Spear Phishing
- by Vince
Spear phishing is a targeted email attack, and the message will typically come from someone you know. We’ve been seeing this type of attack more frequently, and the latest one had an interesting twist. Using our domain, sevenlayers.com, and changing the names to protect the innocent, the email was crafted as follows:
----------
From: TrustedUser@sevenllayers.com
To: Victim@sevenlayers.com
Subject: Wire Transfer
Victim,
Did you get a copy of this wire transfer?
Regards,
TrustedUser
----------
Notice that in the From: line, the address is spelled incorrectly. This was how it showed up for the recipient as well, which got me thinking: how did this occur?
After a few questions and answers, I learned that both addresses could appear in the same messages to and from their vendors. My best guess is that a vendor sent a message to them and typed an incorrect address for the one user. The vendor’s system was later compromised, the sent box was harvested, and the erroneous email address was captured in the process.
That’s my best guess, but it’s the only way I could come up with to explain the typo in the one address and not the other.
In this case, it was a little more obvious, but had the address been correctly typed, it would have appeared to be legitimate.
Bottom line -- even if you receive a message from someone, someone you trust, be cautious opening attachments if you’re not expecting what you received. In this example, a PDF was attached and my guess is that it was attempting to exploit an unpatched version of Acrobat to compromise the system.
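
The giveaway in the message above is a From: domain one character away from the real one, which a mail filter can check for mechanically. The following Python is an added example, not code from the original post: it flags sender domains that are a near miss of a trusted domain. The function names, the distance threshold of 2 and the sample message (constructed from the email shown above) are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def sender_domain(raw_message):
    """Domain part of the From: header, lower-cased ('' if absent)."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    _, at, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if at else ""

def classify_sender(raw_message, trusted_domains, max_distance=2):
    """Return (verdict, sender_domain, nearest_trusted_domain_or_None)."""
    domain = sender_domain(raw_message)
    if not domain:
        return ("unparseable", "", None)
    if domain in trusted_domains:
        return ("exact", domain, domain)
    nearest = min(trusted_domains, key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, nearest) <= max_distance:
        return ("lookalike", domain, nearest)  # near miss: hold for review
    return ("external", domain, None)

# Constructed sample, taken from the email shown in the post.
SAMPLE = """\
From: TrustedUser@sevenllayers.com
To: Victim@sevenlayers.com
Subject: Wire Transfer

Victim,
Did you get a copy of this wire transfer?
"""

if __name__ == "__main__":
    print(classify_sender(SAMPLE, {"sevenlayers.com"}))
```

The check looks only at the From: header domain, so an "exact" verdict says nothing about whether the message was spoofed or sent from a compromised account.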