|
|
 |
|
 |
|
Archive for the ‘Phishing’ Category
|
|
 |
|
 |
|
|
|
|
Tuesday, November 1st, 2011
What is it about? Simple, the poison ivy trojan wrapped in a password protected ZIP file so it can get past filtering. Symantec has an excellent analysis of these attacks in a paper titled: The Nitro Attacks: Stealing Secrets from the Chemical Industry by Eric Chien and Gavin O’Gorman. You can read the entire paper here.
“The most recent attacks focusing on the chemical industry are using password-protected 7zip files which, when extracted, contain a self-extracting executable. The password to extract the 7zip file is included in the email. This extra stage is used to prevent automated systems from extracting the self-extracting archive.”
Packing malicious code into ZIP file and including the password in the body of the email is fairly common spear phishing technique that has been going on for quite some time. In fact, we have specific training about this tactic available at PhishMe. Here is a small snip from our training about password protected ZIP files:
By now you may be aware of spear-phishing emails that contain malicious attachments. We have technology in place that scans email looking for malicious attachments, but it’s not foolproof. In this cat-and-mouse game, the bad guys are always looking for new ways to get past our safeguards.
 
One technique they use is placing the malicious attachment inside of a password protected ZIP file. It works like this: the attacker zips the malicious file, then puts the password for the ZIP file in the body of the email. They do this because they know our email security tools can’t see what is inside the protected ZIP file.
Existing PhishMe customers: If you haven’t gotten the message out to your people about spear phishing using password protected ZIP files, login to you account and check it out.
Future customers: You could be using our award winning solution right now to train people about this exact tactic.
stay safe,
Aaron Higbee
|
|
|
|
|
|
|
|
|
Friday, July 29th, 2011
There is a common spear phishing tactic that we help our PhishMe customers combat, and that is attackers using familiar names with fake free webmail accounts.
The attacker wants to break into Widget, Inc. The first thing they do is research Widget, Inc., looking business units who may have access to the information assets they are targeting. Once they have picked their target, they need familiar names to make their spear phish more enticing to the eventual victim.
They will pick a real name inside of Widget, Inc, that will serve as the From: line of the spear phishing email. Sometimes the attacker is smart enough to choose a name in a different office or time zone. This increases the likelihood that the victim won’t pop their head over the cubical wall and ask “did you just send me an email from your Gmail account?”
Once the phisher is satisfied they have a good name to impersonate, (e.g. Bob Dobolina) they will register bob.dobolina@gmail.com, (or hotmail, yahoo, etc…)
Armed with a new free email account that uses a familiar name, the phisher will send out their spear phish to the intended targets who may know or have heard of “Bob Dobolina.” This increases the chance that the victim will fall for the phish.
How does the attacker find the names needed to carry on this charade? Social networks and tools like Jigsaw and LinkedIn provide a wealth of information. (Head over to jigsaw.com right now and put your company name in.) You will see that piecing together the necessary information to effectively impersonate someone is quite easy.
Besides making your organization aware of this threat, what else can you do to protect yourself? How about creating fake personas? Ann Smith, Executive Assistant to the Director of Legal. But in this case, Ann Smith isn’t an executive assistant, instead, Ann Smith is an email alias that goes directly to your incident response and network monitoring team.
Stay Safe!
-Vanessa Bush
|
|
|
|
|
|
|
|
|
Thursday, June 9th, 2011
As the barrage of security breaches continues, Citigroup is the latest victim. This eWeek article: http://www.eweek.com/c/a/Security/Citigroup-Credit-Card-Portal-Breach-Compromises-200000-Customers-461930/ discusses the potential impact of this attack. One of the commentators brings up the topic of phishing Hannigan, the CEO of Q1 labs, rightly points out that “Security trust means more than just making sure you’re in compliance with regulations,”. On the other hand, some of the quotes, like that from Anup Ghosh, co-founder of Invincea has a blatant technology solution vendor bias. He discounts human intelligence when referring to customers in this quote – “it’s not reasonable to expect them to differentiate spear phishing attacks”. So technology can differentiate these attacks but humans can’t? The claim is baseless.
Having trained in excess of 1.8 million people using PhishMe, I can confidently say that training works! It’s how you train people that matters. Invincea has a solution to protect against malicious PDFs and one to isolate the browser to protect against malware, I guess. Even if we assume that they provide 100% protection in these domains, what about malicious files in other formats – .docx, .xlsx, .chm (and the list goes on)? How long do you think it would take one of my Intrepidus Group consultants to craft an attachment that would squeak past Invincea’s solution? (hint: not very long)
What about targeted attacks that solicit sensitive information? Sweeping claims by vendors are a disservice to our industry. The false sense of security they create by offering a solution that relies on a single approach or technology do more harm than good. Their customers feel at ease and think that the targeted phishing problem is solved by that shiny box with blinky lights. There is no panacea – defending against spear phishing needs a multi-pronged approach – education/training, technology at the mail server, technology at the end point…and even then the bad guys may succeed; but you’ve raised the bar!
|
|
|
|
|
|
|
|
|
Friday, April 22nd, 2011
With all of the media coverage on the recent flurry of successful phishing attacks targeting RSA, Epsilon’s clients and their customers, and Oak Ridge, it’s come to our attention that the fire hose of terms might leave some people confused. We thought it might be a good opportunity to explain what some of these terms are (and aren’t).
Phishing
Phishing essentially boils down to an adversary tricking a victim into doing something. Email is, by far, the most common medium used but others are certainly possible (snail mail, telephone calls, etc.).
A traditional consumer email phish is what most of us are familiar with. It will try to get the recipient to give-up their login credentials by displaying a fake login form that looks like a legitimate site. But sometimes the attacker only wants the user to click a link to exploit a security vulnerability in the recipient’s web browser or email client. And in the case of the attack on Oak Ridge, recipients were asked to open a specially crafted attachment which exploited a security vulnerability in the program used to open it. If you’re not familiar with these, go check out PhishTank.
Spear-Phishing
Many people think that “spear-phishing” and “phishing” are interchangeable; not true!
A spear-phisher has done their homework to create a targeted attack. They’re sending baited emails to specific individuals (or, a very small group of individuals — like the accounting department, for example).
This could be as simple as including the targeted company’s logo in the email and fake login page. Or it could be as sophisticated as sending an email that appears to come from an individual who actually works at the company about a topical subject (“Hi John – Please complete and return this form to enroll you and your family in the new health care program that President Smith talked about at last month’s all-hands. Thanks! –Sally Jones”).
The spear-phishing label had been mostly reserved for enterprises. But now with the Epsilon breach, consumers will likely start receiving more tailored and targeted phishing scams. So we won’t cringe as much when people confuse phishing and spear-phishing because the line is getting blurred.
Advanced Persistent Threat (APT)
This term is getting thrown around a lot lately. A lot.
There is quite a bit of disagreement in the information security community as to the “correct” definition of an APT. Some people feel it is a “who” (for example, China and/or Russia), some think it’s a “what” (a hacking incident that meets certain, sometimes subjective, criterion), while other people believe it’s a marketing gimmick or an excuse as to why an adversary was successful. When we think of APT at PhishMe, we focus on the “persistent” part: the realization that an organization now has to do business despite the fact they have bad guys inside of their network, and there is a good chance they will NEVER be able to fully rid themselves of this threat. Since the attackers are, by definition “advanced”, they are able to maintain a persistent foothold in an organization.
Unfortunately the misuse of the term APT presents a marketing challenge for us. When people talk about APT, spear-phishing naturally enters into the conversation. The reason is simple, attackers need to break in first before they can become a “ persistent threat”. And it’s no surprise that they are getting in via well-crafted spear-phishing emails. So while spear-phishing is the attack vector that leads to APT, APT is the ugly fact that you may never find a cure to get rid of your persistent threat. People seem to agree with this part of the APT definition, but it seems most technology vendors have successfully been able to re-write the definition of APT to be a convenient scapegoat for anything that circumvented their “bullet proof” technology.
Post Sales Engineer: “Did you have it configured in super-duper-malware analyze mode? .. You did? and you still got owned? Well, it was an APT, what do you expect from us!@# – click”
If our message gets lost in the APT marketing noise, then accept our humble apology in advance for “can’t-beat-em-join-em” regarding the misuse of the term APT in future marketing initiatives.
Fortunately, it’s possible to thwart a spear phishing attack …before it gets Advanced or Persistent.
Cheers!
Doug Hagen
|
|
|
|
|
|
|
|
|
Monday, April 18th, 2011
Most of you have probably heard about the “RSA hack” by now. It was hot news three weeks ago when an employee at RSA fell prey to a targeted phishing attack as explained in this blog post: http://blogs.rsa.com/rivner/anatomy-of-an-attack/ . A couple of issues highlighted in this article really caught my attention.
The article states – “These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in. What does that tell you?“. That tells me that technology by-itself is not the answer to combating spear phishing attacks, it’s also about training the end user to get better at how to be suspicious. Don’t get me wrong, I don’t think education is a silver bullet, but it’s more effective than filters and shiny, blinking boxes. I like technologies that give the human another piece of trusted information they can use to evaluate the authenticity of an email. One example is Iconix’s SP Guard. We trained over 1.5 million (using PhishMe). The results show that perioidic training that immersed the subjects in the concept through mock phishing was successful in bringing down susceptibility rates in excess of 60% on average within a few months.
The article aslo discussed how the attackers targeted employees that “ you wouldn’t consider…particularly high profile or high value targets.” There’s a lesson here; security awareness programs should not focus only on executives and systems administrators, but on the entire organization. “Low profile” employees can severely undermine the organization’s assets too, just through a couple of clicks.
Oh yes, and finally, the phishing email was caught by the email client’s junk filter; the victim went out of their way to retrieve the email into the inbox and act on it.
IMHO, end-point security technologies are to phishing attacks (or *APTs) what radars are to a stealth bomber.
Rohyt Belani
*APT term used facetiously 
|
|
|
|
|
|
|
|
|
Thursday, April 14th, 2011
Q: When did it start?
A: We started building early prototypes of PhishMe in 2007, had beta customers in the first part of 2008 and paying customers later that year.
Q: What is it?
A: PhishMe is a subscription to use the PhishMe infrastructure to facilitate the most effective and memorable spear phishing awareness training around.
Organizations pay for a one year license based on the number of people to be trained, to send as many spear phishing training campaigns as they see fit. It replicates Click-Only, Data Entry, and Attachment based spear phishing attacks. We provide stories and themes to get people started, but subscribers are welcome to craft their own. Subscribers manage recipient groups, pick their phishing themes, and customize the education message that is presented to anybody that falls for the phish. It also helps them keep track of who reported the spear phishing email and reward staff for reporting suspicious emails. Detailed reports show how effective the training is. Subscribers can then select multiple campaigns to build trend reports. Using PhishMe allows organizations to see real measurable results in awareness improving, using the trend reporting that is provided.
Spear phishing awareness training isn’t a one-and-done event. There are different types of spear phishing attacks and humans need reminders that it doesn’t matter what position they hold in the organization, everyone is a valuable target for a spear phisher.
Q: Who buys PhishMe subscriptions?
A: Organizations that have been Phished multiple times.
It’s extremely frustrating for organizations that own every type of end-point-security product and appliance and have rigorous proactive patching and anti-virus to still get compromised via a spear phishing email. Their vendors tell them if you buy magic heuristic -cloud-malware appliance X, it will solve their phishing problem. How does one write a signature for an email that sends a user to a website that simply asks the victim for their username and password? The truth that the security product vendors don’t want to admit: they can’t. When an organization has an 8 person IR team onsite billing $300hr, looking over at that rack of failed security products is demoralizing. Faced with these circumstances, sending spear phishing emails to the workforce as a means to deliver awareness education about spear phishing stops sounding like a crazy idea.
Q: Who else buys PhishMe?
A: Organizations replacing their own homegrown solution.
Organizations who know they need to do this and have made attempts to build their own solution, but have learned through experience conducting these exercises in a safe controlled manner isn’t as simple as it sounds. What if the recipient is on IE6? Will your page render? What if they open it from a BlackBerry or iPhone? Will their scripts still be able to record the results? What if the end user forwards the training exercise on to digg, slasldot, redditt? You don’t want to be headline news like the Air Force was with their uncontrolled attempt: http://www.networkworld.com/news/2010/043010-us-air-force-phishing-test.html Many PhishMe customers transition from their own solution to PhishMe because it’s easier, safer, and has better reporting.
Q: Anybody else?
A: Consulting organizations buy professional services licenses to conduct training exercises on behalf of their clients.
Q: Any changes over time?
A: In 2009 and 2010 we saw a shift in our inbound sales.
The word “Phishing” often conjures thoughts about consumer related phishing scams aimed at getting financial information or information that could facilitate identity theft. In the past two years, the differentiation between spear phishing targeting specific actors in an organization vs. consumer phishing is more well-known. We began getting inbounds by customers who were aware they needed to proactively address spear phishing, if not from their own experience, from reading about it in trade publications or talking with industry colleagues who were combating the problem. Still, to this day, the majority of inbound sales leads come from companies who have been compromised via spear phishing. Stories like the RSA breach just help make it more acceptable to disclose “yes, we were compromised by hilarious pictures of cats”.
Organizations don’t need to sit around and wonder if they have a spear phishing problem. They can find out how bad the problem is and do something about it.
Aaron Higbee
|
|
|
|
|
|
|
|
|
Thursday, April 14th, 2011
Trusteer recently released a study containing the results of a spear phishing test against 100 LinkedIn users. Their findings had a 68% failure rate. While a 68% failure rate seems high, it is not an unusual number for a group that has received no prior education or training in how to spot phishing – or at least training that is meant to be effective. We know this based on having sent well over a million spear phishing emails to employees of corporations across multiple industry verticals. Trusteer, a company that specializes in the creation of information security software products, stated in this article that the only real solution is a technological one. We wholeheartedly disagree. These are numbers that we have seen time and again; Numbers that we consistently reduce through education via periodic training exercises that immerse the recipient in the experience.
There are many characteristics of this test done by Trusteer that would cause anyone with a basic understanding of testing methodologies and statistics to stand up and take notice. Firstly, the test was conducted with no real prior education to the users; this would make a good baseline, but only if you then provided training to the same users and ran the test again later to measure the difference the training made. Trusteer did not do this. In fact, Trusteer by their own admission hand-picked the recipients from a pool of friends and family. Their claims of vetting this list to ensure that it contained people who “it estimated to be fairly educated about security” must be taken at best with a grain of salt. Secondly, this test was conducted on a very small pool of people – we don’t believe the sample set is large enough or diverse enough to make a sweeping statement. While we can agree with their claims of Social Engineering making it “easy to drive corporate users to fake websites that could potentially download malware onto their computer”, it is the way they draw the conclusion, their methodology, and the claims that only a technological solution is the answer, that we take issue with.
Social engineering is a human issue that evolves around technical controls. Convincing someone to click a link or download a piece of malware is just a twist on the same methods used by grifters and con men for hundreds of years. As long as someone is unaware, there will always be someone to take advantage of them.
It is time we face the simple truth – there is no magic box that will solve spear phishing. We can’t continue to let the end-user believe that if something made it into their inbox, then it must be ok. We need to proactively teach people to be suspicious.
Mac McCrory
|
|
|
|
|
|
|
|
|
Wednesday, March 24th, 2010
We currently don’t have this blog indexed on our www.phishme.com website but will at a future date when we give it a bit of an overhaul. Late last year we decided to split our post activity into two blogs.
From now on, posts about general infosec, mobile security, and our consulting practice will be kept at http://intrepidusgroup.com/insight 
This blog, when we resurrect it, will stick to phishing related posts.
Some other new additions include:
An Intrepidus Group managed delicious bookmark feed: http://delicious.com/intrepidusgroup
A PhishMe youtube channel: http://www.youtube.com/phishme
A PhishMe Twitter account: http://twitter.com/phishme
A IntrepidusGroup Twitter account: http://twitter.com/intrepidusgroup
That’s it for now! Sorry about the long lapse in posts here… but I promise you, PhishMe has been busy. We’ve helped organizations send over 1 million phishing training emails to date. Whew!
Aaron Higbee
CTO
|
|
|
|
|
|
