Cybercriminals switching to complex, targeted email attack vectors

According to security researcher Brian Krebs, employees at more than 100 email service providers are now being targeted by spear-phishing hackers seeking to gain access to the mail service providers' master account credentials.

The aim of the strategy, he says, is to target staff at specific companies, and so plunder their resources.

"The attacks are a textbook example of how organised thieves can abuse trust relationships between companies to access important resources that are then recycled in future attacks", he said in his security blog.

Citing multiple sources, Krebs says that the resultant attacks arrived as malware-laden messages addressing service provider employees by name, and in many cases included the name of the mail service provider in the body of the message.

The poisoned messages, he says, use a variety of ruses, but generally include an invitation to view images at a URL – included in the message – and purporting to be a wedding photo or e-greetings card.

Recipients who click on the links, he adds, are redirected to sites that attempt to silently install software designed to steal passwords and give the hackers remote control of infected systems.

Krebs quotes Neil Schwartzman, a senior director of security strategy at Return Path, as saying that the spear-phishing attacks have targeted email marketing companies that manage opt-in campaigns for some of the biggest corporate brands in existence.

"This is an organised, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems", he said.

"Further, the potential consequences should ESP client mailing lists be compromised at this time of the year is unimaginable", he added.

According to Schwartzman, the malware that the hackers are trying to get users to download installs a commercial password-stealing program called iStealer.

Krebs says that he grabbed a copy of the program from one of the malicious links included in a phishing email and scanned the software on the VirusTotal service.

The result, he says, is that only two of the anti-virus products on the service – out of more than three dozen – actually detected it as malicious or even suspicious.

 
