Given the popularity of the technology, and ease of blending in...those things can be a real bitch to spot. And as a card carrying BOFH, it truly pains me to say it ... But it's damn hard to blame the user for missing one of these.
Agree. This particular client isn't a fool. I've worked with her for about 10 years now. She's actually one of those responsible types who made sure she was tech-savvy above and beyond the requirements of her job. And she was devastated when this thing hit. Especially once she realized just how serious it was. Being a remote-located employee made her especially vulnerable. And being a non-dork, the very first thing she did was assume she herself had done something stupid. (She didn't, btw.)
To make it even more interesting, the odds are pretty good that if it actually did come in via an infected attachment (as I suspect it did), the person who sent it to her didn't know it was loaded either. Her company passes a lot of attachments back and forth for follow-up work, processing, client contact, etc. Some of it originates in-house. But the rest (60-70%) is generated by their clients. So it could have come from anywhere.
What's disturbing is that their e-mail provider's security didn't twig on it either. Can hardly blame the desktop when it's not showing a blip on the server's scanners, right? Her only warnings were that (a) her machine seemed ever so slightly slower starting up roughly three mornings before everything went south (she manually reboots each morning just to make sure it's "tidy" as she puts it) - and (b) that her scheduled Windows Update check (running daily at midnight and 6:00am) failed to complete two times in a row the day it happened.
This ain't script-kiddie stuff she got hit with. This is definitely the work of pros.
Scary! And just the tip of the iceberg I'm afraid.