It looked like an innocent e-mail Christmas card from the White House.
But the holiday greeting that surfaced just before Christmas was a ruse by cybercriminals to steal documents and other data from law enforcement, military and government workers — particularly those involved in computer crime investigations.
Analysts who have studied the malicious software said Tuesday that hackers were able to use the e-mail to collect sensitive law enforcement data.
But so far there has been no evidence that any classified information was compromised.
The targeted e-mail attack comes as the federal government is desperately trying to beef up its cybersecurity after the release of thousands of State Department cables and military documents by the WikiLeaks website.
Federal authorities want to improve technology systems and crack down on employees to prevent the theft or loss of classified and sensitive information.
'We're profoundly grateful'
The red holiday e-mail card, with its brightly decorated Christmas tree, prompted recipients to click on a link, which would then download the ZeuS malware — a well-known malicious code that is often used to steal passwords and other online credentials, primarily to poach Internet banking information.
The blog Krebs on Security, run by former Washington Post staffer Brian Krebs, published the contents of the e-mail message and a picture of the card. It included the message "Wishing you a Merry Christmas and a very happy, prosperous New Year."
"As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission," it said.
The e-mail, which purported to have been sent from the Executive Office of the President of the United States, included two links that people could click on.
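The lure described above relies on a mismatch the recipient never checks: the message claims to come from one organization while its links lead somewhere else and fetch a file. The following triage script is an added example, not code from the analysts or from the original report. The e-mail, the sender address, the link targets and the trusted-domain rule are all constructed for illustration; the script flags any link whose domain differs from the purported sender's and any link that points at an executable archive.

```python
"""Triage a suspected lure e-mail: do the links agree with the claimed sender?

Added example. The sample message is constructed; every address and host
in it is an assumption for illustration, not data from the incident.
"""
import email
import re
from email.policy import default
from urllib.parse import urlparse

# Constructed sample: a greeting that claims to come from an executive office
# (eop.example) but links out to an unrelated host for the "card".
SAMPLE_EML = """\
From: "Executive Office of the President" <greetings@eop.example>
To: analyst@agency.example
Subject: Merry Christmas
Content-Type: text/html; charset=utf-8

<html><body>
<p>Wishing you a Merry Christmas and a very happy, prosperous New Year.</p>
<p><a href="http://cards.holiday-greetings.example/card.zip">View your card</a></p>
<p><a href="http://www.eop.example/">Visit our site</a></p>
</body></html>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
# File types a greeting card has no business linking to (assumed list).
RISKY_EXT = (".zip", ".exe", ".scr", ".pif")


def registrable(host):
    """Crude eTLD+1: the last two labels. Adequate for the sample; a real
    triage tool should consult the Public Suffix List instead."""
    return ".".join(host.lower().split(".")[-2:])


def sender_domain(msg):
    """Domain of the (possibly spoofed) From address, e.g. eop.example."""
    return registrable(msg["From"].addresses[0].addr_spec.rsplit("@", 1)[-1])


def triage(raw):
    """Return the claimed sender domain and a list of (url, reasons) findings."""
    msg = email.message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    claimed = sender_domain(msg)
    findings = []
    for url in HREF_RE.findall(body):
        host = urlparse(url).hostname or ""
        reasons = []
        if registrable(host) != claimed:
            reasons.append("link domain differs from purported sender")
        if url.lower().endswith(RISKY_EXT):
            reasons.append("link points at an executable archive")
        if reasons:
            findings.append((url, reasons))
    return {"sender_domain": claimed, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    print("claimed sender:", result["sender_domain"])
    for url, reasons in result["findings"]:
        print(url, "->", "; ".join(reasons))
```

The check is deliberately independent of the malware: it looks only at where the message says it is from and where it wants the reader to go, which is exactly the inconsistency a spoofed holiday card cannot hide.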
Krebs, who was named a "cybercrime hero" by Cisco Systems in 2009 for his reporting on the issue, said he had been able to analyze the documents taken in the attack and that dozens of people had fallen for the scam.
He said he was "reasonably confident" that he could identify several of the victims, saying they included:
- A Massachusetts State Police intelligence analyst, who "may have recently received top-secret clearance." Krebs said the documents obtained by the cyberattack "appear to be records of court-ordered cell phone intercepts."
- A worker with the Financial Action Task Force, a body set up to develop national and international policies against terrorist financing and money laundering.
- An employee of the National Science Foundation's Office of Cyber Infrastructure. Documents obtained, Krebs said, included hundreds of grant applications for new technologies and scientific projects.
Krebs included a screenshot of one of the stolen documents, a Homeland Security Department message entitled "The Fundamentals of OPSEC" (Operations Security).
The malware was created several years ago and is widely available for criminals to acquire and adapt. It has been used to steal millions of dollars.
In this case, however, the code downloaded a second payload that is designed to steal documents from the recipient's computer, accessing Microsoft Word and Excel files.
Don Jackson, director of threat intelligence for Atlanta-based SecureWorks, a computer security consulting company, said the attack was somewhat small and targeted at a limited number of groups with law enforcement, military and government affiliations.
It was small enough, he said, to suggest that it was sent out manually and not by a large network of infected computers.
He said it was not large enough to be picked up by cybersecurity spam traps or sensors.
Alex Cox, principal research analyst for NetWitness, a cybersecurity firm in northern Virginia, said the e-mail was sent out just a day or so before Christmas, delivered by a command-and-control server in Belarus.
He and Jackson said they believe this ZeuS version was created by the same people who launched a similar but much larger attack last February.
Cox, who uncovered that earlier ZeuS variant last year when it had infected at least 74,000 computers, said it's hard to determine how many people were affected or how many documents were stolen in this latest attack.
Jackson said that the hackers stole at least several gigabytes of data.
Analysts learned of the e-mail attack last week and have spoken with federal authorities about it.
Homeland Security Department spokeswoman Amy Kudwa said officials were aware of the ZeuS e-mail and were monitoring it along with other similar malware attacks that have been tracked for some time.
Cox and Jackson would not disclose details on who was attacked or what documents may have been compromised, but agreed that the hackers probably were after the documents, rather than any banking or financial passwords.
One theory, said Jackson, is that the hackers were looking for information about law enforcement cases and investigative techniques related to cybercrime so that they could sell it to other criminals.
'Who is the end consumer?'
The e-mail attack, however, underscores the continuing vulnerability of government workers and their computer systems to versions of the ZeuS malware.
Attackers can easily repack or lightly modify the binary for each campaign so that signature-based antivirus software no longer recognizes it.
"Criminals have found that if they change the files in small ways it can slip past antivirus software," said Jackson.
While ZeuS-related attacks are fairly common, this latest one stood out because of the use of the White House connection to lure recipients in and the targeted way it went after law enforcement, analysts said.
One U.S. official said that the code was rather poorly written. The hackers could only get easily accessible documents and not those filed deep within layers of folders on the hard drive, said the official, who spoke on condition of anonymity to discuss ongoing investigations.
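Because each repacked ZeuS build slips past file signatures, the stage worth detecting is the behaviour the second payload cannot avoid: one process reading many Word and Excel files from the easily reached user folders in a short burst. The script below is an added example of that behavioural rule, not the analysts' or any vendor's detection logic. The file-access log lines are constructed, the log format is assumed, and the window and thresholds are illustrative choices.

```python
"""Behavioural detection for the document-harvesting stage.

Added example. Flags any process that reads an unusual number of distinct
Office documents, spread across several folders, within a short window.
The log format and the sample events are constructed for this example.
"""
import ntpath  # Windows path semantics regardless of the host running this
from collections import defaultdict
from datetime import datetime, timedelta

DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx"}
WINDOW = timedelta(minutes=2)   # assumed: burst length worth alerting on
MIN_DOCS = 5                    # assumed: distinct documents in the window
MIN_DIRS = 2                    # assumed: spread across this many folders

# Constructed events: "<iso time> <host> <pid>:<image> <event> <path>"
SAMPLE_LOG = """\
2010-12-23T14:02:01 ws17 4120:winword.exe READ C:\\Users\\jdoe\\Documents\\report.docx
2010-12-23T14:02:05 ws17 4120:winword.exe READ C:\\Users\\jdoe\\Documents\\report.docx
2010-12-23T14:03:10 ws17 5532:svchost.exe READ C:\\Users\\jdoe\\Documents\\report.docx
2010-12-23T14:03:11 ws17 5532:svchost.exe READ C:\\Users\\jdoe\\Documents\\intercepts.xls
2010-12-23T14:03:11 ws17 5532:svchost.exe READ C:\\Users\\jdoe\\Desktop\\opsec.doc
2010-12-23T14:03:12 ws17 5532:svchost.exe READ C:\\Users\\jdoe\\Desktop\\grants.xlsx
2010-12-23T14:03:12 ws17 5532:svchost.exe READ C:\\Users\\jdoe\\Downloads\\memo.docx
2010-12-23T14:03:13 ws17 5532:svchost.exe READ C:\\Users\\jdoe\\Downloads\\notes.txt
2010-12-23T14:09:00 ws17 4120:winword.exe READ C:\\Users\\jdoe\\Documents\\letter.docx
"""


def parse(line):
    """Split one log line; the path is the remainder so spaces in it survive."""
    ts, host, proc, event, path = line.split(None, 4)
    return datetime.fromisoformat(ts), host, proc, event, path


def is_document(path):
    return ntpath.splitext(path)[1].lower() in DOC_EXTS


def detect(log_text, window=WINDOW, min_docs=MIN_DOCS, min_dirs=MIN_DIRS):
    """Return one alert per (host, process) whose densest read burst exceeds
    the thresholds. The process image is not consulted: a repacked sample
    under any name triggers the same rule."""
    reads = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, event, path = parse(line)
        if event == "READ" and is_document(path):
            reads[(host, proc)].append((ts, path))

    alerts = []
    for (host, proc), events in reads.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            docs = {p for _, p in events[start:end + 1]}
            dirs = {ntpath.dirname(p) for p in docs}
            if len(docs) >= min_docs and len(dirs) >= min_dirs:
                if best is None or len(docs) > best["documents"]:
                    best = {"host": host, "process": proc,
                            "first_read": events[start][0],
                            "documents": len(docs), "directories": len(dirs)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['host']} {a['process']}: {a['documents']} documents in "
              f"{a['directories']} folders from {a['first_read']:%H:%M:%S}")
```

On the sample, the word processor touching the same file twice and another file six minutes later stays quiet, while the second process that sweeps five documents across Documents, Desktop and Downloads in three seconds is reported. That pattern also matches the official's observation that the payload only reached easily accessible files: a harvester that never descends deep into the folder tree still produces a dense burst at the top of the user profile, which is precisely what the rule keys on.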
However, Cox told Security News Daily it was an example of the "continuing convergence of cybercrime and cyberespionage activities."
"The question ... is: 'Who is the end consumer of this information?'" he added.
The Associated Press contributed to this report.