Last week I attended the Educause Security Professionals Conference 2012 in Indianapolis Indiana and was lucky enough to co-present with Emory University to discuss the phishing problems higher education face. This event had an entire track devoted to Awareness & Training and of course a major topic for discussion was phishing.
Anatomy of a vulnerability based phishing attack
This week SC Magazine named the Chrome vulnerabilities the Threat of the month. So, how would an attacker use this vulnerability in a spear phishing scam you ask?
They know their audience
Advanced threats know who they want to target, it doesn’t matter that your Skype handle is @kukubunga998 – they know you work for the organization they are targeting. They also deduce (the same way a marketer does) that you are a Chrome user, or that you have it installed for some reason or another. They know that your organization is big on BYOD but still has IE 9 as it’s default browser (ie. they may not be paying attention to Chrome).
They set the trap
It could be “Critical Chrome Update required”, or “Click here to view the best new twitter app” or “best new home brew formulas” – again they know you, the email will be crafted to you, not to the person in the cube next to you.
You follow the link, phew you are using IE! Do you really think they didn’t think about this already? The page says “We’re sorry, our application only works with Google Chrome, please reopen this page in Google Chrome or click here to download it”. You do as instructed because it is Google Chrome, the best and most secure browser on the interwebs, right? Poof – you’re owned, best part is that you don’t know it – they follow through on the promise that the email made, you are none the wiser and now you, your personal data, and your organization’s data are at risk.
Seems a bit too easy, right? Protect yourself, protect your customers and protect your organization – knowledge is power (Sir Francis Bacon).