Security Advisor

New Spear-Phishing Campaign Infects 12,000 Worldwide

Security firm Trend Micro came out with a warning this week of a sophisticated cybercrime ring that has already targeted and infected over 12,000 unique IP addresses worldwide with malware.

The new targeted campaign, called "SafeNet," has been using an already-patched Office vulnerability (fixed in April's security update) in the attacks as the distribution method, and is finding success due to those lax on patching. Trend Micro also believes those responsible are located in Asia.

"While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China," said researchers at Trend Micro in a blog post. "However, the relationship between the malware developers and the campaign operators themselves remains unclear."

Even though Trend Micro has been vague about the intent of the operation, it is believed SafeNet's ultimate goal is to steal sensitive data.

While the number may seem high for those infected, Trend Micro said that only about an average of 71 IP addresses actually communicate with the cyber ring's command and control (C&C) servers on a daily basis.

According to a white paper going into an in-depth look at the operation, the campaign has been targeting government entities, research institutions, media organizations and technology corporations.

Unlike the typical, vague spear-phishing e-mail scams, the group has been sending personally specific-crafted e-mails to recipients with a malicious link embedded. One example given by Trend Micro was an e-mail to an anonymous media outlet that provided a fake link to a taped NBC interview with the Dalai Lama. And if the link is opened (and your Office isn't up-to-date), malware is then silently loaded on your system.

During its investigation, Trend Micro was able to identify a list of IPs infected through the two C&C servers being used in the operation, both believed to be located in China. According to the security firm's numbers, India was by far the most-targeted region, with 4,305 IP addresses attacked. The U.S. came in second with 709.

Because targets have been identified as high-profile organizations and groups (and not individual users), Trend Micro suggests the most important prevention steps should include both making sure a comprehensive plan to secure sensitive data is in place and informing employees on the important of being vigilant for potential attacks.

"Security-related policies and procedures combined with education and training programs are essential components of defense," said the white paper. "Traditional training methods can be fortified by simulations and exercises using real spear-phishing attempts sent to test employees. Employees trained to expect targeted attacks are better positioned to report potential threats and constitute an important source of threat intelligence."

About the Author

Chris Paoli is the site producer for and


  • Microsoft Offers More Help on Windows Server 2008 Upgrades

    Microsoft this week published additional help resources for organizations stuck on Windows Server 2008, which fell out of support on Jan. 14.

  • Microsoft Ups Its Carbon Reduction Goals

    Microsoft on Thursday announced a corporatewide carbon reduction effort that aims to make the company "carbon negative" by 2030.

  • How To Dynamically Lock Down an Unattended Windows 10 PC

    One of the biggest security risks in any organization happens when a user walks away from their PC without logging out. Microsoft has the solution (and it's not a password-protected screensaver).

  • First Stable Chromium-Based Microsoft Edge Browser Released

    Microsoft on Wednesday announced the first release of its Chromium-based Microsoft Edge browser at the "stable" commercial-release stage.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.