Spear Phishing

[tonybradley]

I am sure everyone has seen all of the year-end summaries declaring 2004 the year of the worm and what not. It was quite a ride at the beginning of the year with the Bagle / Netsky / Mydoom wars releasing multiple variants per day (and users dumb enough over and over again to open attachments called "details.txt" even on the 30th variant of the same damn worm).

But, did anyone see MessageLabs stats for phishing? I used a chart from their 2004 summary report in an article I wrote for last week's Processor Magazine. They showed a ten-fold increase from June to July and it stayed that high and continued to increase through the rest of the year.

At its root, phishing is just spam. if you block or filter the spam effectively the phishing bait never gets to the end user. Once the bait gets to the user's inbox though, phishing is 98% social engineering. There isn't much, if anything, you can do from a technology perspective to help users who are too ignorant or stubborn to understand not to click on links or open attachments in unknown messages. There are exceptions such as phishing attacks that automatically overwrite the HOSTS file or the fact that you can use technology to block access to known phishing web sites, but that is the 2% and blocking each phishing web site is about as effective as blocking each spam sender.

That brings me to "spear phishing". I already think 2005 might be the year of the phishing scam, but now instead of casting a large net across the entire Internet and seeing what kind of phish bite, more sophisticated attackers are learning to use phishing techniques to gain access to networks.

By sending an email designed to look as if it is from tech support or management or the human resources department or whatever of a given company to employees of that company, an attacker can get users to volunteer information that they should know better than to send via email. For instance, rather than sending an email to the whole world claiming to be Paypal and asking for usernames and passwords to "validate" the account database, an attacker can spear phish a single company by sending an email *only* to employees of that company, spoofed to appear as if it is from someone important or someone in support, and ask them for their username and password information to validate user accounts or something like that.

A successful spear phishing expedition would eliminate a couple steps of hacking a network. You wouldn't need to do as much of the recoinnasance and footprinting because you would be granted the keys to enter and work from within.

Any thoughts on the phishing epidemic in general or the concept of spear phishing? The problem with trying to defend against phishing is that the attack is social, not technical. It seems that the only thing that has any chance of working in the long run is user education.

[EriTay]

There seems to be a new trend for phishing, where they checked the way communication is done in a company and send employees emails which look pretty decent attaching a bill which has a trojaner. They also call it dynamite phishing.

[commodon]

I am very familiar with the following scenario whereupon the attacker's goal is to compromise Company "A".

What the attacker(s) will first do is review the website and Internet presence of Company "A", looking for information pertaining to any sort of business relationships with other companies Company "A" does business with.

Next, the attacker will target one or more of the businesses discovered Company "A" has a relationship with and all it takes is for one of these companies to become compromised. Once a system within Company "B" becomes compromised, the attacker will use the compromised system as the source for sending email to one or more users in Company "A", containing content pertaining to the business relationship between the two.

More than likely the email will be allowed through any sort of mail filtering employed by Company "A" because of the historical need of ensuring communication between the two companies. And when the recipient(s) at Company "A" opens email addressed to them from someone professing to be from Company "B", guess what? It's game over for Company "A".

Often the attack involves an attachment sent with the email designed to exploit a vulnerability associated with a common application expected to be found on an end-user's system. Other times the attack involves the use of a hyperlink in the message body to determine connectivity to the Internet from the end-user's system, what web browser the user is running on their system, what type of applications/plug-ins are supported by the browser, etc. With this learned information the attacker can send a more targeted email to leverage a specific vulnerability.

Either way, the end-user's system at Company "A" becomes compromised and despite the end user not being a specific target, their system provides the attacker with what's called a "pivot point" or "beach head" to perform information gathering against other systems in the same network. Worse, if other systems can be discovered, they can be targeted for potential exploitation of any vulnerabilities that might exist.

In the scenario I have described above, this does in fact happen and it has resulted with many organizations becoming compromised because attackers are taking advantage of leveraging "trust relationships" at the company level.

Additionally attackers are targeting specific users at Company "A" in the same manner. In other words, the attacker will spend a great deal of time reviewing the Internet presence of a target user, including information gleamed from their Facebook, Instagram, Twitter, LinkedIn, etc. With a level of personal details available, this provides the attacker with an opportunity to create and send emails that are highly personalized and often indistinguishable.

All of a sudden an employee at Company "A" receives an email from a former co-worker, cousin, etc. and therein lies the challenge or dilemma. The employee lets their guard down and opens the attachment or clicks the link in the message body. BOOM! "It's game over man!" At this point, turn off the lights close the doors and go home because Company "A" is out of business.

In all seriousness how do you stop this?

Firstly, employ segment the network into subnets and use internal firewalls. End users with their desktops, laptops and workstations should NOT be in the same network subnet as that of servers. Period, end of story.

Next, there should be an internal firewall separating the subnets with NO connectivity allowed between them. The only exception would be if connectivity is an absolute necessity, then the firewall is configured to allow connectivity between system "a" and system "b' for a specific port/protocol. The purpose of segmenting is that if an attacker compromises an end-user system, the likelihood of using the end-user's system to go after servers is greatly reduced.

The same is true for wireless devices. Under NO circumstances should the network whereupon wireless enabled devices live have ANY sort of connectivity to any other part of the network. None. Period, end of story.

I could go on, but I think the point is made.

[Carlos Martin]

So, we are not supposed to click on the links sent via email? and, how can we recognize whether it's a means of spear phishing or actually send by authorized destination?

[Mizzy_miz]

So, we are not supposed to click on the links sent via email? and, how can we recognize whether it's a means of spear phishing or actually send by authorized destination?

There's a few ways you can check whether its spear phishing or an authorized email!

- First, without clicking the email you can verify the sender's email to see if they are who they claim to be. I use gmail on my Mac and I can hover over the name of an unopened email and see the sender's email.
- Then you'll want to verify the sender's email is who they are claiming to be (ie. make sure the email matches up exactly to your executive or your bank's email). Sometimes spear phishing email addresses can have slight differences in spelling or punctuation from the authorized email address.
- If you do open the email, you can also hover over the links in the email to see a preview of the URL (mine shows up on the bottom left of my screen). If the links do not look exactly what they claim to be (again checking spelling and punctuation), it's def not safe.