Lindon, Utah - (The Hosting News) - October 7, 2005 - E-mail virus and software company, Avinti Inc., has issued a security alert to all IT departments and e-mail hosting companies regarding a newly discovered Targeted Destination E-Mail attack.
The Targeted Destination Attack uses a harvested, specific destination IP address to bypass existing hosted messaging services or internal gateways to deliver a malicious payload directly to a user. Avinti security identified the threat in active use against a customer when a significant number of desktops became infected with the Mytob virus, despite the customer's use of a leading secure messaging service.
Terry Dickson, Chief Executive Officer of Avinti, explained, "As the dollar value of information such as digital identities, credit card numbers and intellectual property continues to increase on the black market, targeted destination attacks will increasingly become a preferred tool of the cyber criminal. All e-mail depends on a destination IP address, so virtually every e-mail user is at risk from a targeted destination attack. This attack is explicit and site-specific. Mass mailing Spam attacks are quickly stopped by today's advanced messaging security products and services. Targeted destination attacks, while potentially time consuming for the cyber thief to develop, have a higher potential for success."
Conventional e-mail protection schemes assume that all arriving messages are processed through an anti-virus SMTP gateway. With the Targeted Destination Attack, messages are sent directly to harvested IP addresses and ultimately to recipients without the expected MX record lookup and subsequent screening. Unlike the random mass-mailing propagation methods used by viruses in the past, this attack aims for specific sites and users.
Harvested addresses could also include one or more servers (such as a test system) with open IP addresses. This may enable a perpetrator to target that specific server to receive incoming traffic. This unfiltered traffic is forwarded by the open system to the e-mail server for delivery and thus bypasses external or internal gateways.
Avinti security experts advised that the surest method of identifying this attack is to watch incoming traffic at the firewall to determine where the traffic is coming from and where it is directed to. A targeted attack will show incoming traffic from non-trusted or unknown IP addresses and e-mail sent to explicit IP addresses. Other indirect signs of such an attack include an increased number of discoveries by PC-based anti-virus scanning and an increase in the number of virus-laden e-mails that appear onsite.
Avinti advises IT departments to configure the firewall to accept incoming SMTP traffic only from the hosted service address. If necessary, add only those IP addresses from trusted partners as required. For sites with internal anti-virus gateways, the firewall should forward all Port 25 traffic only to the gateway.
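The firewall check and the allow-list rule described above can be applied to existing firewall logs. The following is an added example, not code from Avinti or the original article: it flags accepted port 25 connections that come from outside a trusted source list or that reach a host other than the anti-virus gateway. The addresses (RFC 5737 documentation ranges), the key=value log format and the name audit_smtp are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed values for illustration (RFC 5737 documentation ranges).
TRUSTED_SOURCES = [ipaddress.ip_network("192.0.2.0/28"),     # hosted filtering service
                   ipaddress.ip_network("198.51.100.7/32")]  # trusted partner
SMTP_GATEWAY = ipaddress.ip_address("203.0.113.10")          # anti-virus SMTP gateway

# Constructed firewall log lines; the key=value format is hypothetical.
SAMPLE_LOG = """\
2005-10-07T09:14:02 SRC=192.0.2.5 DST=203.0.113.10 DPT=25 ACTION=ACCEPT
2005-10-07T09:14:09 SRC=198.51.100.7 DST=203.0.113.10 DPT=25 ACTION=ACCEPT
2005-10-07T09:15:31 SRC=198.51.100.200 DST=203.0.113.20 DPT=25 ACTION=ACCEPT
2005-10-07T09:15:40 SRC=192.0.2.5 DST=203.0.113.77 DPT=25 ACTION=ACCEPT
2005-10-07T09:16:02 SRC=198.51.100.200 DST=203.0.113.20 DPT=80 ACTION=ACCEPT
2005-10-07T09:16:10 SRC=198.51.100.201 DST=203.0.113.10 DPT=25 ACTION=DROP
""".splitlines()

FIELD = re.compile(r"(\w+)=(\S+)")

def audit_smtp(lines):
    """Return (timestamp, src, dst, reasons) for accepted inbound SMTP
    connections that did not follow the expected path."""
    findings = []
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("DPT") != "25" or f.get("ACTION") != "ACCEPT":
            continue  # only accepted port 25 traffic can reach a mail host
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
        reasons = []
        if not any(src in net for net in TRUSTED_SOURCES):
            reasons.append("untrusted-source")   # not the hosted service or a partner
        if dst != SMTP_GATEWAY:
            reasons.append("bypasses-gateway")   # delivered to a host behind the gateway
        if reasons:
            findings.append((line.split()[0], str(src), str(dst), reasons))
    return findings

if __name__ == "__main__":
    for ts, src, dst, reasons in audit_smtp(SAMPLE_LOG):
        print(ts, src, "->", dst, ",".join(reasons))
```

Any finding on a firewall that already enforces the recommended rule indicates a rule gap, such as the open test system mentioned earlier in the alert.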
For additional information, contact Avinti at 801-443-3200 or visit http://www.avinti.com.