
Hitachi

Hitachi Systems SHIELD Security Research Center

Initial Disclosure Date: Aug 26, 2013

According to the National Police Agency (NPA), the number of reported spear-phishing or APT-associated emails is decreasing: 552 in the first half of 2012, 457 in the second half of 2012, and 201 in the first half of 2013. This is only because cyber-attackers changed their strategy from "one-size-fits-all" APTs to "interactive" ones. In the "one-size-fits-all" type, the culprit sends the same message or malware to a large number of people, which carries a high risk that the targeted people become suspicious of the email and discover the cyber-attack.

In the "interactive" type, on the other hand, the culprit carefully chooses a small number of targets and tailors the messages and malware to them. Only after the target has come to trust the culprit and expects to receive an email with an attachment does the culprit send the malware. This type of APT was reported only twice last year, but the number rose to 33 in the first half of 2013. Fifty percent of these APTs posed as inquiries about job applications and 30 percent as questions about a product or trouble with a product. Accordingly, most of the attached documents were named "Resume," "Inquiry," or "Explanation of the Trouble." Seventy percent of the first emails tried to confirm the right email address to contact.

The NPA encourages both the public and private sectors to mitigate risk by separating computers that receive a large number of emails from outside from the LAN, and to take cybersecurity measures. About 80 percent of the targeted email addresses had been published on the websites of the attacked organizations.

It is noteworthy that cyber-attackers use free email addresses more than ever. The ratio was only 26 percent in the first half of 2012, but it increased to 49 percent in the second half of 2012 and 62 percent in the first half of 2013. All of the reported "interactive" type APTs used free email addresses. The NPA therefore suggests that the public and private sectors configure their email servers to display a warning in the subject line or message body whenever an employee receives a message from a free email address.

About half of the attached malware was compressed as ZIP, RAR, or LZH. LZH is used primarily in Japan, and its share grew compared with last year. In the first half of 2013, most of the attached files that were not compressed were xls files. These Excel files were presented as a list of school alumni or an address book. Some attached files used the RLO (Right-to-Left Override) function to make the file type look like a Word document.
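The subject-line warning for free email senders and a check for RLO-disguised or compressed attachments can be combined in one mail-gateway triage step. The following is an added example, not code from the NPA report or from Hitachi; the domain list, the tag text, and the sample message are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions: constructed sample domains and a hypothetical tag text.
FREE_MAIL_DOMAINS = {"freemail.example", "webmail.example"}
WARNING_TAG = "[FREE-MAIL SENDER]"
ARCHIVE_EXTS = {"zip", "rar", "lzh"}
# Unicode bidirectional controls; U+202E is the Right-to-Left Override (RLO).
BIDI_CONTROLS = set("\u202a\u202b\u202d\u202e\u2066\u2067\u2068")


def triage(raw_bytes):
    """Tag the subject of free-mail messages and list attachment findings."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in FREE_MAIL_DOMAINS:
        findings.append("free-mail sender: " + domain)
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(WARNING_TAG):
            del msg["Subject"]
            msg["Subject"] = WARNING_TAG + " " + subject
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # The real extension follows the last dot in stored (logical) order,
        # regardless of how a bidi-aware UI renders the name.
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if BIDI_CONTROLS & set(name):
            findings.append("bidi control in filename, real extension: ." + ext)
        if ext in ARCHIVE_EXTS:
            findings.append("compressed attachment: ." + ext)
    return msg, findings


def build_sample():
    """Constructed test message: free-mail sender, RLO-disguised attachment."""
    m = EmailMessage()
    m["From"] = "Applicant <applicant@freemail.example>"
    m["To"] = "recruit@corp.example"
    m["Subject"] = "Resume"
    m.set_content("Please find my resume attached.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="Resume\u202ecod.exe")
    return m.as_bytes()


if __name__ == "__main__":
    tagged, found = triage(build_sample())
    print(tagged["Subject"], found)
```

The sample attachment name is stored as "Resume", U+202E, "cod.exe"; a bidi-aware file browser renders it so that it appears to end in ".doc", while the extension the operating system acts on is ".exe".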

Sources:

  1. National Police Agency, "Koho Shiryo: Heisei 25 nen kamihanki no saiba kogeki josei ni tsuite [Press release: update on cyber-attacks in the first half of 2013]," August 22, 2013,
    http://www.npa.go.jp/keibi/biki3/250822kouhou.pdf

