Last year (and continuing into this year) it was “recruitment” emails with a malicious .rtf attachment addressed personally to top executives. (Even security managers eager to advance their prospects are falling for the scam and laying bare all of their security plans!) When the .rtf file is opened the data on the target computer is compromised. And it needn't be an .rtf file; similar attacks have been seen using .doc files. For more on this click on the link below:
http://www.news.com/Trojan-attack-targets-top-executives/2100-7349_3-6209930.html
Then early last week CEOs were targeted with fictitious subpoenas. The targeted executives are directed in an email to an authentic-looking US Government website. Executives who click on the link in the email are then told that they need to download a plug-in in order to read the subpoena. That plug-in is actually malicious software. About 2,000 executive were tricked into compromising their computers.
For more on this attack click below:
http://www.pcadvisor.co.uk/news/index.cfm?newsid=12753
Then on Thursday of last week CERT reported that a large number of legitimate websites have been compromised with malicious code. The hackers injected malicious code into hundreds of thousands of reputable web pages, turning them into launchpads for attacks that silently install malware on the machines of those who visit them. The UK's Civil Service, the United Nations and websites of city firms were among those who had been hacked.
The compromised websites contain injected JavaScript that attempts to exploit multiple, known vulnerabilities. Users who visit a compromised website may unknowingly execute malicious code.
While it is clearly the remit of IT Departments to take action to protect their corporate sites against attack, it is imperative that somebody in every organisation is appointed to take responsibility for educating corporate computer users about the fast growing range of sophisticated scams and frauds that now pose an unprecedented threat to sensitive corporate data.