
Thread: Spear Phishing

  1. #1
    tonybradley (AO Security for Non-Geeks)
    Join Date
    Aug 2002

    Spear Phishing

    I am sure everyone has seen all of the year-end summaries declaring 2004 the year of the worm and whatnot. It was quite a ride at the beginning of the year with the Bagle / Netsky / Mydoom wars releasing multiple variants per day (and users dumb enough over and over again to open attachments called "details.txt" even on the 30th variant of the same damn worm).

    But, did anyone see MessageLabs stats for phishing? I used a chart from their 2004 summary report in an article I wrote for last week's Processor Magazine. They showed a ten-fold increase from June to July and it stayed that high and continued to increase through the rest of the year.

    At its root, phishing is just spam. If you block or filter the spam effectively, the phishing bait never gets to the end user. Once the bait gets to the user's inbox, though, phishing is 98% social engineering. There isn't much, if anything, you can do from a technology perspective to help users who are too ignorant or stubborn to understand not to click on links or open attachments in unknown messages. There are exceptions, such as phishing attacks that automatically overwrite the HOSTS file, or the fact that you can use technology to block access to known phishing web sites, but that is the 2%, and blocking each phishing web site is about as effective as blocking each spam sender.

    That brings me to "spear phishing". I already think 2005 might be the year of the phishing scam, but now instead of casting a large net across the entire Internet and seeing what kind of phish bite, more sophisticated attackers are learning to use phishing techniques to gain access to networks.

    By sending an email designed to look as if it is from tech support or management or the human resources department or whatever of a given company to employees of that company, an attacker can get users to volunteer information that they should know better than to send via email. For instance, rather than sending an email to the whole world claiming to be Paypal and asking for usernames and passwords to "validate" the account database, an attacker can spear phish a single company by sending an email *only* to employees of that company, spoofed to appear as if it is from someone important or someone in support, and ask them for their username and password information to validate user accounts or something like that.

    A successful spear phishing expedition would eliminate a couple of steps of hacking a network. You wouldn't need to do as much of the reconnaissance and footprinting because you would be granted the keys to enter and work from within.

    Any thoughts on the phishing epidemic in general or the concept of spear phishing? The problem with trying to defend against phishing is that the attack is social, not technical. It seems that the only thing that has any chance of working in the long run is user education.

  2. #2
    TAZ
    Join Date
    Dec 2004
    Here's my two cents in contribution...that's one cent American by the way...

  3. #3
    Und3ertak3r (The Doctor)
    Join Date
    Apr 2002
    2005: the year of the Spear Phisher and the Parasite (read spyware/adware).

    2004 ended with some of the highest infection rates from parasites and the expectation of higher infestations in 2005.

    > Any thoughts on the phishing epidemic in general or the concept of spear phishing? The problem with trying to defend against phishing is that the attack is social, not technical. It seems that the only thing that has any chance of working in the long run is user education.

    User education and habit changes (forcible): every machine sold in our store is now getting a form stating where to get information on preventing these problems, and that virus and parasite (we do explain what this is) infections ARE NOT A WARRANTY ISSUE and the user should take precautions or pay the cost of the repair.
    "Consumer technology now exceeds the average person's ability to comprehend how to use it...give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  4. #4
    zencoder (AO Senior Cow-beller)
    Join Date
    Dec 2004
    Mountain standard tribe.
    > Any thoughts on the phishing epidemic in general or the concept of spear phishing? The problem with trying to defend against phishing is that the attack is social, not technical. It seems that the only thing that has any chance of working in the long run is user education.

    Tony, I think for many companies the most important step in the right direction would be training. I know it is costly and often deemed ineffective, but an all-hands mandatory session dealing specifically with Social Engineering in ALL its forms, with an emphasis on Phishing and IT Support practices, would save a lot of heartache.

    I hate to admit this, but as a security professional *I* was taken in by an excellent phishing ruse, and luckily I figured it out BEFORE I gave up any info. I'll admit I had no idea it was a ruse up until I was alerted by the strange behavior of my mouse...the email had legitimate-looking links, the URLs (I viewed the source) were valid and everything...but I found a transparent image in a layer that redirected to a URI written in hexadecimal, so no matter what link you clicked, the image hyperlink was followed. If anything should throw up red flags in your face, it's when someone goes to those lengths to obscure a URL/IP address. I alerted the company and sure enough, they confirmed it was a phishing spam and they were currently investigating its source.

    I think directed, in-your-face training about the risks, underscored by a company policy discussion and a review of the acceptable-use policy, is one of the best methods for helping curtail loss due to phishing. I also think that not even 1 company in 20 would currently consider this recommendation.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
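    As an added example (not code from this thread or from any poster), here is a small Python scanner that flags the link tricks zencoder describes: a hyperlink wrapped around an invisible image, a host written in hexadecimal (or percent-encoded), and link text that names a different domain than the href points to. The sample message and the .example domains are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

def decode_host(host: str) -> str:
    """Undo host obfuscation: percent-encoding, or an IP written as one hex/decimal number."""
    host = unquote(host)
    m = re.fullmatch(r"0x([0-9a-f]{1,8})", host, re.IGNORECASE)
    n = int(m.group(1), 16) if m else (int(host) if host.isdigit() else None)
    if n is not None and n < 2**32:              # 0xC0A80001 -> 192.168.0.1
        return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))
    return host.lower()

class LinkScanner(HTMLParser):
    # Collects each <a> as (href, visible text, wraps-an-<img>?)
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._cur = [a["href"], "", False]
        elif tag == "img" and self._cur is not None: self._cur[2] = True  # image inside anchor
    def handle_data(self, data):
        if self._cur is not None: self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(tuple(self._cur))
            self._cur = None

def link_reasons(href: str, text: str, has_img: bool) -> list:
    # Reasons a single link looks like a phishing trick; empty list means nothing odd
    raw = urlsplit(href).hostname or ""
    host, reasons = decode_host(raw), []
    if host != raw.lower():
        reasons.append(f"obfuscated host {raw} -> {host}")
    shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)   # domain-looking link text
    if shown and host != shown[0].lower() and not host.endswith("." + shown[0].lower()):
        reasons.append(f"text shows {shown[0]} but link goes to {host}")
    if has_img and not text.strip():
        reasons.append("image-only link (transparent-image trick)")
    return reasons

def suspicious_links(html: str) -> list:
    scanner = LinkScanner()
    scanner.feed(html)
    return [(h, r) for h, t, i in scanner.links if (r := link_reasons(h, t, i))]

# Constructed sample: an honest link, a transparent-image link to a hex address, an encoded look-alike
SAMPLE_EMAIL = """<a href="http://www.bank.example/login">www.bank.example</a>
<a href="http://0xC0A80001/verify"><img src="blank.gif" style="opacity:0"></a>
<a href="http://%77%77%77.bank.example.evil.example/">bank.example</a>"""
```

    Running `suspicious_links(SAMPLE_EMAIL)` leaves the honest link alone and reports the other two with the reason each was flagged.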

  5. #5
    Black Cluster (In And Above Man)
    Join Date
    Feb 2005
    When it comes to Spear Phishing,

    I do think that companies have a lot to do...

    1- They have to light the way for their staff with some specialized and fast-track lectures and courses.
    2- Websites give a hitherto undreamed-of number of email addresses explicitly on their websites, "fruitful unearned booty" for email harvesters, which increases spamming and Spear Phishing.
    3- Enforcing legislation to restrict business email account usage only to business purposes, as some "careless and insouciant" staff members may use these emails on untrusted websites ("selling their emails to third parties").
    4- Dedicating only one email address for public usage and other purposes, like answering questions and feedback.

  6. #6
    Senior Member
    Join Date
    Jan 2005

    By sending an email <-- avoid clicking the links!

    "By sending an email" <-- the art of phishing or sort of

    So, it's safe to say that "one way to avoid it (phishing) is don't click the links from the e-mail message." To be sure, it's better to type the exact URL for the site you need to visit (especially when it concerns security).

    I hate to admit it, phishing is all over.. I receive plenty every day (both personal and company e-mails), so nobody's safe from it! I am trying to report most cases or block the source so it may not come again (for sure it will find ways...).

    Just be careful.

    "Life without FREEDOM is no life at all". - William Wallace
    MyhomE MyboX StealtH (loop n. see loop.)

  7. #7
    Junior Member
    Join Date
    May 2018
    I fully agree. But I also believe that most CEOs (especially in the SMB space) would take immediate action if they read just a few of the posts in this thread. The problem, though, is that even if they want to take action (and pay for it), they would have a hard time finding service companies working with effective all-organization education in this space in a cost-effective way.
