Computing systems utilized by the public sector, e.g., governments and government agencies, and elements of the private sector that are associated with the public sector, such as defense contractors, financial institutions, and various research facilities, have recently become targets of malware attacks specifically crafted to compromise specific public sector, and associated private sector, data.
This “targeted” or “bespoke” malware is often injected into the public sector, and associated private sector, computing systems via e-mails containing targeted Trojan, or other, malware that are highly researched, crafted, and customized to the intended recipient. Therefore, unlike more traditional “mass” malware attacks that use similar e-mails as the insertion vector for numerous attacks, these targeted malware attacks have very low levels of occurrence, and are often single occurrence attacks. Consequently, the traditional mechanisms of determining malware containing e-mail signatures and then blocking future e-mails having these signatures are relatively ineffective.
One mechanism that has been recently employed by some malware distributors is to create targeted malware containing e-mails that include a “From” address that includes a domain that appears to indicate the e-mail originated from a government or public sector organization, i.e., a government agency, that the recipient would typically automatically trust. This practice of providing a false “From” address is commonly referred to as “spoofing”.
In a typical instance where a targeted malware-containing e-mail includes a spoofed government “From” address, the “From” address includes a government-associated domain suffix such as, but not limited to, those ending in: “.gov”, indicating the e-mail is from a United States government agency source; “.gov.uk”, indicating the e-mail is from a United Kingdom government agency source; “.go.jp”, indicating the e-mail is from a Japanese government agency source; or any one of numerous other “From” address domain suffixes that indicate a given country's governmental agency source.
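The following is an added illustration, not part of the original text, of how a receiving system could flag e-mails of the kind described above: it extracts the real address from the “From” header (ignoring a display name that merely looks like a government address), tests whether its domain ends in one of the government suffixes named in the text using whole-label matching, and, as an assumed heuristic, treats a government-claiming “From” whose envelope sender (“Return-Path”) belongs to an unrelated domain as a suspected spoof. All sample messages and domains are constructed.

```python
import email
from email.utils import parseaddr

# Government domain suffixes named in the text (illustrative, not exhaustive).
GOV_SUFFIXES = ("gov", "gov.uk", "go.jp")

def sender_domain(header_value):
    """Lower-cased domain of the real address in a From or Return-Path header.
    parseaddr discards the display name, so '"x@agency.gov" <a@evil.example>'
    resolves to evil.example rather than the government-looking display text."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def claims_government_domain(domain):
    """True only when a government suffix forms the trailing DNS labels with at
    least one label in front of it: agency.gov and sub.agency.gov.uk match;
    gov.evil.example (suffix in the middle) and a bare 'gov' do not."""
    labels = domain.split(".")
    for suffix in GOV_SUFFIXES:
        tail = suffix.split(".")
        if len(labels) > len(tail) and labels[-len(tail):] == tail:
            return True
    return False

def assess_message(raw):
    """Flag a message whose From claims a government domain while the envelope
    sender (Return-Path) belongs to an unrelated domain (assumed heuristic)."""
    msg = email.message_from_string(raw)
    from_dom = sender_domain(msg.get("From"))
    path_dom = sender_domain(msg.get("Return-Path"))
    claims_gov = claims_government_domain(from_dom)
    same_org = path_dom == from_dom or path_dom.endswith("." + from_dom)
    return {
        "from_domain": from_dom,
        "return_path_domain": path_dom,
        "claims_government": claims_gov,
        "suspected_spoof": claims_gov and bool(path_dom) and not same_org,
    }

# Constructed sample messages (not real traffic); all domains are placeholders.
SPOOFED = ("Return-Path: <bounce@mailer.example.net>\n"
           "From: \"Office of Grants\" <grants@agency.gov>\n"
           "Subject: Updated funding schedule\n\nSee attachment.\n")
LEGIT = "Return-Path: <info@agency.gov>\nFrom: <info@agency.gov>\n\nHello.\n"
DISPLAY_NAME_TRICK = ("Return-Path: <u@evil.example>\n"
                      "From: \"contact@agency.gov.uk\" <u@evil.example>\n\nHi.\n")
LOOKALIKE = "Return-Path: <x@gov.evil.example>\nFrom: <x@gov.evil.example>\n\nHi.\n"

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("legit", LEGIT),
                      ("display-name", DISPLAY_NAME_TRICK), ("lookalike", LOOKALIKE)]:
        print(name, assess_message(raw))
```

The Return-Path comparison is only a coarse first filter; a production mail gateway would combine it with SPF/DKIM/DMARC results and delivery-path analysis rather than rely on header text alone.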
Since, as noted, targeted malware attacks occur at very low volumes, so that traditional mechanisms for identifying malware-containing e-mails are relatively ineffective, and since many public sector and associated private sector recipients are likely to assume that an e-mail whose “From” address indicates a governmental source is trustworthy, these types of targeted malware attacks with spoofed governmental agency “From” addresses are a significant problem.
In addition, since the public sector and associated private sector recipients are often dealing with computing systems that contain highly classified data, and in some cases data relating to national security, these targeted malware attacks with spoofed governmental agency “From” addresses can be extremely serious. Indeed, it is currently suspected that some of these targeted malware attacks with spoofed governmental agency “From” addresses are sponsored by foreign powers. However, current malware detection systems are largely unable to detect and block these types of malware attacks because of the bespoke nature of the malware and the very low volume of occurrence. Consequently, this serious threat to public sector data remains largely undetectable, and unopposed, using currently available malware detection systems.