Spring. For some it signals rejuvenation, rebirth, everything blooming… but for security administrators it can mean new security risk. Spring means that the next round of college seniors will be entering the workforce soon, which for phishers means a fresh group of targets. Hopefully their college educations have prepared them for the majority of challenges they will face, but when it comes to phishing that is unlikely. The types of phishing emails students and consumers receive are quite different from what employees receive, and without training, young employees can’t be expected to avoid tactics they haven’t seen.
This email sent to Kansas State students attempts to elicit login and password information.
In the higher-education arena, hackers want to infiltrate universities for the purpose of stealing credentials, to gain access to user accounts to send spam from the accounts or use university resources. (Here is a recap of the phishing problems higher education faces: http://blog.phishme.com/2012/05/educause-2012-spc-quick-review/ ) Take this recent attack on the University of Illinois as an example. Consequently, the most common phishing tactics college students face is a simple solicitation of login credentials in the body of the email. Kansas State provides examples of phishing attacks sent to its users (see the image to the left). Slightly more capable attackers may provide a URL taking recipients to a phony landing page that appears to be from the IT department.
University-focused spear phishing attacks typically don’t employ a high level of sophistication. Attackers are not packing malware or setting up masked command and control to go after students and faculty. (At least we should say the incidents that are publicized. That doesn’t mean that there are not advanced threat actors targeting university grant based R&D, hospitals, fundraising and endowment investments.)
Enterprises face much more varied and dangerous risks, as cyber criminals, nation-states, and hacktivists are all targeting their intellectual property and sensitive information. In addition to the data entry tactics, employees at large organizations receive highly targeted and customized spear phishing emails containing malicious links and attachments. Adversaries use a variety of continually evolving social engineering techniques, such as conversational phishing, to trick recipients. A young employee who has never received a targeted phishing email may not realize how adversaries gather details to write emails tailored to the recipient and organization, nor understand the implications of clicking on a malicious link or attachment. They may think they know what spear phishing is based on university security awareness campaigns. Furthermore, this generation of new workers is extremely connected through social media, providing attackers with ample information to use in targeted emails.
Graduating students may think they know what spear phishing is based on university security awareness campaigns.
New employees – whether young or experienced – may also think their role is not significant enough to merit receiving a targeted email, or that security isn’t their responsibility. Last fall, PhishMe commissioned a poll that revealed almost half of all respondents were more concerned about being phished at home than at work. There is definitely a prevailing notion in the workforce that security is the IT department’s concern, a view some in our industry recklessly share. As they begin their jobs, this year’s graduating seniors will undergo a great deal of training, both formal and informal, so why shouldn’t security be part of that?
This post isn’t intended to pick on graduating seniors, as they are no different than any new employee in many respects. For instance, if you are defense contractor that is constantly bombarded with phishing emails, any new employee may require training, regardless of experience. This is why it’s important for security awareness to be a continuous process throughout the year. When security awareness is part of your organization’s culture, the security risk posed by new employees can be more easily mitigated.
One of the many pre-built training modules included in PhishMe focuses on educating new employees about the differences between the consumer focused phishing they are used to receiving, and the enterprise-focused spear phishes targeting employees. Typically this content is reserved for PhishMe customers, but we wanted to share an example in this case:
If a user is tricked into revealing login credentials to a false landing page, 2-factor authentication will only limit the time the hacker has access to the account. Attackers would need to collect the 2nd factor of authentication, but the underlying tactics would remain the same. Even if a session cookie expires every few hours (which for Twitter would be days – not hours or minutes), then the attackers would still be able to cause the kind of mayhem we saw today. As we saw, it only took minutes for a tweet to make stock trading algorithms go bonkers. The following graphic provides a visual of the process a hacker would follow to get past 2-factor authentication (note that this isn’t how the AP was hacked, it’s how a hacker would attack Twitter ifit had 2-factor authentication):
For an organization like the AP, which likely has multiple users accessing its Twitter account, security measures would have to extend to whatever platform it uses to perform group tweeting. At PhishMe, we have struggled to find an effective way to share tweeting privileges, as Twitter itself doesn’t offer a way to do this; we’ve been forced to use 3rd party platforms. Any additional security Twitter implements won’t be very valuable for organizations if it doesn’t also roll out an ability to have multiple users tweet from an account.
This is not to say Twitter shouldn’t implement a more robust layer of authentication, but it also begs the question of how far should it go? Twitter wasn’t designed for group use. If it adds layers of security, will it solve the group use problem?
The fact is, if the AP employees had recognized the phishing email, and never surrendered login information in the first place, this all may have been avoided. As long as users fall for these tactics, adversaries will develop tactics to trick users into leading them around technical security layers.
A report from ProofPoint released at the RSA conference discussed what is supposedly a new phishing technique dubbed “longline” phishing. The report touts “longlining” as the newest way criminals are sending phishing emails in efforts to bypass technical controls. Mass customization of emails allows criminals to fly under the radar of most email filters and successfully deliver spear-phishing emails to a larger number of email users at a single organization. This tactic combines the best of both worlds from the criminal’s standpoint, but it doesn’t really change the game in terms of defending against phishing attacks, as your users still provide the most effective line of defense against the phishing threat.
Whether “longline” phishing is actually a new type of attack or not, Security Officers should focus on the fact that adversaries will continue to modify their attack strategies to circumvent or evade technical controls in an attempt to directly exploit humans. This is why it’s increasingly critical for organizations to invest in proven and effective behavioral change programs that educate users about the attacks that target them.
If you have trained your entire user base on the variety of techniques used in spear phishing emails, they will be able to recognize and respond to attacks, even highly personalized and targeted ones. Basically, a well-trained user base that knows how to properly react to phishing emails will keep your enterprise prepared as cyber criminals, nation states, and hacktivists continue to refine their tactics to get past technologies designed to stop them. Regardless of what kind of tactics they use, the core goal of a phishing email is to trick the human – getting past technology is just a roadblock. This fits in with the points Aaron made about “sophisticated” attacks in our last post. A savvier user base makes “longlining” not quite as scary as it’s made out to be.
In addition to dramatically decreasing the attack surface, increasing employee awareness increases user-reported incidents, which provides incident responders with near real-time information about attacks. This additional source of information can have a significant impact on mitigation and containment strategies and allows responders to focus on proactive measures.
A thriving user reporting program could be especially useful when an enterprise is hit by longlining attack. According to ProofPoint, “longlining” means that in a matter of hours, adversaries “can cost-effectively send 10,000 or even 100,000 individual spear phishing messages, all capable of bypassing traditional security.” If security administrators are aware of phishing attacks, they can react faster and limit the damage of an attack.
This doesn’t dismiss the need for technology solutions (as we’ve discussed before), but highlights the never ending cat and mouse game that has become email security. In the end an aware workforce is still the best way to fill technology gaps exploited by “new” phishing techniques like “longlining” and will continue to be a CSOs most pervasive and effective weapon again advanced threats.
What do nearly all of the recent high-profile data breaches have in common? They have all been traced to sophisticated threats and cyber criminals. While there are many disagreements in the security industry, after every significant breach nearly everyone agrees that it was sophisticated (Twitter, Apple, and the Department of Energy are some of the unfortunate organizations to be compromised by a sophisticated attack recently).
On the surface, it isn’t hard to see why. First, technology vendors need attackers to be super sophisticated, because simple tactics couldn’t circumvent their products, right? For victims of a breach, it is advantageous for it to seem as though it took a sophisticated actor to penetrate its network. And from the incident response standpoint, it behooves IR consultants to describe these breaches as ultra-sophisticated to help their customers save face.
All of this has created the impression that we are constantly under attack by some spooky, mysterious, sophisticated adversary. And while everyone seems to agree that the attacks are sophisticated, we still don’t have a real definition of what it actually means to be sophisticated.
The recent APT1 report from Mandiant® provided us with a wealth of information to process (discussed in our blog post here) and it could help us pin a definition on the elusive meaning of sophisticated.
According to the report, APT1 is a well-organized group that has most likely operated with significant financial backing from the Chinese government. The scale of APT1’s operations, Mandiant said, would require the backing of a sophisticated organization. Suffice it to say that being backed by the government of the most populous country in the world means there is a pretty high level of sophistication in the organization of APT1, but when it comes to their tactics, their level of sophistication is more cheap yellow mustard than Grey Poupon. (Anybody else notice that APT1 was using tools right out of Hacking Exposed books? You have to wonder…) Mandiant has been clear on this position, APT1 wasn’t the most capable in terms of technical showmanship. And they didn’t have to be.
First, as the Mandiant report noted, APT1 (and most cyber criminals and nation states) uses spear phishing as its preferred method of entry. Carrying out the phishing tactics described in the report doesn’t require a CS degree from MIT. Packed executable malware in zip files? Not Sriracha, but total Weak Sauce. Would anyone consider registering a free webmail account under the name of a company’s executive and sending out fake emails to be sophisticated? Furthermore, this has been a common tactic for years, so even if it were highly sophisticated, users should be made aware of it.
The conversational phishing tactics discussed by APT1 and in our previous blog posts is another effective, yet minimally sophisticated tactic. Is it highly sophisticated to respond, “It’s legit” when a recipient questions the email’s authenticity? It would be pretty difficult to craft a more simplistic response than that. In this case, it’s not difficult to educate employees to verify an email via phone or in-person rather than through email if they question the authenticity.
Phishing tactics are constantly evolving, but there are ever-present characteristics that identify them. A user base that questions unexpected emails, verifies suspicious emails through alternate means, is wary of attachments and links in emails, and knows to avoid giving out login credentials is going to be resilient to the attack vector preferred by the “sophisticated” adversaries we keep hearing about.
All phishing emails, regardless of the techniques they employ, are trying to exploit human nature, meaning a continually educating a user base that is vigilant can prevent a majority of attacks from succeeding. Technology may change, but human nature has remained constant. This is why so many phishing emails appeal to greed or fear.
So maybe phishing itself isn’t highly sophisticated, but shouldn’t anti-virus protect against the simple threats? Not necessarily. With the current state of AV, a hacker merely needs to mildly tweak their code packer to avoid detection. These aren’t ultra-complicated techniques, as AV will only protect you against yesterday’s threat.
One thing I have always wondered is why is the “sophisticated” malware linked to a public breach isn’t released to the public? If this stuff is indeed so complex and difficult to defend against, shouldn’t we share it with the best and brightest in the industry, so they can analyze the malware? Could the payloads be less sophisticated than we’ve all been made to believe? It would be very instructive for the security community if we could have access to the malware and decide for ourselves what constitutes a sophisticated capability.
In summary, these sophisticated threats are sophisticated in the sense that they are highly organized and have significant resources at their disposal, but the tactics they employ to breach networks are not anything mysterious or too hard for us to defend against. Sure, a zero day exploit might be scary, but, even the best zero day in an email or booby trapped URL can be avoided by an educated user base.
I’m not sure how long organizations are going to be able to wave the “way-too-Sophisticated” flag and get a pass. Maybe one day we will have an open review and create a Sophistication Rating System.
I propose a Sophistication Rating System… the SRS
Scale from 1 to 10:
10: New,-custom stuff with zero days
5-6: Average well known Trojan packed with new packing method
3: Just your average Zeus Trojan packed easily or with known packing tools
1: a simple unpacked Trojan…
I wasn’t sure if I even wanted to blog about this. Shouldn’t I just be grateful that these breached organizations are brave enough to publicly disclose? Am I nitpicking about the use of the word sophisticated or are others feeling the same way?
–Aaron Higbee @higbee
p.s. I’m a big fan of the Contgio Malware Dump. Thank you for the good work you do.
“It’s legit,” an APT1 hacker wrote in response to a recipient who questioned the validity of a spear phishing email sent by the now notorious Chinese hacking group. This recipient had the awareness to initially question the authenticity of the phishing email, but when APT1 responded, it added an element of trustworthiness to its communication, one that could trip up even a savvy employee.
This is one of the tactics Mandiant® described in its report about APT1, and is something we at PhishMe® have observed as well from both our customers and our contacts in the industry. To address this issue, we rolled out the Double Barrel, a new scenario type that will simulate the conversational phishing techniques used by advanced adversaries like APT1. This has been in development for months, and it was a happy coincidence that we rolled this out the same week that Mandiant provided the world with a concrete example.
One important thing to note about this feature is that it is intended for our veteran customers who already have mature PhishMe programs in place. This is for a user base that is already resilient to basic phishing tactics. At PhishMe, we’re proud to not only provide our customers with new features, but to have a customer base mature enough to demand them. Just as the “P” in APT stands for persistent, our customers need to be persistent in training their user base, and the Double Barrel will allow our customers to enhance their already successful programs in a meaningful way that addresses a real world problem.
Just as the name suggests, the Double Barrel allows our customers to send not one but two phishing emails in each campaign. A Double Barrel scenario sends one benign email (the lure) that contains nothing harmful and doesn’t solicit any response from the recipient. It could be a friendly introduction such as, “Hello, we met at XX Conference last week, I have a report I’d like you to review, I will send it over shortly.” An hour or so later, the aforementioned report arrives, just as promised.
Double Barrel scenarios can be customized to swap delivery order (sending the lure after the malicious email), stagger the delay between emails, and flag one or both emails as “Urgent.”
As with all other PhishMe scenarios, Double Barrel features a bevy of content developed by our team and based on our real world experience:
There’s no shortage of interesting points to take away from the Mandiant® report about the Chinese hacking group APT1 released Tuesday, with many of Mandiant’s findings confirming the threat organized attacker teams pose to enterprises.
First and foremost, the report states, “the most commonly observed method of initial compromise is spear phishing.” This backs up our main message for organizations – to remain focused on the core problem of people being the main vulnerability. Organizations need to proactively address this by developing a user base that is resilient to spear phishing attacks. This doesn’t discount the importance of technology (see our blog post about the NY Times breach), but security behavior management can’t be ignored.
Prior to co-founding PhishMe®, I served as the Managing Director of Mandiant’s New York office; and our Executive Vice President, Jim Hansen, served as the Chief Operating Officer at Mandiant. The trends we observed during our time at Mandiant and in the field helped form the basis for PhishMe, and have positioned us to offer numerous features that address many of the tactics discussed in Mandiant’s report.
The report notes that spear phishing emails often deliver malware in the form of zip files attached to the email. This echoes the TrendMicro® report from late 2012, which concluded that 94% of targeted emails use malicious file attachments. Applying our experience in the field, PhishMe has provided our customers the ability to send employees mock phishing emails with zip attachments for years.
Another phishing tactic PhishMe simulates is luring users to enter sensitive data through seemingly genuine webpages. The bottom of page 48 of Mandiant’s report described an example of APT1 creating a false domain designed to mimic a Yahoo! site, with the goal of collecting user login credentials. Traditionally, this type of phishing has been more of a problem for colleges and universities, but clearly the use of stolen credentials is part of the APT game plan and remains a threat to enterprise security. It took our development team quite a bit of engineering to safely simulate this attack vector without executing code and ensuring that we don’t collect the sensitive data.
While PhishMe has offered the above-mentioned features to our customers for some time, we continue to roll out new features based on patent-pending technologies to address tactics used by groups such as APT1. Page 29 of the Mandiant report cited an example of the recipient of a phishing email interacting with APT1 in a conversational manner, with the APT1 attackers establishing both authenticity and trustworthiness by sending a benign email encouraging the recipient to interact with another email containing the malware. PhishMe recently rolled out a feature, called Double Barrel, which allows our customers to immerse their employees in this experience; something we’ll discuss in greater detail in an upcoming blog post.
In describing the nature of phishing emails, Mandiant noted that they often contain information relevant to the recipient found via Internet searches, such as a name of a colleague (the report described an email sent to Mandiant employees under CEO Kevin Mandia’s name, but from a free webmail account, a tactic we discussed in a previous blog). TrendMicro’s report echoed this finding. With PhishMe’s new Highly Visible Target Identifier, customers can scour such data with the click of a few buttons to find which of their employees have highly visible online presences, and are thus more likely to be sent targeted phishing emails.
Mandiant’s report also described the high costs of launching a phishing campaign, noting that APT1 controlled a large infrastructure of physical systems and hundreds of domains. The large investment required to carry out attacks means that attackers are trying to maximize the use of those resources by sending large batches of emails rather than targeting 1 or 2 users. This is consistent with trends our customers have reported to us, and underscores the need to train your entire user base, as hundreds of employees may receive a phishing email at once.
Mandiant’s findings are fascinating, and can’t be addressed in one blog post. However, from the spear phishing standpoint, the report provides confirmation of what PhishMe has known for a while: APT will try to gain a foothold in enterprise systems through the employees. By focusing on improving employee resilience to spear phishing attacks, enterprises can greatly reduce susceptibility to a breach. In fact, attack detection windows can be reduced when trained employees call these attacks in. Our history in this space helped make PhishMe an industry-leading, world-class product; and we will continue to rely on our industry connections and reports from our customers to make sure we stay ahead of the curve.
PhishMe (along with our giant bowl of Swedish Fish) will be attending the RSA conference this month for the second time, and we’re pretty excited to be returning to the City by the Bay. We’ve grown a lot since last year’s conference, and this year provides us with a chance to show off how PhishMe has evolved – both as a product and company.
Who better to help us preview our first big event of the year than our founders, CEO Rohyt Belani and CTO Aaron Higbee? I conducted short interviews with each outlining what they are looking forward to, not only about returning to the conference but also about visiting San Fran itself.
Some highlights:
Rohyt and Aaron didn’t have a love at first sight experience with the RSA conference. How have their impressions of this conference changed?
Rohyt previews his panel discussion, to be held Tuesday, February 27 at 2:30 PM.
Both provide advice for first-time attendees
What are the best food and drink spots near the Moscone Center?
See San Francisco through the eyes of a New Yorker, and what to watch out for on the mean streets of the city
If you’ll be in San Francisco for the conference, make sure to stop by our booth #2727 to learn about PhishMe’s new features, chat about your own experiences with phishing, win prizes in our daily raffle; and yes, eat some Swedish Fish!
Most of you are probably aware of the breach that occurred at the New York Times. Employee passwords and sensitive information related to an investigative news story covering the finances of Wen Jiabao, China’s Prime Minister, were compromised. The New York Times’research helps give them a competitive advantage in their industry, it is their proprietary information. It is the equivalent to the theft of financial reports, blueprints and customer data.
The headlines roll in… The NYTimes breached by spear-phishing! Symantec AV fails to detect attackers! In an official press release, Symantec says, “Anti-virus software alone is not enough.” Later, the CEO of the incident response firm hired to respond to the NYtimes news goes to Bloomberg TV to say that these attacks are rampant and that the group responsible for the breach has been active in nearly 100 other organizations. In that same interview he says that the attack (spear-phishing) is not unique.
This sounds like the type of story PhishMe would pounce on and twist into an obvious sales pitch right? Security Technology Fail; Spear Phishing is “rampant” ergo you need the PhishMe training method to change employee behavior regarding email safety.
Well, brace yourselves. Abandoning technical controls and substituting it with just awareness training isn’t our message. Organizations shouldn’t and can’t give up security technologies. In fact, based on some of the good work security technology vendors have been doing, we have witnessed firsthand spearphishers changing their methods to cope with the ever-improving technologies that are doing their best to prevent breaches. (More about this later).
The NY Times had AV and it failed to prevent the breach. Does this mean that technical controls are worthless? Absolutely not. Technical controls like anti-virus, firewalls and intrusion prevention/detection all help tune out the noise we see with known problems. If the network defender spends their entire day chasing down nuisance attacks by lesser adversaries, how can they begin to focus on the more sophisticated problems?
To be clear, the PhishMe message isn’t to abandon traditional network defense and security technology. Our message is that even the best tech will have gaps, and the role your human assets play in defending the network cannot be dismissed. An educated user base is the best choice you can make when it comes to filling these gaps. With consistent and relevant training, the vulnerabilities that technical controls cannot patch will be protected by another layer of security. The real problem is that too many programs are designed to only rely on technical controls and feed useless information to users. Holistic information security is a balance between technical controls (both tried and true and bleeding edge) and IT consumers who understand their role in security. The latter has either been neglected for too long or inundated with information that is too technical or focused on items that don’t matter.
Would the NY Times be making headlines today if one of their staffers reported suspicious email based on training they received? We’ll never know.
With 2013 upon us, it will be a busy year at PhishMe, as we are already scheduled to appear at around 70 events. That means another year of heavy traveling for our sales and marketing team. While it’s definitely exciting to visit new places and introduce new people to PhishMe, as with anything else in life, there are risks involved. Does your organization have employees that travel frequently? If so, they are probably being targeted by phishers.
Employees that are constantly on-the-go receive a slew of emails confirming reservations and itineraries (we speak from experience), and are thus easy targets for phishers. For example, a busy employee has an upcoming flight and receives an email warning of a schedule change. A change could throw off the schedule for a critical meeting, so this email has appealed to emotion by threatening to disrupt important plans. From reading Twitter posts, the criminal knows what airline an employee is traveling on, and that the flight leaves early in the morning. From the airline’s website, the criminal can deduce the exact number of the flight the employee is taking. Perhaps this criminal even knows which conferences your employees are traveling to and which hotel chains your company uses, and can tweak an email to be very specific and accurate.
This threat is real, and major airlines have been warning customers. Delta Air Lines issued a warning to customers about a new phishing attack that claims the recipient has purchased a Delta ticket, a credit card has been charged, an invoice/receipt is attached to an email, or a website may offer free flights for following or liking an account.
US Airways has issued similar warnings, and American Airlines maintains a page with phishing warnings and tips for its customers, including examples of recent phishing emails (many of them appearing quite genuine) that customers had received. American’s page in particular, offers a great resource, but is skimming that page as effective as an immersive training exercise delivered to your employees’ inboxes?
By implementing a PhishMe program at your organization, you’ll empower your employees to recognize the signs of a phishing email, giving them the knowledge to properly react to those emails without slowing down their travel schedule or compromising your organization’s network.
Happy Day After Christmas everyone! Thankfully the world didn’t end last Friday, and we were able to finish the 12 Days of Phishless Christmas campaign. Hopefully you are spending today on the couch nursing your eggnog and Christmas cookie hangover, out at the mall returning that Cosby sweater your Aunt gave you, or getting ready to watch the Little Caesar’s Bowl.
At PhishMe, however, we are open for business, and today is a chance for us to recap our Phishless Christmas campaign, which, by all accounts was a smashing success. We’ve announced our 12 winners, and in all, we raised $600 for a variety of awesome charities.
Our winners from Day 7-12:
Day 7 @AbeNP
Day 8 @JaredMillertime
Day 9 @fiftypercent3s
Day 10 @AbeNP
Day 11 @sandybeachgirl
Day 12 @fiftypercent3s
Thanks to everyone for participating in the 12 Days of Phishless Christmas!
Stay tuned to PhishMe’s Twitter account for upcoming campaigns, and as always, insights into the ever-evolving nature of phishing and the security industry.
Scale from 1 to 10:
