It’s been an excellent year for us all here at PhishMe, and to celebrate the holidays and give thanks, we’re giving our followers a chance to earn money for charity through what we are calling the 12 Days of Phishless Christmas. Starting Friday, December 14, and continuing each day until Christmas Day, we’ll be tweeting every day with a new opportunity for our followers to win a donation to charity in their name.
If you’re like me, then the idea of fighting the midnight crowds on Black Friday holds limited appeal, even if it means getting an 80% discount on a big screen TV. But thanks to Cyber Monday, people can get ridiculous deals without peeling themselves away from their computers – or offices.
With emotions running high during election season, an email with the name Romney or Obama in the subject line could make even an experienced user click on a malicious link. Spammers are taking advantage of the Presidential election buzz and using malware-laden emails to target users. Many of these emails don’t have any visible consequences, so users may not even realize when malware is infiltrating their personal computers or mobile devices. But what about the potential danger this malware can bring into your workplace from these spear phishing scams?
Anatomy of a vulnerability based phishing attack
This week SC Magazine named the Chrome vulnerabilities the Threat of the month. So, how would an attacker use this vulnerability in a spear phishing scam you ask?
They know their audience
Advanced threats know who they want to target, it doesn’t matter that your Skype handle is @kukubunga998 – they know you work for the organization they are targeting. They also deduce (the same way a marketer does) that you are a Chrome user, or that you have it installed for some reason or another. They know that your organization is big on BYOD but still has IE 9 as it’s default browser (ie. they may not be paying attention to Chrome).
They set the trap
It could be “Critical Chrome Update required”, or “Click here to view the best new twitter app” or “best new home brew formulas” – again they know you, the email will be crafted to you, not to the person in the cube next to you.
You follow the link, phew you are using IE! Do you really think they didn’t think about this already? The page says “We’re sorry, our application only works with Google Chrome, please reopen this page in Google Chrome or click here to download it”. You do as instructed because it is Google Chrome, the best and most secure browser on the interwebs, right? Poof – you’re owned, best part is that you don’t know it – they follow through on the promise that the email made, you are none the wiser and now you, your personal data, and your organization’s data are at risk.
Seems a bit too easy, right? Protect yourself, protect your customers and protect your organization – knowledge is power (Sir Francis Bacon).
What is it about? Simple, the poison ivy trojan wrapped in a password protected ZIP file so it can get past filtering. Symantec has an excellent analysis of these attacks in a paper titled: The Nitro Attacks: Stealing Secrets from the Chemical Industry by Eric Chien and Gavin O’Gorman. You can read the entire paper here.
“The most recent attacks focusing on the chemical industry are using password-protected 7zip files which, when extracted, contain a self-extracting executable. The password to extract the 7zip file is included in the email. This extra stage is used to prevent automated systems from extracting the self-extracting archive.”
Packing malicious code into ZIP file and including the password in the body of the email is fairly common spear phishing technique that has been going on for quite some time. In fact, we have specific training about this tactic available at PhishMe. Here is a small snip from our training about password protected ZIP files:
Future customers: You could be using our award winning solution right now to train people about this exact tactic.
Like many high-profile events, the passing of Apple’s co-founder and former CEO, Steve Jobs, has initiated a slew of new phishing attacks that are designed to play on recipients’ emotions about the event. Steve Jobs and Apple themed phishing campaigns are in the wild but more concerning are the spear phishing attacks targeting iPhone users. PhishMe understands how these events can adversely affect our customers therefore we have released a new phishing simulation theme designed to train susceptible users on how to identify and avoid current event based attacks.
Phishing has always been a challenge for companies, but in recent months high profile breaches have cast a bright light on a more pressing aspect of the phishing threat – user awareness; or the lack there of! The reason phishing attacks are so effective is because most employees have a basic level of phishing awareness. Companies attending recent events such as Black Hat and SANSFIRE, reiterate a common theme; “we need more effective ways to increase our employees’ awareness to help minimize the success of phishing attacks.”
Once thought of as a threat that could be mitigated simply by an email filter solution, phishing (and now more importantly, spear phishing) has evolved to such a sophisticated level that technical controls are no longer effective in differentiating well-crafted and targeted emails from legitimate ones. This leaves employees as the last line of defense which is highlighting the need for improved education. The challenge for many security IT professionals is that they have little time to develop programs that provide effective education and reduce the risk to their organization. While many companies indicate they have an awareness program, they also indicate that they lack consistency and content. This awareness model does little to increasing their employees’ awareness or change their behavior.
Organizations with mature awareness programs attribute their success to a mix of periodic communications and structured training that provide immediate, informative and relevant awareness content to employees. The inline awareness saves both time and resources and targets training to those who need it most. At PhishMe we encourage our customers to conduct sanctioned simulated phishing exercises. This allows organizations to identify where targeted education should be directed and offers the ability to provide immediate education.
There are several different ways PhishMe works with our clients to improve overall employee awareness including online games, tutorials, custom training and awareness program consultation. In the end it comes down to striking the right balance between content and repetition for your enterprise. Having trained over 2 million users to date our customers have seen how consistent training can raise awareness and reduce the risk of employees falling victim to phishing attacks by up to 80 percent.
If we are in your area, we welcome you to come speak with us at an upcoming event!
The PhishMe Team
There is a common spear phishing tactic that we help our PhishMe customers combat, and that is attackers using familiar names with fake free webmail accounts.
The attacker wants to break into Widget, Inc. The first thing they do is research Widget, Inc., looking business units who may have access to the information assets they are targeting. Once they have picked their target, they need familiar names to make their spear phish more enticing to the eventual victim.
They will pick a real name inside of Widget, Inc, that will serve as the From: line of the spear phishing email. Sometimes the attacker is smart enough to choose a name in a different office or time zone. This increases the likelihood that the victim won’t pop their head over the cubical wall and ask “did you just send me an email from your Gmail account?”
Once the phisher is satisfied they have a good name to impersonate, (e.g. Bob Dobolina) they will register [email protected], (or hotmail, yahoo, etc…)
Armed with a new free email account that uses a familiar name, the phisher will send out their spear phish to the intended targets who may know or have heard of “Bob Dobolina.” This increases the chance that the victim will fall for the phish.
How does the attacker find the names needed to carry on this charade? Social networks and tools like Jigsaw and LinkedIn provide a wealth of information. (Head over to jigsaw.com right now and put your company name in.) You will see that piecing together the necessary information to effectively impersonate someone is quite easy.
Besides making your organization aware of this threat, what else can you do to protect yourself? How about creating fake personas? Ann Smith, Executive Assistant to the Director of Legal. But in this case, Ann Smith isn’t an executive assistant, instead, Ann Smith is an email alias that goes directly to your incident response and network monitoring team.
As the barrage of security breaches continues, Citigroup is the latest victim. This eWeek article: http://www.eweek.com/c/a/Security/Citigroup-Credit-Card-Portal-Breach-Compromises-200000-Customers-461930/ discusses the potential impact of this attack. One of the commentators brings up the topic of phishing. Hannigan, the CEO of Q1 labs, rightly points out that “Security trust means more than just making sure you’re in compliance with regulations,”. On the other hand, some of the quotes, like that from Anup Ghosh, co-founder of Invincea has a blatant technology solution vendor bias. He discounts human intelligence when referring to customers in this quote – “it’s not reasonable to expect them to differentiate spear phishing attacks”. So technology can differentiate these attacks but humans can’t? The claim is baseless.
Having trained in excess of 1.8 million people using PhishMe, I can confidently say that training works! It’s how you train people that matters. Invincea has a solution to protect against malicious PDFs and one to isolate the browser to protect against malware, I guess. Even if we assume that they provide 100% protection in these domains, what about malicious files in other formats – .docx, .xlsx, .chm (and the list goes on)? How long do you think it would take one of my Intrepidus Group consultants to craft an attachment that would squeak past Invincea’s solution? (hint: not very long)
What about targeted attacks that solicit sensitive information? Sweeping claims by vendors are a disservice to our industry. The false sense of security they create by offering a solution that relies on a single approach or technology do more harm than good. Their customers feel at ease and think that the targeted phishing problem is solved by that shiny box with blinky lights. There is no panacea – defending against spear phishing needs a multi-pronged approach – education/training, technology at the mail server, technology at the end point…and even then the bad guys may succeed; but you’ve raised the bar!