intrusion section, asked rhetorically. "It may be to steal intellectual property, it may be corporate espionage, it may be to get into the database."
Attacks of this kind have become much simpler, Mr. O'Neal said. "The how-to tutorials out there are getting better and better, and people need less and less technical skills," he said. Unfortunately, few are reported to law enforcement because companies fear investigations will disrupt their businesses and result in unwanted publicity. Such fears are unfounded, Mr. O'Neal said. The agency is careful not to be disruptive, and it maintains strict confidentiality.
In the recent attacks seen by MessageLabs, the perpetrators tried to improve the chances executives would open the attachments by referencing bogus business matters and including personal details, such as name and title, which suggests the attackers spent time researching their targets.
Web Search Reconnaissance
Using search engines from Google Inc. and others, "it's very easy to do a very extensive Web search to gather a lot of different information," such as email addresses, titles and work histories, said David Marcus, security research and communications manager at security-software maker McAfee Inc. MessageLabs said it was able to confirm that the details used in the emails were correct by consulting LinkedIn, a social-networking site that is popular among professionals.
The size of the June and September attacks may be significantly larger than what the MessageLabs email-catch suggests. While the company filters out spam, viruses and other unwanted messages from 2.5 billion emails headed for nearly 7 million corporate email accounts each day, that's a small sample of overall corporate email traffic.
"We're definitely dealing with intellectual-property theft of quite a high degree," Mr. Sunner said.
He said the messages look benign and may evade some antispam and antivirus security software. In that case, the only defense would be executives themselves choosing to exercise caution in opening email attachments.
If human weakness wins out and the attacker infiltrates that person's computer, what the intruder can do is virtually limitless, and corporate data may not be the only target or casualty.
In fact, some attackers could go after a target's personal information, as in a classic phishing scam. Jason Malo, senior manager in VeriSign Inc.'s anti-phishing group, said phishers are becoming more sophisticated and creative as they work harder to dupe increasingly cautious computer users and look for bigger scores. He thinks most targeted email attacks on executives are personal, not professional. Phishers know that "these are probably people with bigger paychecks, bigger houses and nicer cars," he said, which means they also have fatter bank and brokerage accounts and higher-limit credit cards. The underground economy rewards targeting these individuals. One underground Web site with stolen credit-card numbers for sale that VeriSign monitors recently offered platinum Visa numbers for $19 apiece, compared with $8 for regular Visa numbers.
"These folks have some greater risk from a financial perspective as well as the information they know," Mr. Malo said.