2011 – The year of spear phishing And spear phishing

spearphish vs spearphish

spear phish vs. spear phish

An odd title for a blog post, but it is something that has been on my mind for a while now. We get a fair number of media requests for comments or perspective on phishing stories. This is a good thing; it's nice to have recognition in your field. Of course, 2011 had no shortage of phishing-related news. (What's up, RSA? I'm looking at you. I've noticed you visit our website a lot. How about a demo? Couldn't hurt.)

Spear Phishing with Password Protected Zip Files

The Slashdot headline this morning reads: Spear Phishing Campaign Hits Dozens of Chemical, Defense Firms

What is it about? Simple: the Poison Ivy trojan wrapped in a password-protected ZIP file so it can get past filtering. Symantec has an excellent analysis of these attacks in a paper titled The Nitro Attacks: Stealing Secrets from the Chemical Industry, by Eric Chien and Gavin O'Gorman. You can read the entire paper here.

“The most recent attacks focusing on the chemical industry are using password-protected 7zip files which, when extracted, contain a self-extracting executable. The password to extract the 7zip file is included in the email. This extra stage is used to prevent automated systems from extracting the self-extracting archive.”

Packing malicious code into a ZIP file and including the password in the body of the email is a fairly common spear phishing technique that has been going on for quite some time. In fact, we have specific training about this tactic available at PhishMe. Here is a small snip from our training about password-protected ZIP files:

By now you may be aware of spear-phishing emails that contain malicious attachments.  We have technology in place that scans email looking for malicious attachments, but it’s not foolproof.  In this cat-and-mouse game, the bad guys are always looking for new ways to get past our safeguards.
One technique they use is placing the malicious attachment inside of a password-protected ZIP file. It works like this: the attacker zips the malicious file, then puts the password for the ZIP file in the body of the email. They do this because they know our email security tools can't see what is inside the protected ZIP file.
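As an added example (this is not PhishMe's code, and not from the Symantec paper), here is the check a mail gateway can still make when it cannot see inside the archive. The training snippet above and the Nitro excerpt describe the same move: an encrypted archive plus a password handed over in the message body. The ZIP central directory is never encrypted, so the per-member encryption flag is readable without the password, and a 7z archive can at least be recognised by its magic bytes and treated as opaque rather than passed silently. Pairing an opaque archive with a password in the body is the signal. The sender, file names and message text are constructed sample data, and the regex for password hints is a simple heuristic, not a production rule.

```python
"""Flag e-mails that pair an opaque (encrypted or uninspectable) archive with a
password in the message body. Added example, not PhishMe code; all sample data
is constructed inline."""
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Public format constants: ZIP local/central header signatures, 7z magic.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_CENTRAL_HEADER = b"PK\x01\x02"
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"

# Heuristic for "password is X", "Password: X", "passcode is X" in the body.
PASSWORD_HINT = re.compile(r"\b(password|passcode|passphrase)\b\s*(is|:)\s*\S+", re.I)


def zip_has_encrypted_members(data: bytes) -> bool:
    """True if any member sets bit 0 (encryption) of its general-purpose flag.

    The flag lives in the central directory, which is never encrypted, so a
    gateway can see *that* members are encrypted even though it cannot see
    *what* they contain."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(zi.flag_bits & 0x1 for zi in zf.infolist())
    except zipfile.BadZipFile:
        return False


def body_mentions_password(msg: EmailMessage) -> bool:
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return PASSWORD_HINT.search(text) is not None


def assess_message(raw: bytes) -> dict:
    """Report attachments the scanner cannot look inside and whether the body
    hands the recipient a password; the combination is what gets flagged."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    opaque = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(SEVEN_ZIP_MAGIC):
            # Nitro used password-protected 7z. This scanner does not parse 7z,
            # so the archive is treated as opaque instead of silently passing.
            opaque.append((name, "7z archive (not inspected)"))
        elif payload.startswith(ZIP_LOCAL_HEADER) and zip_has_encrypted_members(payload):
            opaque.append((name, "ZIP with encrypted members"))
    password = body_mentions_password(msg)
    return {
        "opaque_attachments": opaque,
        "password_in_body": password,
        "suspicious": bool(opaque) and password,
    }


# --- constructed sample data -------------------------------------------------

def make_sample_zip(encrypted_flag: bool) -> bytes:
    """Build a one-member ZIP. The stdlib cannot write encrypted ZIPs, so for
    the 'encrypted' sample bit 0 of the flag field is set by hand in both the
    local header (offset 6) and the central-directory entry (offset 8). The
    payload stays in the clear; only the flag changes, which is all the
    detector looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.exe", b"MZ constructed placeholder, not a real binary")
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        data[data.find(ZIP_LOCAL_HEADER) + 6] |= 0x1
        data[data.find(ZIP_CENTRAL_HEADER) + 8] |= 0x1
    return bytes(data)


def build_sample_email(archive: bytes, body: str) -> bytes:
    """Constructed lure: addresses, subject and body are made up."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Updated invoice"
    msg.set_content(body)
    msg.add_attachment(archive, maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample_email(make_sample_zip(True),
                              "Please review the attached invoice. The password is Inv0ice2011.")
    benign = build_sample_email(make_sample_zip(False),
                                "Please review the attached invoice.")
    print(assess_message(lure))    # suspicious: True
    print(assess_message(benign))  # suspicious: False
```

The point of the split result is that either signal alone is weak: plenty of legitimate mail carries encrypted archives, and plenty mentions passwords. Quarantining or routing for human review only when both appear keeps the rule usable, and the 7z branch shows the honest answer when the format is one the gateway cannot parse.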
 
Existing PhishMe customers: If you haven't gotten the message out to your people about spear phishing using password-protected ZIP files, log in to your account and check it out.
 

Future customers: You could be using our award-winning solution right now to train people about this exact tactic.

stay safe,

Aaron Higbee