Phishing and Spear-Phishing and APTs, oh my!

With all of the media coverage on the recent flurry of successful phishing attacks targeting RSA, Epsilon’s clients and their customers, and Oak Ridge, it’s come to our attention that the fire hose of terms might leave some people confused.  We thought it might be a good opportunity to explain what some of these terms are (and aren’t).

Phishing

Phishing essentially boils down to an adversary tricking a victim into doing something. Email is, by far, the most common medium used but others are certainly possible (snail mail, telephone calls, etc.).

A traditional consumer email phish is what most of us are familiar with. It will try to get the recipient to give-up their login credentials by displaying a fake login form that looks like a legitimate site. But sometimes the attacker only wants the user to click a link to exploit a security vulnerability in the recipient’s web browser or email client.  And in the case of the attack on Oak Ridge, recipients were asked to open a specially crafted attachment which exploited a security vulnerability in the program used to open it. If you’re not familiar with these, go check out PhishTank.

Spear-Phishing

Many people think that “spear-phishing” and “phishing” are interchangeable; not true!

A spear-phisher has done their homework to create a targeted attack. They’re sending baited emails to specific individuals (or, a very small group of individuals — like the accounting department, for example).

This could be as simple as including the targeted company’s logo in the email and fake login page.  Or it could be as sophisticated as sending an email that appears to come from an individual who actually works at the company about a topical subject (“Hi John – Please complete and return this form to enroll you and your family in the new health care program that President Smith talked about at last month’s all-hands.  Thanks!  –Sally Jones”).

The spear-phishing label had been mostly reserved for enterprises. But now with the Epsilon breach, consumers will likely start receiving more tailored and targeted phishing scams. So we won’t cringe as much when people confuse phishing and spear-phishing because the line is getting blurred.

Advanced Persistent Threat (APT)

This term is getting thrown around a lot lately. A lot.

There is quite a bit of disagreement in the information security community as to the “correct” definition of an APT. Some people feel it is a “who” (for example, China and/or Russia), some think it’s a “what” (a hacking incident that meets certain, sometimes subjective, criterion), while other people believe it’s a marketing gimmick or an excuse as to why an adversary was successful. When we think of APT at PhishMe, we focus on the “persistent” part:  the realization that an organization now has to do business despite the fact they have bad guys inside of their network, and there is a good chance they will NEVER be able to fully rid themselves of this threat.  Since the attackers are, by definition “advanced”, they are able to maintain a persistent foothold in an organization.

Unfortunately the misuse of the term APT presents a marketing challenge for us.   When people talk about APT, spear-phishing naturally enters into the conversation.  The reason is simple, attackers need to break in first before they can become a ” persistent threat”.  And it’s no surprise  that they are getting in via well-crafted spear-phishing emails. So while spear-phishing is the attack vector that leads to APT, APT is the ugly fact that you may never find a cure to get rid of your persistent threat.  People seem to agree with this part of the APT definition, but it seems most technology vendors have successfully been able to re-write the definition of APT to be a convenient scapegoat for anything that circumvented their “bullet proof” technology.

Post Sales Engineer: “Did you have it configured in super-duper-malware analyze mode? .. You did? and you still got owned? Well, it was an APT, what do you expect from [email protected]# – click”

If our message gets lost in the APT marketing noise, then accept our humble apology in advance for “can’t-beat-em-join-em” regarding the misuse of the term APT in future marketing initiatives.

Fortunately, it’s possible to thwart a spear phishing attack  …before it gets Advanced or Persistent.

Cheers!

Doug Hagen

RSA breach: Lessons Learnt

Most of you have probably heard about the “RSA hack” by now. It was hot news three weeks ago when an employee at RSA fell prey to a targeted phishing attack as explained in this blog post: http://blogs.rsa.com/rivner/anatomy-of-an-attack/ . A couple of issues highlighted in this article really caught my attention.

The article states – “These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in. What does that tell you?“.  That tells me that technology by-itself is not the answer to combating spear phishing attacks, it’s also about training the end user to get better at how to be suspicious. Don’t get me wrong, I don’t think education is a silver bullet, but it’s more effective than filters and shiny, blinking boxes.  I like technologies that give the human another piece of trusted information they can use to evaluate the authenticity of an email. One example is Iconix’s SP Guard. We trained over 1.5 million (using PhishMe). The results show that perioidic training that immersed the subjects in the concept through mock phishing  was successful in bringing down susceptibility rates in excess of 60% on average within a few months.

The article aslo discussed how the attackers targeted employees that ” you wouldn’t consider…particularly high profile or high value targets.” There’s a lesson here; security awareness programs should not focus only on executives and systems administrators, but on the entire organization. “Low profile” employees can severely undermine the organization’s assets too, just through a couple of clicks.

Oh yes, and finally, the phishing email was caught by the email client’s junk filter; the victim went out of their way to retrieve the email into the inbox and act on it.

IMHO, end-point security technologies are to phishing attacks (or *APTs) what radars are to a stealth bomber.

Rohyt Belani

*APT term used facetiously 😉

Solve spear phishing with another appliance?

Have a spear phishing problem? You are not alone.  Spend some time at the excellent contagio malware dump blog: http://contagiodump.blogspot.com/

So how is the multiple racks of endpoint security malware detection equipment protecting you today?

If namelist.xls was emailed into your organization, how would you fare?

http://www.virustotal.com/file-scan/report.html?id=9071f0b9b1e428cf4703b1e8988abaff70a6fbd6c3e0df7aaf4d1b6741a5341c-1302813557

Education vs. Technology

Trusteer recently released a study containing the results of a spear phishing test against 100 LinkedIn users. Their findings had a 68% failure rate. While a 68% failure rate seems high, it is not an unusual number for a group that has received no prior education or training in how to spot phishing – or at least training that is meant to be effective. We know this based on having sent well over a million spear phishing emails to employees of corporations across multiple industry verticals. Trusteer, a company that specializes in the creation of information security software products, stated in this article that the only real solution is a technological one. We wholeheartedly disagree. These are numbers that we have seen time and again; Numbers that we consistently reduce through education via periodic training exercises that immerse the recipient in the experience.

There are many characteristics of this test done by Trusteer that would cause anyone with a basic understanding of testing methodologies and statistics to stand up and take notice. Firstly, the test was conducted with no real prior education to the users; this would make a good baseline, but only if you then provided training to the same users and ran the test again later to measure the difference the training made. Trusteer did not do this. In fact, Trusteer by their own admission hand-picked the recipients from a pool of friends and family. Their claims of vetting this list to ensure that it contained people who “it estimated to be fairly educated about security” must be taken at best with a grain of salt. Secondly, this test was conducted on a very small pool of people – we don’t believe the sample set is large enough or diverse enough to make a sweeping statement. While we can agree with their claims of Social Engineering making it “easy to drive corporate users to fake websites that could potentially download malware onto their computer”, it is the way they draw the conclusion, their methodology, and the claims that only a technological solution is the answer, that we take issue with.

Social engineering is a human issue that evolves around technical controls.  Convincing someone to click a link or download a piece of malware is just a twist on the same methods used by grifters and con men for hundreds of years. As long as someone is unaware, there will always be someone to take advantage of them.

It is time we face the simple truth –  there is no magic box that will solve spear phishing. We can’t continue to let the end-user believe that if something made it into their inbox, then it must be ok. We need to proactively teach people to be suspicious.

Mac McCrory

Rebirth

This is the official rebirth of our blog. For a while now, this blog lay dormant, while the team at PhishMe was anything but. Sales and Marketing has been trying to keep up with the interest while Dev, Operations, and support have consistently delivered the most cutting edge phishing awareness services on the market. It’s a pity the blog hasn’t kept up because we have a lot of interesting thoughts and statistics to share, better late than never. Stay tuned for the latest on phishing news, our lessons learnt from successfully training people to thwart targeted phishing, and anything else we feel like rambling about.

SCADA hacking? What if they used cofense.wpengine.com?

At this year’s RSA conference Ira Winkler went on to tell the audience about hacking into an energy company (via an authorized penetration test) using a targeted phishing email. Details are in this networkwold article: http://www.networkworld.com/news/2008/040908-rsa-hack-power-grid.html

“The penetration team started by tapping into distribution lists for SCADA user groups, where they harvested the e-mail addresses of people who worked for the target power company. They sent the workers an e-mail about a plan to cut their benefits and included a link to a Web site where they could find out more.”

Are we surprised they were successful? Absolutely not. We’ve been using this technique and responding to real incidents that that used spear phishing for quite some time now. But what if those same employees had already been “phished” through targeted awareness and then presented with the appropriate training material? What if you ran this exercise against all your employees regularly?

Phishme.com already has pre-built scenarios to make this training quick and easy. It has many generic domain names to choose from or you can register your own look-a-like domain.

There is no sense in paying a pentest company high dollar consulting fees to find out if your employees are vulnerable to phishing. I’m about to save your company a boat load of money.

Dear Magic Eight ball, I don’t currently conduct phishing attacks against my own employees as a means to train them. Am I vulnerable to spear-phishing attacks?

Phishing with Encoded IP Addresses

I was adding a little special sauce to Phishme.com this past week and thought this might be fun to share. We have a few different ways a user can craft their phishing links. If he/she chooses the IP address option, then there is also the choice of encoding options. This lets you mask the IP address in an attempt to trick the user into thinking part of the sub directory is perhaps the host name. Or as in the case with my mom… she thinks it is just the phone number so the computer knows where to call. And it’s hard to blame her when you see a decimal encoded IP address.

http://2130706433/somecompany.com

The team over at Marshal has put together a good walk through of the encoding so you can follow along. If you would like to view the javascript, you can find it here. This may not work on all browsers, but it holds up pretty well on your corporate windows boxes with IE or Firefox. Want to test it out? Just put in an IP address below and click on the link it generates.

-b3nn



 

If I was a hacker…err cracker…

  1. I would be very busy the week of Christmas, while IT security staff is probably operating at 20% normal strength. Not only is it the weakness in numbers, but also the holiday mood.  How many of you are actually working full days? IDS logs – thats probably the last thing on your mind now that you have Guitar Hero III in the breakroom.
  2. I would get busy if I heard that a company was being acquired. From my experience, most companies put a freeze on all discretionary spending from the time a deal is announced untill it closes. Unfortunately, security is often thrown into that discretionary spending budget, making it easy on the bad guys for several months!
  3. If I really wanted to spend Christmas with my family, I would just come back another time and phish employees…that works irrespective of season.

Wishing you all a very Happy New Year! Stay safe.

-Rohyt

Phishing joins the SANS Top 20

Phishing is now recognized as a 2007 SANS Top 20 risk, and rightly so. What I was even more excited to see is SANS calling out the countermeasure correctly. They didn’t recommend deploying millions of dollars worth of technology to “catch” phishing attacks, but said “user awareness is a key defense. The most promising method of stopping spear phishing is continuous periodic awareness training for all users; this may even involve mock phishing attempts to test awareness”.  As I said in a previous blog post , we are in total agreement with SANS on the efficacy of this countermeasure. In fact we are so in agreement that we have developed a solution (https://cofense.com/) to do exactly that – run mock phishing attacks to test and measure employee awareness.

Now for the gimmicksmen. Qualys just made an interesting announcement – “Free security scan available for the new SANS Top 20“. I wonder how they are going to scan for phishing vulnerabilities.

– Rohyt