Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Spear Phishing

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002

    Spear Phishing

    I am sure everyone has seen all of the year-end summaries declaring 2004 the year of the worm and what not. It was quite a ride at the beginning of the year with the Bagle / Netsky / Mydoom wars releasing multiple variants per day (and users dumb enough over and over again to open attachments called "details.txt" even on the 30th variant of the same damn worm).

    But, did anyone see MessageLabs stats for phishing? I used a chart from their 2004 summary report in an article I wrote for last week's Processor Magazine. They showed a ten-fold increase from June to July and it stayed that high and continued to increase through the rest of the year.

    At its root, phishing is just spam. if you block or filter the spam effectively the phishing bait never gets to the end user. Once the bait gets to the user's inbox though, phishing is 98% social engineering. There isn't much, if anything, you can do from a technology perspective to help users who are too ignorant or stubborn to understand not to click on links or open attachments in unknown messages. There are exceptions such as phishing attacks that automatically overwrite the HOSTS file or the fact that you can use technology to block access to known phishing web sites, but that is the 2% and blocking each phishing web site is about as effective as blocking each spam sender.

    That brings me to "spear phishing". I already think 2005 might be the year of the phishing scam, but now instead of casting a large net across the entire Internet and seeing what kind of phish bite, more sophisticated attackers are learning to use phishing techniques to gain access to networks.

    By sending an email designed to look as if it is from tech support or management or the human resources department or whatever of a given company to employees of that company, an attacker can get users to volunteer information that they should know better than to send via email. For instance, rather than sending an email to the whole world claiming to be Paypal and asking for usernames and passwords to "validate" the account database, an attacker can spear phish a single company by sending an email *only* to employees of that company, spoofed to appear as if it is from someone important or someone in support, and ask them for their username and password information to validate user accounts or something like that.

    A successful spear phishing expedition would eliminate a couple steps of hacking a network. You wouldn't need to do as much of the recoinnasance and footprinting because you would be granted the keys to enter and work from within.

    Any thoughts on the phishing epidemic in general or the concept of spear phishing? The problem with trying to defend against phishing is that the attack is social, not technical. It seems that the only thing that has any chance of working in the long run is user education.

  2. #2
    Senior Member
    Join Date
    Dec 2004
    Here's my two cents in contribution...that's one cent American by the way...


  3. #3
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    2005 the year of the Spear Phisher and the Parasite (read spyware/ Adware)

    2004 ended with some of the highest infections from parasites and the expectation of higher infestations in 2005

    Any thoughts on the phishing epidemic in general or the concept of spear phishing? The problem with trying to defend against phishing is that the attack is social, not technical. It seems that the only thing that has any chance of working in the long run is user education.
    user education and habit changes (forceable), every machine sold in our store is now getting a form stating where to get information on preventing thes problems and That Virus and Parasite(we do explain what this is) infections ARE NOT A WARRANTY ISSUE and the user should take precaution or pay the costs of the repair..
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me

  4. #4
    AO Senior Cow-beller
    zencoder's Avatar
    Join Date
    Dec 2004
    Mountain standard tribe.
    Any thoughts on the phishing epidemic in general or the concept of spear phishing? The problem with trying to defend against phishing is that the attack is social, not technical. It seems that the only thing that has any chance of working in the long run is user education.
    Tony, I think for many companies the most important step in the right direction would be training. I know it is costly and often deemed ineffective, but an all-hands mandatory session dealing specifically with Social Engineering in ALL it's forms and with an emphasis on Phishing and IT Support practices would save a lot of heartache.

    I hate to admit this, but as a security professional *I* was taken in by an excellent phishing ruse, and luckily I figured it out BEFORE I gave up any info. I'll admit I had no idea it was a ruse up until I was alerted by the strange behavior of my mouse...the email had legitimate looking links, the URL's (I viewed the source) were valid and everything...but I found a transparent image in a layer that redirected to a URI written in Hexadecimal, so no matter what link you clicked, the image hyperlink was followed. If anything should throw up red flags in your face, its when someone goes to those lengths to obscure a URL/IP address. I alerted the company and sure enough, they confirmed it was a phishing spam and they were currently investigating its source.

    I think training directed, in your face training about the risks, underscored by a company policy discussion and a review of the acceptable-use-policy is one of the best methods for helping curtail loss due to phishing. I also think that not even 1 company in 20 would currently consider this recommendation.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    In And Above Man Black Cluster's Avatar
    Join Date
    Feb 2005
    When it comes to Spear Phishing,

    I do think that companies have a lot to do...

    1- They have to enlight the way for its staff by some specialized and fast-track lectures and courses.
    2- Websites give hitherto undreamed amount of email address explicitly on thier websites "Fruitful unearnd booty" for email harvesters. which increases spamming and Spear Phishing.
    3- Enforcing legislations to restrict the business email account usage only for business purposes. As some "Careless and insouciant"staff members may use this emails in untrested websites. "Selling thier emails to third parties"
    4- Dedicating only one email address for the public uasge and other purposes, like answering questions and feedbcks.

  6. #6
    Senior Member
    Join Date
    Jan 2005

    By sending an email <-- avoid clicking the links!

    "By sending an email" &lt;-- the art of phishing or sort of

    So, it's safe to say that "one way to avoid it (phishing) is don't click the links from the e-mail message. To be sure, it's better to type the exact URL for the site you need to visit (especially when it concerns security).

    I hate to admit it, phishing is all over.. I received plenty everyday (both personal and company e-mails), so nobody's safe from it! I am trying to report most cases or block the source so it may not come again (for sure it will find ways...).

    Just be careful.

    \"Life without FREEDOM is no life at all\". - William Wallace
    MyhomE MyboX StealtH (loop n. see loop.)

  7. #7
    Junior Member
    Join Date
    May 2018
    I fully agree. But I also believe that most CEO's /especially in SMB space) would take immediate action if they read just a few of the posts in this threat. The problem is though, that even if they want to take action (and pay for it), they would have a hard time finding service companies working with effective all-organization education in this space in a cost-effective way.

  8. #8
    Junior Member
    Join Date
    Aug 2017
    There seems to be a new trend for phishing, where they checked the way communication is done in a company and send employees emails which look pretty decent attaching a bill which has a trojaner. They also call it dynamite phishing.

  9. #9
    Junior Member
    Join Date
    May 2004
    I am very familiar with the following scenario whereupon the attacker's goal is to compromise Company "A".

    What the attacker(s) will first do is review the website and Internet presence of Company "A", looking for information pertaining to any sort of business relationships with other companies Company "A" does business with.

    Next, the attacker will target one or more of the businesses discovered Company "A" has a relationship with and all it takes is for one of these companies to become compromised. Once a system within Company "B" becomes compromised, the attacker will use the compromised system as the source for sending email to one or more users in Company "A", containing content pertaining to the business relationship between the two.

    More than likely the email will be allowed through any sort of mail filtering employed by Company "A" because of the historical need of ensuring communication between the two companies. And when the recipient(s) at Company "A" opens email addressed to them from someone professing to be from Company "B", guess what? It's game over for Company "A".

    Often the attack involves an attachment sent with the email designed to exploit a vulnerability associated with a common application expected to be found on an end-user's system. Other times the attack involves the use of a hyperlink in the message body to determine connectivity to the Internet from the end-user's system, what web browser the user is running on their system, what type of applications/plug-ins are supported by the browser, etc. With this learned information the attacker can send a more targeted email to leverage a specific vulnerability.

    Either way, the end-user's system at Company "A" becomes compromised and despite the end user not being a specific target, their system provides the attacker with what's called a "pivot point" or "beach head" to perform information gathering against other systems in the same network. Worse, if other systems can be discovered, they can be targeted for potential exploitation of any vulnerabilities that might exist.

    In the scenario I have described above, this does in fact happen and it has resulted with many organizations becoming compromised because attackers are taking advantage of leveraging "trust relationships" at the company level.

    Additionally attackers are targeting specific users at Company "A" in the same manner. In other words, the attacker will spend a great deal of time reviewing the Internet presence of a target user, including information gleamed from their Facebook, Instagram, Twitter, LinkedIn, etc. With a level of personal details available, this provides the attacker with an opportunity to create and send emails that are highly personalized and often indistinguishable.

    All of a sudden an employee at Company "A" receives an email from a former co-worker, cousin, etc. and therein lies the challenge or dilemma. The employee lets their guard down and opens the attachment or clicks the link in the message body. BOOM! "It's game over man!" At this point, turn off the lights close the doors and go home because Company "A" is out of business.

    In all seriousness how do you stop this?

    Firstly, employ segment the network into subnets and use internal firewalls. End users with their desktops, laptops and workstations should NOT be in the same network subnet as that of servers. Period, end of story.

    Next, there should be an internal firewall separating the subnets with NO connectivity allowed between them. The only exception would be if connectivity is an absolute necessity, then the firewall is configured to allow connectivity between system "a" and system "b' for a specific port/protocol. The purpose of segmenting is that if an attacker compromises an end-user system, the likelihood of using the end-user's system to go after servers is greatly reduced.

    The same is true for wireless devices. Under NO circumstances should the network whereupon wireless enabled devices live have ANY sort of connectivity to any other part of the network. None. Period, end of story.

    I could go on, but I think the point is made.

  10. #10
    Junior Member
    Join Date
    Apr 2019
    So, we are not supposed to click on the links sent via email? and, how can we recognize whether it's a means of spear phishing or actually send by authorized destination?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts