
The IT Agenda: Battling Targeted Trojan Spoofing

How do I know? I performed a proof-of-concept test on some spam-protected targets to see how easily I could invade them by sending malicious HTML, and it worked well, even at reasonably security-paranoid corporate networks, like a Manhattan-based international law firm and a Georgia bank. Here's my five-step process (for technical details and the script, see

1. Procure targeted e-mail addresses with the same "negative acknowledgement" probing spammers use. Once you know the names of VIPs, send probe messages to every plausible permutation of those names (jfeldman, feldmanj, jonathan.feldman and so on) until one no longer produces a bounce message; no bounce means the address is valid.

2. Identify an article of interest to the targeted business. In my bank test, for instance, I used one from Forbes.

3. Craft a message with a spoofed but real user e-mail address in the "From" field; the CEO's address is a good choice. Address the "To" field to other valid e-mail addresses, one recipient at a time, so each user thinks the message is personal.

4. Put a spoofed URL in the body of the message, just as the Wallon virus and the Osama Trojan did. The fake URL appears to point to the article but may instead point to a page hosting the latest zero-day IE exploit, with the power to take over the user's machine.
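The two mechanical pieces of the procedure above, written from the defender's side, as an added example that is not the author's test script and not code from the original article. The first function reproduces the address-guessing of step 1 so a mail administrator can see how few guesses a VIP's name needs (and why bounces that confirm "no such user" are worth suppressing at the gateway). The second parses an HTML body and reports anchors whose visible text shows one hostname while the href actually resolves to another, which is the spoofed-link trick of step 4. The sample message, the hostnames and the IP address are constructed for illustration; nothing here sends mail.

```python
"""Added example: VIP address permutations and deceptive-link detection.

All names, hostnames, the IP address and the sample HTML body are
constructed for illustration; they are not taken from the article's tests.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def username_permutations(first, last):
    """Mailbox names a prober would try for a person whose name is known.

    Mirrors step 1 of the article: jfeldman, feldmanj, jonathan.feldman ...
    Returned sorted so the caller can diff runs or feed a probe tool.
    """
    f, l = first.lower(), last.lower()
    forms = {
        f + l, l + f, f[0] + l, l + f[0],
        f + "." + l, l + "." + f, f[0] + "." + l,
        f + "_" + l, f + "-" + l, l, f,
    }
    return sorted(forms)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in a body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._open = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.anchors.append(tuple(self._open))
            self._open = None


# Hostname as a reader perceives it in the link text (with or without scheme).
_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def _shown_host(text):
    m = _HOST_RE.search(text)
    return m.group(1).lower() if m else None


def deceptive_links(html):
    """Return [(visible_text, href)] for anchors whose shown host is not the
    host the browser will really connect to.

    urlparse().hostname strips the "user@" part, so the classic
    http://www.forbes.com@203.0.113.5/ trick yields 203.0.113.5, and a
    look-alike such as www.forbes.com.example.net is compared whole.
    Anchors whose text is not a hostname ("click here") are not judged here.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        shown = _shown_host(text)
        real = (urlparse(href).hostname or "").lower()
        if shown and real and shown != real and not real.endswith("." + shown):
            hits.append((text.strip(), href))
    return hits


# Constructed sample body: two spoofed links, one honest link, one neutral.
SAMPLE_HTML = """<html><body>
<p>Thought you'd want to see this:</p>
<a href="http://www.forbes.com@203.0.113.5/article.html">http://www.forbes.com/article.html</a><br>
<a href="http://www.forbes.com.example.net/read">www.forbes.com</a><br>
<a href="https://www.forbes.com/sites/xyz">https://www.forbes.com/sites/xyz</a><br>
<a href="http://203.0.113.5/x">click here</a>
</body></html>"""


if __name__ == "__main__":
    print(username_permutations("Jonathan", "Feldman"))
    for text, href in deceptive_links(SAMPLE_HTML):
        print(f"spoofed link: shows {text!r} but goes to {href}")
```

The host comparison is deliberately strict: only a subdomain of the displayed host is accepted, so a gateway rule built on this will flag both the userinfo trick and look-alike domains, but it will not catch a link whose text is plain prose; pair it with a rule on the From domain versus the connecting relay to cover the spoofed sender of step 3.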
