Author Archive - Macky Cruz (Technical Communications)

    Advanced persistent threats and targeted attacks often use socially engineered email as their point of entry into a target network.* Considering the volume of email traffic that an average business user sends (41 messages) and receives (100 messages) in a single working day, and the relative ease with which socially engineered emails are crafted and sent, enterprises need to reexamine how they secure this aspect of business communication.

    Different social engineering techniques have been used in past targeted attacks. For instance:

    • Attackers send these emails via popular webmail accounts
    • Attackers send these emails from previously compromised email accounts
    • Attackers use spoofed email addresses that mimic departments or figures of authority

    These emails often carry exploit attachments that leverage vulnerabilities in popular software to compromise the victim’s computer. Once that computer is compromised, the rest of the APT campaign unfolds across the network.

    Enterprises, and especially the security groups that defend the network, need to become more aware of how simple it is for attackers to take advantage of email, seeing as email is the most common form of business communication. TrendLabs developed the primer Are Your Business Communications Secure? and the infographic Covert Arrivals: Targeted Attacks Via Employee Boxes, both of which tackle the dangers of email when it comes to advanced persistent threat campaigns. Both materials are available for download.

    Developing and utilizing external and local threat intelligence is a key enabler in any APT defense strategy. The Threat Intelligence Resources page is a reliable source of the latest in research and analysis on advanced persistent threats for IT, system and network administrators: the enterprise’s network defenders. Visit this page as it will be updated with new content to keep you posted on the latest developments in targeted attacks.

    * This is not to say all APTs arrive via email, as there is definitely a wide range of entry points available to threat actors.

    Posted in Targeted Attacks



    Do standard security solutions work against advanced persistent threats (APTs)? Are APTs crafted to extract specific files from an organization? Are data breaches caused by APTs? IT groups today face the challenge of protecting their networks against APTs—computer intrusions by threat actors that aggressively pursue and compromise targets. To help organizations formulate strategies against APTs, TrendLabs prepared an infographic that illustrates the different stages of intrusion.

    By analyzing each stage of an attack, IT groups can gain insight into the tactics and operations of an active attack against their networks. This analysis helps build local threat intelligence—internal threat profiles developed through intimate knowledge and observation of attacks against a specific network. Such intelligence is key to mitigating future attacks by the same threat actors. The stages our researchers have identified are intelligence gathering, point of entry, command-and-control (C&C) communication, lateral movement, asset/data discovery, and data exfiltration.

    Certain realities make dealing with each stage of an APT attack more difficult than dealing with ordinary cybercrimes. For instance, in the asset discovery stage where the attacker is already inside the network enumerating which assets are valuable enough to extract, a data loss prevention (DLP) strategy can prevent access to confidential information. However, according to a survey, while company secrets comprise two-thirds of a company’s information portfolio, only half of security budgets are allocated to protecting these.

    More of these realities are highlighted in the infographic, “Connecting the APT Dots.”

    Posted in Exploits, Targeted Attacks, Vulnerabilities



    We regularly blog about how cybercriminals misuse newsworthy events to profit. In the past 24 hours, TrendLabs has tracked multiple FAKEAV attacks that try to trick users searching for help following the recent McAfee update 5958 incident. This determination by cybercriminals to cause further problems and inconvenience to innocent end users and businesses is, in many respects, not surprising.

    We at Trend Micro are keen to help users identify these FAKEAV scams before they can be affected.

    In a recent post on how blackhat SEO leads to FAKEAV, “Doorway Pages and Other FAKEAV Stealth Tactics,” advanced threats researcher Norman Ingal described important telltale signs of malicious search results, specifically that their URLs follow this pattern:

    This can help users spot malicious results. Ingal adds that the title of the page (the text that appears in bold heading style in search result lists) is generally the same as the keywords used. The same pattern has appeared time and again in our investigations of blackhat SEO attacks.

    Just this week, search results for the following keywords were also found to carry redirections leading to rogue antivirus software:

    • who got voted off american idol april 21
    • dancing with the stars elimination april 2010
    • goldman sachs sec filings
    • boston marathon results
    • april 20th weed day

    Our engineers found the same pattern when they began to track search results leveraging the recent security incident.

    These results lead to redirections that end in the now-usual extortion scheme, where users are presented with fake infection warnings to convince them to pay for software they do not actually need. Trend Micro detects variants and components of these attacks as FAKEAV.

    Trend Micro™ Smart Protection Network™ already protects product users from blackhat SEO attacks of this kind by preventing access to malicious sites and domains via the Web reputation service.

    Web reputation is a much faster option for blocking new threats than waiting for signatures. With this attack, we could be looking at thousands of new malicious files that would have to be processed, versus a single domain.


    Users should by now be aware that trusting search engine results is no longer as safe as previously thought. The clues mentioned above can help users weed out suspicious results from legitimate ones. For users who are concerned about being infected, Trend Micro HouseCall is a free tool that scans for malware infections and other security threats.

    Other blackhat SEO attacks covered on the Malware Blog in recent weeks include:




    Research Manager Ivan Macalintal found a bogus profile in LinkedIn that appears as one of the search results when the keyword “obama” is used.

    Cybercriminals riddled the profile page with links. The .cn links lead to a URL under the y0utybe domain (note the similarity to the legitimate video-sharing site), which in turn leads to a URL under the .com domain localtubeonline. Finally, the links land the user on familiar malicious territory: an .EXE download (file name flash-plugin_update.40069.exe).

    The said landing page is actually one of the landing pages used in the blackhat SEO attack leveraging 9/11 memorials.

    Trend Micro detects the binary as TROJ_RENOS.BGI. The Trojan’s primary payload is to connect to other URLs to download the other components needed to complete the attack. At the time of analysis, the URLs in the malware’s code were unavailable.

    Users are advised to refrain from clicking on links from untrusted sources. Social networking sites–even a business-oriented one such as LinkedIn–can easily be used by cybercriminals to get into people’s circle of trust. We have seen this in the following attacks:

    The best protection is to make sure security applications are updated with the latest patterns to avoid the effects of these latest threats.




    Today’s Patch Tuesday from Microsoft comes with 9 security advisories, 5 of which are tagged as critical and 4 as important. Collectively, 19 flaws are addressed in these advisories, 15 of which are critical. This set of advisories also includes the bulletin that addresses the previously exploited Microsoft Office Web Components bug.

    The critical advisories include patches for vulnerabilities in Microsoft Office Web Components (MS09-043), Remote Desktop Connection (MS09-044), Internet Name Service (MS09-039), Windows Media File Processing (MS09-038), and Active Template Library (MS09-037).

    The other advisories are for vulnerabilities in ASP.NET (MS09-036), Message Queuing (MS09-040), Workstation Service (MS09-041) and Telnet (MS09-042).

    Details about these vulnerabilities can be found in our Security Advisory for the August 2009 Patch Tuesday at the Threat Encyclopedia. The Microsoft blog says that five of the six critical patches are rated “1” in their Exploitability Index. Microsoft therefore expects some in-the-wild exploits targeting these within 30 days from now.

    Again, this is a reminder to make sure that all your applications and operating systems are up to date with the latest patches. Software vendors issue these patches to prevent cybercriminals from exploiting these vulnerabilities. Update now.

    Trend Micro OfficeScan users with Intrusion Defense Firewall plugin installed should apply today’s update for the latest filters (IDF09024). This version contains protection from attacks exploiting the above and other vulnerabilities.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice