The report's authors say spear-phishing techniques have been used successfully against at least one federal agency, which had its network compromised by attackers who stole data and exported it to computers in China.
The annual survey of the "Top 20" Internet security risks for 2007 was released Tuesday by the SANS Institute, an industry non-profit that does research and education on computer security.
"Facing real improvements in system and network security," the survey says hackers and other cyber-criminals are turning increasingly to two new kinds of targets "that allow them to evade firewalls, anti-virus (programs), and even intrusion prevention tools." The new targets are "users who are easily misled and custom-built applications" such as company Web sites.
The authors note: "This is a major shift from prior years when attackers limited most of their targets to flaws in commonly used software."
SANS Institute research head Alan Paller told United Press International that targeting users is done through sophisticated attacks combining so-called phishing e-mails with social engineering techniques.
Classic phishing e-mail messages purport to come from a bank or other e-commerce operation with whom the target has an account. Recipients are told they have to visit a Web site to "confirm" their account information, but the sites are set up to steal passwords and user names.
Social-engineering techniques aim to exploit known facts about the target to improve the efficacy of attacks -- for instance by "spoofing" or faking the sender of the e-mail, so that it appears to come from a manager within the target's own firm.
Targeted phishing attacks, known as "spear phishing" or "whaling," aim to compromise the computers used by top executives. Rather than trying to steal passwords for a single account, the e-mail will contain an attachment or Web link that, when activated, will install special software that logs every keystroke typed on the computer, and reports it back, enabling hackers to get password and account information for secure systems.
"Spear phishing has become one of the most damaging forms of attacks on military organizations in the United States and other developed countries," says the report. "Attackers gain user-name and password information and then break in to exfiltrate sensitive military information."
Paller said the technique had been used successfully to hack into computers at one sensitive U.S. federal agency and export data on their system to China. He declined to give further details.
He said a favorite technique for military and government targets was to make the e-mail look as though it came from a security manager, urging users to download a patch to fix a new vulnerability.
"This is just starting to be recognized as an issue in the commercial area," Paller said, "We are just now starting to learn how widespread it is."
He said companies were often loathe to report such penetrations. "It's like head lice," he said, "It's very embarrassing. No one likes to admit they've got it."
Paller said a recent example of the growing problem was an e-mail that purported to come from the U.S. Equal Employment Opportunity Commission.
The phony e-mail, sent to executives with the subject line "Harassment Complaint Update For," contains links to a Web site where the recipient is told he can download details of a discrimination claim against the company.
"The bogus e-mail contains (malicious software) that is likely to harm a recipient's computer if the user clicks on the referenced Web link and/or downloads the attached file," said an advisory last month from the real commission.
Paller said would-be spear phishers could cull information about potential targets from a multitude of sources including social networking sites, business information services and directories of federal and military employees.
From the hacker's point of view, he said, "It's worth spending the time to find the right target."
Paller said the other major target class being exploited by cyber-criminals was vulnerabilities in custom-built software like Web sites.
"Many Web sites are active," he said, meaning that they have so-called back-end databases that can be accessed from password-protected areas of the site. For instance, a hospital Web site might have a section where its billing system or patients' medical records can be accessed.
The problem, he said, was that the applications that ran such sites were generally written by people "who've never been taught to write secure software."
Of the million or so people worldwide writing such programs, Paller said, "I would estimate fewer than 300 have any in-depth knowledge of how to write secure applications."
He said that number would "skyrocket" in the next two years. "Big companies are starting to insist" that the programmers writing their applications are properly trained in producing secure software, he said.