This week SC Magazine named  the Chrome vulnerabilities the Threat of the month.  So, how would an attacker use this vulnerability in a spear phishing scam you ask?

They know their audience

Advanced threats know who they want to target, it doesn’t matter that your Skype handle is @kukubunga998 – they know you work for the organization they are targeting.  They also deduce (the same way a marketer does) that you are a Chrome user, or that you have it installed for some reason or another.  They know that your organization is big on BYOD but still has IE 9 as it’s default browser (ie. they may not be paying attention to Chrome).

They set the trap

It could be “Critical Chrome Update required”, or “Click here to view the best new twitter app” or “best new home brew formulas” – again they know you, the email will be crafted to you, not to the person in the cube next to you.

You respond

You follow the link, phew you are using IE!  Do you really think they didn’t think about this already?  The page says “We’re sorry, our application only works with Google Chrome, please reopen this page in Google Chrome or click here to download it”.  You do as instructed because it is Google Chrome, the best and most secure browser on the interwebs, right?  Poof – you’re owned, best part is that you don’t know it – they follow through on the promise that the email made, you are none the wiser and now you, your personal data, and your organization’s data are at risk.

Seems a bit too easy, right?  Protect yourself, protect your customers and protect your organization – knowledge is power (Sir Francis Bacon).

spear phish vs. spear phish

An odd title for a blog post but something that has been on my mind for a while now. We get a fair amount media requests for comments or perspective on phishing stories.  This is a good thing. It’s nice to have recognition in your field. Of course 2011 was no shortage of phishing related news. (What’s up RSA, I’m looking at you. I’ve noticed you frequent our website a lot. How about a demo. Couldn’t hurt?)

In 2011, the term “spear-phishing” shifted gears a bit. Once reserved to define highly targeted and personalized  email attacks against organizations, the taxonomy of phishing is changing again.  The term spear-phishing being applied to consumer/fraud/ based phishing.

First, some of the defacto high profile spear-phishing events in 2011:

• RSA
• Nitro spear phishing
• Mitsubishi Heavy Industries

But something new has been brewing. Massive data breaches of big consumer organizations with millions of users became more common place. It first started with the Epsilon compromise, then we had Sony, and now the Steam breach putting 35 million gamers at risk.

As the trade journalists made the rounds, the security experts commenting talked about how these data breaches will lead to more spear-phishing incidents of consumers. What they mean by that is instead of the consumer Bob receiving a generic phish:

“Dear Citibank Member,

There is something wrong with your account. Please read the attached statement to verify charges.”

Attackers can now cobble a bit of personal information into the phishing email to make the bait look more believable: (See Pretexting: Wikipedia )

“Dear Bob Dobolina,

I ran into a mutual friend of ours in Charleston SC,. He said you were into video games. Check this out …..”

Ok, I’ll tip my hat to the use of some personalized information somewhat resembling what we’ve been calling a spear phish.  But this is in no way resembles the effort and sophistication used by advanced threats against our most trusted institutions.  They are facing attackers armed with department names, locations, org charts, contract names,  names of sub-contractors, and whatever else they can scrape together to increase the chances of a successful mission.

I chose the word mission for a reason. The  first of its kind DARPA meeting last week a stone’s throw away from the PhishMe offices started to cast light in not-so-vague terms about what organizations have been dealing with for quite some time.

Spear Phishing v.s Spear Phishing. There is a difference.

Aaron Higbee

p.s. Don’t even get me started on whaling.

What is it about? Simple, the poison ivy trojan wrapped in a password protected ZIP file so it can get past filtering.  Symantec has an excellent analysis of these attacks in a paper titled: The Nitro Attacks: Stealing Secrets from the Chemical Industry by Eric Chien and Gavin O’Gorman.  You can read the entire paper here.

“The most recent attacks focusing on the chemical industry are using password-protected 7zip files which, when extracted, contain a self-extracting executable. The password to extract the 7zip file is included in the email. This extra stage is used to prevent automated systems from extracting the self-extracting archive.”

By now you may be aware of spear-phishing emails that contain malicious attachments.  We have technology in place that scans email looking for malicious attachments, but it’s not foolproof.  In this cat-and-mouse game, the bad guys are always looking for new ways to get past our safeguards.

  

One technique they use is placing the malicious attachment inside of a password protected ZIP file. It works like this:  the attacker zips the malicious file, then puts the password for the ZIP file in the body of the email. They do this because they know our email security tools can’t see what is inside the protected ZIP file.

 

Existing PhishMe customers:  If you haven’t gotten the message out to your people about spear phishing using password protected ZIP files, login to you account and check it out.

 

Future customers:  You could be using our award winning solution right now to train people about this exact tactic.

stay safe,

Aaron Higbee

Like many high-profile events, the passing of Apple’s co-founder and former CEO, Steve Jobs, has initiated a slew of new phishing attacks that are designed to play on recipients’ emotions about the event.  Steve Jobs and Apple themed phishing campaigns are in the wild but more concerning are the spear phishing attacks targeting iPhone users.  PhishMe understands how these events can adversely affect our customers therefore we have released a new phishing simulation theme designed to train susceptible users on how to identify and avoid current event based attacks.

-Scott

Once thought of as a threat that could be mitigated simply by an email filter solution, phishing (and now more importantly, spear phishing) has evolved to such a sophisticated level that technical controls are no longer effective in differentiating well-crafted and targeted emails from legitimate ones.  This leaves employees as the last line of defense which is highlighting the need for improved education. The challenge for many security IT professionals is that they have little time to develop programs that provide effective education and reduce the risk to their organization. While many companies indicate they have an awareness program, they also indicate that they lack consistency and content.  This awareness model does little to increasing their employees’ awareness or change their behavior.

Organizations with mature awareness programs attribute their success to a mix of periodic communications and structured training that provide immediate, informative and relevant awareness content to employees. The inline awareness saves both time and resources and targets training to those who need it most. At PhishMe we encourage our customers to conduct sanctioned simulated phishing exercises. This allows organizations to identify where targeted education should be directed and offers the ability to provide immediate education.

There are several different ways PhishMe works with our clients to improve overall employee awareness including online games, tutorials, custom training and awareness program consultation.  In the end it comes down to striking the right balance between content and repetition for your enterprise.  Having trained over 2 million users to date our customers have seen how consistent training can raise awareness and reduce the risk of employees falling victim to phishing attacks by up to 80 percent.

If we are in your area, we welcome you to come speak with us at an upcoming event!

The PhishMe Team

The attacker wants to break into Widget, Inc.  The first thing they do is research Widget, Inc., looking business units who may have access to the information assets they are targeting.  Once they have picked their target, they need familiar names to make their spear phish more enticing to the eventual victim.

They will pick a real name inside of Widget, Inc, that will serve as the From: line of the spear phishing email. Sometimes the attacker is smart enough to choose a name in a different office or time zone. This increases the likelihood that the victim won’t pop their head over the cubical wall and ask “did you just send me an email from your Gmail account?”

Once the phisher is satisfied they have a good name to impersonate, (e.g. Bob Dobolina) they will register bob.dobolina@gmail.com, (or hotmail, yahoo, etc…)

Armed with a new free email account that uses a familiar name, the phisher will send out their spear phish to the intended targets who may know or have heard of “Bob Dobolina.” This increases the chance that the victim will fall for the phish.

How does the attacker find the names needed to carry on this charade?  Social networks and tools like Jigsaw and LinkedIn provide a wealth of information. (Head over to jigsaw.com right now and put your company name in.) You will see that piecing together the necessary information to effectively impersonate someone is quite easy.

Besides making your organization aware of this threat, what else can you do to protect yourself? How about creating fake personas?  Ann Smith, Executive Assistant to the Director of Legal.  But in this case, Ann Smith isn’t an executive assistant, instead, Ann Smith is an email alias that goes directly to your incident response and network monitoring team.

Stay Safe!

-Vanessa Bush

To help companies better understand the importance of spear phishing penetration testing and the valuable education opportunities they provide an organization, PhishMe is hosting a webinar on July 7, 2011, Spear Phishing Pentests: A Wasted Opportunity. As PhishMe co-founder and CTO, I will be conducting the webinar and drawing on my years of experience to address the misconceptions of ethical-hacking focused penetration testing, while outlining the best practices for conducting and assessing mock spear phishing attacks.



At PhishMe we focus on educating users on the best ways to protect themselves from the latest scams – helping them understand that regardless of how good an anti-virus solution or firewall is, phishing attacks are designed to get around them. Online criminals understand that the best way into a network is to get invited in, not scanning thousands of ports hoping for a crack in the armor. With nearly 2 million users trained, we have proven that proper use of mock phishing and targeted education campaigns can reduce an employee’s susceptibility to an attack by over 80percent. This number increases even further with continued training.

If you are an organization who is thinking about performing a spear phishing penetration test, join me on July 7, 2011 to learn just how easily you can ensure your organization’s safety against the growing threat of spear phishing attacks. To register for the free webinar, please click here: Spear Phishing Pentests: A Wasted Opportunity.

Kindly,

Aaron Higbee, Co-Founder and CTO, PhishMe

Having trained in excess of 1.8 million people using PhishMe, I can confidently say that training works! It’s how you train people that matters. Invincea has a solution to protect against malicious PDFs and one to isolate the browser to protect against malware, I guess. Even if we assume that they provide 100% protection in these domains, what about malicious files in other formats – .docx, .xlsx, .chm (and the list goes on)?  How long do you think it would take one of my Intrepidus Group consultants to craft an attachment that would squeak past Invincea’s solution? (hint: not very long)

What about targeted attacks that solicit sensitive information? Sweeping claims by vendors are a disservice to our industry. The false sense of security they create by offering a solution that relies on a single approach or technology do more harm than good. Their customers feel at ease and think that the targeted phishing problem is solved by that shiny box with blinky lights. There is no panacea – defending against spear phishing needs a multi-pronged approach – education/training, technology at the mail server, technology at the end point…and even then the bad guys may succeed; but you’ve raised the bar!

Phishing

Phishing essentially boils down to an adversary tricking a victim into doing something. Email is, by far, the most common medium used but others are certainly possible (snail mail, telephone calls, etc.).

A traditional consumer email phish is what most of us are familiar with. It will try to get the recipient to give-up their login credentials by displaying a fake login form that looks like a legitimate site. But sometimes the attacker only wants the user to click a link to exploit a security vulnerability in the recipient’s web browser or email client.  And in the case of the attack on Oak Ridge, recipients were asked to open a specially crafted attachment which exploited a security vulnerability in the program used to open it. If you’re not familiar with these, go check out PhishTank.

Spear-Phishing

Many people think that “spear-phishing” and “phishing” are interchangeable; not true!

A spear-phisher has done their homework to create a targeted attack. They’re sending baited emails to specific individuals (or, a very small group of individuals — like the accounting department, for example).

This could be as simple as including the targeted company’s logo in the email and fake login page.  Or it could be as sophisticated as sending an email that appears to come from an individual who actually works at the company about a topical subject (“Hi John – Please complete and return this form to enroll you and your family in the new health care program that President Smith talked about at last month’s all-hands.  Thanks!  –Sally Jones”).

The spear-phishing label had been mostly reserved for enterprises. But now with the Epsilon breach, consumers will likely start receiving more tailored and targeted phishing scams. So we won’t cringe as much when people confuse phishing and spear-phishing because the line is getting blurred.

Advanced Persistent Threat (APT)

This term is getting thrown around a lot lately. A lot.

There is quite a bit of disagreement in the information security community as to the “correct” definition of an APT. Some people feel it is a “who” (for example, China and/or Russia), some think it’s a “what” (a hacking incident that meets certain, sometimes subjective, criterion), while other people believe it’s a marketing gimmick or an excuse as to why an adversary was successful. When we think of APT at PhishMe, we focus on the “persistent” part:  the realization that an organization now has to do business despite the fact they have bad guys inside of their network, and there is a good chance they will NEVER be able to fully rid themselves of this threat.  Since the attackers are, by definition “advanced”, they are able to maintain a persistent foothold in an organization.

Unfortunately the misuse of the term APT presents a marketing challenge for us.   When people talk about APT, spear-phishing naturally enters into the conversation.  The reason is simple, attackers need to break in first before they can become a “ persistent threat”.  And it’s no surprise  that they are getting in via well-crafted spear-phishing emails. So while spear-phishing is the attack vector that leads to APT, APT is the ugly fact that you may never find a cure to get rid of your persistent threat.  People seem to agree with this part of the APT definition, but it seems most technology vendors have successfully been able to re-write the definition of APT to be a convenient scapegoat for anything that circumvented their “bullet proof” technology.

Post Sales Engineer: “Did you have it configured in super-duper-malware analyze mode? .. You did? and you still got owned? Well, it was an APT, what do you expect from us!@# – click”

If our message gets lost in the APT marketing noise, then accept our humble apology in advance for “can’t-beat-em-join-em” regarding the misuse of the term APT in future marketing initiatives.

Fortunately, it’s possible to thwart a spear phishing attack  …before it gets Advanced or Persistent.

Cheers!

Doug Hagen

The article states – “These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in. What does that tell you?“.  That tells me that technology by-itself is not the answer to combating spear phishing attacks, it’s also about training the end user to get better at how to be suspicious. Don’t get me wrong, I don’t think education is a silver bullet, but it’s more effective than filters and shiny, blinking boxes.  I like technologies that give the human another piece of trusted information they can use to evaluate the authenticity of an email. One example is Iconix’s SP Guard. We trained over 1.5 million (using PhishMe). The results show that perioidic training that immersed the subjects in the concept through mock phishing  was successful in bringing down susceptibility rates in excess of 60% on average within a few months.

The article aslo discussed how the attackers targeted employees that “ you wouldn’t consider…particularly high profile or high value targets.” There’s a lesson here; security awareness programs should not focus only on executives and systems administrators, but on the entire organization. “Low profile” employees can severely undermine the organization’s assets too, just through a couple of clicks.

Oh yes, and finally, the phishing email was caught by the email client’s junk filter; the victim went out of their way to retrieve the email into the inbox and act on it.

IMHO, end-point security technologies are to phishing attacks (or *APTs) what radars are to a stealth bomber.

Rohyt Belani

*APT term used facetiously