Avinti Inc., a leading provider of e-mail outbreak protection, issued a security alert to all IT departments and e-mail hosting companies regarding a newly discovered Targeted Destination E-Mail attack. The Targeted Destination Attack uses a harvested, specific destination IP address to bypass existing hosted messaging services or internal gateways to deliver a malicious payload directly to a user. Avinti security identified the threat in active use against a customer when a significant number of desktops became infected with the Mytob virus, despite the customer’s use of a leading secure messaging service.
“As the dollar value of information such as digital identities, credit card numbers and intellectual property continues to increase on the black market, targeted destination attacks will increasingly become a preferred tool of the cyber criminal,” said Terry Dickson, chief executive officer of Avinti. “All e-mail depends on a destination IP address, so virtually every e-mail user is at risk from a targeted destination attack. This attack is explicit and site-specific. Mass mailing Spam attacks are quickly stopped by today’s advanced messaging security products and services. Targeted destination attacks, while potentially time consuming for the cyber thief to develop, have a higher potential for success.”
Targeted Destination Attack Overview
Conventional e-mail protection schemes assume that every arriving message passes through an anti-virus SMTP gateway. In a Targeted Destination Attack, messages are sent directly to harvested IP addresses and on to recipients without the expected MX record lookup and the screening that follows it. Unlike the random mass-mailing propagation methods used by viruses in the past, this attack aims at specific sites and users. Harvested addresses may also include one or more servers (such as a test system) that are reachable on open IP addresses, allowing a perpetrator to target that specific server with incoming traffic. The open system then forwards this unfiltered traffic to the e-mail server for delivery, bypassing external and internal gateways alike.
Identifying Targeted Destination Attacks
Avinti security experts advised that the surest method of identifying this attack is to watch incoming traffic at the firewall to determine where it is coming from and where it is directed. A targeted attack shows up as incoming traffic from non-trusted or unknown IP addresses and as e-mail delivered to explicit IP addresses rather than through the filtering service. Indirect signs include an increased number of detections by PC-based anti-virus scanning and an increase in the number of virus-laden e-mails that appear onsite.
Preventing Targeted Destination Attacks
Avinti advises IT departments to configure the firewall to accept incoming SMTP traffic only from the hosted service address. If necessary, add only those IP addresses from trusted partners as required. For sites with internal anti-virus gateways, the firewall should forward all Port 25 traffic only to the gateway.
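The firewall-log check described under "Identifying" and the allowlist policy described under "Preventing" can be combined into one audit script. The following is an added example, not Avinti's code; the log format, the hosted-service and partner addresses, the gateway IP and the sample log lines are all constructed for illustration.

```python
"""Flag inbound SMTP connections that bypass the hosted mail filter (added example)."""
import ipaddress
import re

# Constructed policy: only the hosted messaging service and one trusted
# partner relay are allowed to deliver mail to the site over port 25.
TRUSTED_SENDERS = [
    ipaddress.ip_network("203.0.113.0/24"),   # hosted messaging service (sample)
    ipaddress.ip_network("198.51.100.7/32"),  # trusted partner relay (sample)
]
MAIL_GATEWAY = "192.0.2.10"  # the only host that should receive port-25 traffic (sample)

# Constructed log format: "<timestamp> ACCEPT <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ACCEPT (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def is_trusted(src_ip):
    """True when the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_SENDERS)

def find_direct_smtp(log_lines, gateway_ip=MAIL_GATEWAY):
    """Return (ts, src, dst, reason) for every port-25 flow that skips the filter path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("dport") != "25":
            continue  # unparseable line or not SMTP
        src, dst = m.group("src"), m.group("dst")
        if not is_trusted(src):
            hits.append((m.group("ts"), src, dst, "untrusted source"))
        elif dst != gateway_ip:
            # Trusted sender, but the destination is an open test box, not the gateway
            hits.append((m.group("ts"), src, dst, "port 25 to non-gateway host"))
    return hits

# Constructed sample traffic: two legitimate deliveries, one unrelated HTTPS
# flow, one direct SMTP connection from an unknown host, and SMTP reaching a
# forgotten test server (192.0.2.44) that also listens on port 25.
SAMPLE_LOG = [
    "2006-03-01T09:12:01 ACCEPT 203.0.113.25:44120 -> 192.0.2.10:25",
    "2006-03-01T09:12:07 ACCEPT 198.51.100.7:51002 -> 192.0.2.10:25",
    "2006-03-01T09:13:44 ACCEPT 198.51.100.200:40001 -> 192.0.2.10:443",
    "2006-03-01T09:14:09 ACCEPT 198.51.100.200:40002 -> 192.0.2.10:25",
    "2006-03-01T09:15:30 ACCEPT 203.0.113.77:33000 -> 192.0.2.44:25",
    "2006-03-01T09:16:02 ACCEPT 198.51.100.201:33001 -> 192.0.2.44:25",
]

if __name__ == "__main__":
    for ts, src, dst, reason in find_direct_smtp(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}:25  [{reason}]")
```

Any hit is also a candidate firewall rule to tighten: drop the untrusted source, or stop forwarding port 25 to the non-gateway host.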