Phishing and Spear-Phishing and APTs, oh my!

With all of the media coverage on the recent flurry of successful phishing attacks targeting RSA, Epsilon’s clients and their customers, and Oak Ridge, it’s come to our attention that the fire hose of terms might leave some people confused.  We thought it might be a good opportunity to explain what some of these terms are (and aren’t).

Phishing

Phishing essentially boils down to an adversary tricking a victim into doing something. Email is, by far, the most common medium used but others are certainly possible (snail mail, telephone calls, etc.).

A traditional consumer email phish is what most of us are familiar with. It will try to get the recipient to give-up their login credentials by displaying a fake login form that looks like a legitimate site. But sometimes the attacker only wants the user to click a link to exploit a security vulnerability in the recipient’s web browser or email client.  And in the case of the attack on Oak Ridge, recipients were asked to open a specially crafted attachment which exploited a security vulnerability in the program used to open it. If you’re not familiar with these, go check out PhishTank.

Spear-Phishing

Many people think that “spear-phishing” and “phishing” are interchangeable; not true!

A spear-phisher has done their homework to create a targeted attack. They’re sending baited emails to specific individuals (or, a very small group of individuals — like the accounting department, for example).

This could be as simple as including the targeted company’s logo in the email and fake login page.  Or it could be as sophisticated as sending an email that appears to come from an individual who actually works at the company about a topical subject (“Hi John – Please complete and return this form to enroll you and your family in the new health care program that President Smith talked about at last month’s all-hands.  Thanks!  –Sally Jones”).

The spear-phishing label had been mostly reserved for enterprises. But now with the Epsilon breach, consumers will likely start receiving more tailored and targeted phishing scams. So we won’t cringe as much when people confuse phishing and spear-phishing because the line is getting blurred.

Advanced Persistent Threat (APT)

This term is getting thrown around a lot lately. A lot.

There is quite a bit of disagreement in the information security community as to the “correct” definition of an APT. Some people feel it is a “who” (for example, China and/or Russia), some think it’s a “what” (a hacking incident that meets certain, sometimes subjective, criterion), while other people believe it’s a marketing gimmick or an excuse as to why an adversary was successful. When we think of APT at PhishMe, we focus on the “persistent” part:  the realization that an organization now has to do business despite the fact they have bad guys inside of their network, and there is a good chance they will NEVER be able to fully rid themselves of this threat.  Since the attackers are, by definition “advanced”, they are able to maintain a persistent foothold in an organization.

Unfortunately the misuse of the term APT presents a marketing challenge for us.   When people talk about APT, spear-phishing naturally enters into the conversation.  The reason is simple, attackers need to break in first before they can become a “ persistent threat”.  And it’s no surprise  that they are getting in via well-crafted spear-phishing emails. So while spear-phishing is the attack vector that leads to APT, APT is the ugly fact that you may never find a cure to get rid of your persistent threat.  People seem to agree with this part of the APT definition, but it seems most technology vendors have successfully been able to re-write the definition of APT to be a convenient scapegoat for anything that circumvented their “bullet proof” technology.

Post Sales Engineer: “Did you have it configured in super-duper-malware analyze mode? .. You did? and you still got owned? Well, it was an APT, what do you expect from us!@# – click”

If our message gets lost in the APT marketing noise, then accept our humble apology in advance for “can’t-beat-em-join-em” regarding the misuse of the term APT in future marketing initiatives.

Fortunately, it’s possible to thwart a spear phishing attack  …before it gets Advanced or Persistent.

Cheers!

Doug Hagen

RSA breach: Lessons Learnt

Most of you have probably heard about the “RSA hack” by now. It was hot news three weeks ago when an employee at RSA fell prey to a targeted phishing attack as explained in this blog post: http://blogs.rsa.com/rivner/anatomy-of-an-attack/ . A couple of issues highlighted in this article really caught my attention.

The article states – “These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in. What does that tell you?“.  That tells me that technology by-itself is not the answer to combating spear phishing attacks, it’s also about training the end user to get better at how to be suspicious. Don’t get me wrong, I don’t think education is a silver bullet, but it’s more effective than filters and shiny, blinking boxes.  I like technologies that give the human another piece of trusted information they can use to evaluate the authenticity of an email. One example is Iconix’s SP Guard. We trained over 1.5 million (using PhishMe). The results show that perioidic training that immersed the subjects in the concept through mock phishing  was successful in bringing down susceptibility rates in excess of 60% on average within a few months.

The article aslo discussed how the attackers targeted employees that ” you wouldn’t consider…particularly high profile or high value targets.” There’s a lesson here; security awareness programs should not focus only on executives and systems administrators, but on the entire organization. “Low profile” employees can severely undermine the organization’s assets too, just through a couple of clicks.

Oh yes, and finally, the phishing email was caught by the email client’s junk filter; the victim went out of their way to retrieve the email into the inbox and act on it.

IMHO, end-point security technologies are to phishing attacks (or *APTs) what radars are to a stealth bomber.

Rohyt Belani

*APT term used facetiously 😉

Solve spear phishing with another appliance?

Have a spear phishing problem? You are not alone.  Spend some time at the excellent contagio malware dump blog: http://contagiodump.blogspot.com/

So how is the multiple racks of endpoint security malware detection equipment protecting you today?

If namelist.xls was emailed into your organization, how would you fare?

http://www.virustotal.com/file-scan/report.html?id=9071f0b9b1e428cf4703b1e8988abaff70a6fbd6c3e0df7aaf4d1b6741a5341c-1302813557

RSA Conference: Circus of Vendors

In past years I never attended the RSA conference; it always came across as too much of a vendor show to me. This year I didn’t think I would go, until rsnake convinced me otherwise. So I bought myself an Expo Only pass. I had a lot of fun, meeting old time buddies from Foundstone and Mandiant, a bunch of clients, and partners. But I had the most fun just watching the show on the Expo floor. Must have been 300 booths and a gazillion sales people swarming them with those annoying mics trying to outspeak each other like barkers outside a souvenir store at a tourist destination. Companies doing raffles at their booths – I’ve seen that, but arcade car racing games like those at Dave & Busters, security “Jeopardy” shows every hour being hosted by “slick” sales people, cheesy whack-a-fraudster, wannabe Houdinis showing off card tricks and free beer made the cut too. I wondered, do clients actually walk the floor to learn about new products? I think not. They do so for the free entertainment, adulation, and giveaways.  Makes one wonder, are the RSA booths worth their price tag? The smallest, and furthest ones, which you would see if you were really looking for, are worth an arm and leg. VC money well spent? Oh what a circus it was!

– Rohyt

Phishing with Encoded IP Addresses

I was adding a little special sauce to Phishme.com this past week and thought this might be fun to share. We have a few different ways a user can craft their phishing links. If he/she chooses the IP address option, then there is also the choice of encoding options. This lets you mask the IP address in an attempt to trick the user into thinking part of the sub directory is perhaps the host name. Or as in the case with my mom… she thinks it is just the phone number so the computer knows where to call. And it’s hard to blame her when you see a decimal encoded IP address.

http://2130706433/somecompany.com

The team over at Marshal has put together a good walk through of the encoding so you can follow along. If you would like to view the javascript, you can find it here. This may not work on all browsers, but it holds up pretty well on your corporate windows boxes with IE or Firefox. Want to test it out? Just put in an IP address below and click on the link it generates.

-b3nn



 

Baiting the Hook, Sneak Peek at PhishMe.com

If you’ve been noticing a little silence on the blog recently, it’s been because a lot of the ranting has been going into developing what we think is a great anti-phishing user awareness tool. Take a peek at our main site at www.PhishMe.com

Conducting ethical phishing attacks has never been easier. User awareness will be improved, enforced, and for the first time for many users, easy to measure and trend over time. You can sign up for the mailing list right now that will let you know when the full blown service is launched. We will be offering free trial accounts that will allow you to get a taste of the features and test out if a few of your users will bite.

Another key feature of PhishMe is the built in templates to make your job of crafting phishing attacks simple yet effective and modern. How do you think your employees would respond to a message about a “virus outbreak”. Will they just follow the instruction in an email without verifying any of the information? What about a message to update their HealthCare information on a new third party site? The number of people that fall victim to these types of attacks will make you wonder why hackers even bother with anything that isn’t social engineering.

There is more to come in the future but for now, check out www.PhishMe.com

-b3nn

Time to Phish your Customers?

Building employee awareness to social engineering attacks, like Phishing, is clawing its way up the CISO’s priority ladder; and rightly so. But, what good are aware employees if your customers can be directly targeted by such attacks?

A month ago, monster.com had to deal with a phishing attack that targeted their clients and did so with some success. Security experts commented in this USAtoday article urging job seekers to expose minimal data and blaming monster.com for not enforcing strong passwords. I don’t want to undermine the soundness of those suggestions. However, I don’t believe they will solve the issue at hand. How about educating your clients and users about such threats? Now some of you may argue that these educational campaigns that include informative blurbs on the website don’t really work. Agreed. Is it time we adopted an innovative approach of emulating a phishing attack against our clients and instantly educating those that succumb by explaining what the exercise entailed and the do’s and dont’s? Such exercises have worked effectively when educating employees; that should be proof enough of their efficacy. And yes, I’m sure your legal counsel would shed a few drops of sweat if you suggested this exercise. But then there were a few who reacted in similar fashion when the concept of network pen testing was introduced.

Monster.com was not a one-off target. Here’s another company responding to a phishing attack against its clients:


From: ADPSecurity@adp.com [mailto:ADPSecurity@adp.com]
Sent: Friday, September 14, 2007 4:45 PM
To:
Subject: Fraudulent Emails
Beginning yesterday, certain ADP clients and other parties started receiving fraudulent e-mails that appear to be sent from ADP. They were not. If you receive these e-mails DO NOT OPEN, FORWARD, LAUNCH OR RESPOND TO THEM. IMMEDIATELY DELETE THEM. The e-mails and their attachments are malicious and could harm your computer. We believe they are attempting to compromise your data. WHAT YOU NEED TO KNOW: Here is what you should be on the lookout for:

  • The “from:” address in these e-mails may have been spoofed to look like it is coming from ADP such as “emplservices292823@adp.com” or “adpcomplaintcenter@adp.com“.
  • The subject line may read: “Agreement Update for [Your Company Name (Case id: ______)]” or “Complaint Update for [Company Name (Case id. #)]”.
  • The e-mail may have an attachment named either Agreement.rtf or Agree.rtf or may instruct you to “download a copy of your complaint.”
  • These attacks are sophisticated and you may receive other fraudulent e-mails. Please be careful not to open any suspicious attachments or to download any files.

ADP will continually update the information on its website to help you identify and avoid problems from these suspicious e-mails. You will be able to visit http://www.adp.com/about_fraudulentemail.asp for the latest information.

WHAT YOU NEED TO DO: If you received one of these suspicious e-mails do not open the attachment and do not provide any information of any kind. Delete the e-mail and any attachment immediately.

WHAT IS ADP DOING ABOUT THIS: ADP’s security team is working with law enforcement as well as outside experts to identify those responsible for this attack. If we identify any further steps needed to protect your computer, ADP will immediately post this information on our website.We appreciate your understanding as we work with law enforcement and you to resolve this matter.


Corporations have invested millions in security processes and technology. It’s time we focussed on the “people” factor. – Rohyt

Phishing for User Awareness

A recent survey of over 279 IT Executives indicated that the greatest security challenge they faced was building an effective security awareness program and encouraging their employees to embrace it.  Employees, albeit unaware, oblivious or unconcerned, continue to fall prey to conniving social engineers compromising sensitive data protected by millions of dollars worth of technology. The return on investment on building user awareness is apparent and no longer a hard sell for IT security staff. The real problem lies in building an effective program that actually changes the mindset of the employees.  In a society where 90% of recovering coronary bypass patients do not change their dietary and lifestyle habits, will an awareness program really change their attitude towards information security?

This year we conducted numerous social engineering exercises for Fortune 500 companies, whose success relies heavily on the protection of intellectual property. These exercises involved scripted telephone calls to the organization’s customer service departments and mass phishing emails targeting a randomly selected set of employees. The objective was to collect sensitive data; the results were astounding. At one organization, 627 of the 1000 people targeted by phishing emails (aimed at pilfering the employees’ corporate VPN credentials) succumbed to the attack and only 4 of the 373 that did not respond reported the issue to information security staff. It’s not so much those statistics that made the results astounding, but the fact that the organization had recently conducted user awareness workshops that addressed the threats posed by social engineers. So where did they go wrong? Are the information security personnel to blame for developing ineffective programs or the employees for their lack of following direction? I believe it’s a combination of both; but the information security staff must assume the onus of taking the initiative of developing innovative user awareness programs that make a lasting impression. The majority of the security awareness sessions I’ve attended whave been unstimulating affairs couching the do’s and don’ts of security. Another approach used involves mandatory computer based training (CBT) programs for employees.  At the end of the CBT session the employees had only improved their mouse-click speed. On the other hand, an approach I’ve found to be very successful entails sending out email to all employees (or to a representative sample of them) that mimics a true phishing attack aimed at garnering personal information. If the employees yield, they are immediately presented an informative message explaining the attack and redirected to the corporate awareness materials. This approach has proven to be very effective as the people who are most vulnerable are educated right away, and the next time a real phishing attack comes through, the emulation exercise will probably be the first thing that comes to the employee’s mind. One of our clients experienced a drop in the “hit rate” for such attacks from 67% to 4% over the course of three such phishing exercises!

-Rohyt

Dirty Dirty Wi-Fi: AT&T Wi-Fi Service Phishing?

I’m sitting at Dulles airport right now, at gate C19, on my way to Vegas. I’m excited to catch up with friends and colleagues at BlackHat this year.  I realized a few days ago that my 81 slide presentation for DefCon isn’t for a 75 minute slot.. instead I’ll be trying to fit it into a 50 minute slot! Wish me luck!

Public Wifi is so dicey… I would never use it for anything other than entertainment during delays.  If I need to get work done I hop on EVDO.  Captive portals are everywhere… and if you pay much attention to security you probably know how easy it is to MAC change and steal wireless services.  These captive portals are interesting to me because the service is so dangerous to use. One bad guy with Cain and Abel can really wreck havoc.

T-mobile hot spots are no longer the only targets – ATTWIFI, pcswifi, and others are all fighting over this precious spectrum.   I decided to check out the other captive portals to see if they are doing anything better then MAC address authorization.  Look what I ran into:

What is “Other Provider”? Intrigued I put in some bogus credentials to see if the next screen would prompt for a non-listed hot-spot service provider like Boingo. Nope… I just got an authentication failure screen. I wonder how many users will supply AT&T with non-AT&T credentials.  Not good AT&T. You shouldn’t have an “Other Provider” category.

–higB

Harry Potter Phishing Attack: Fact or Fiction?

On June 19th a spoiler for the next Rowling book Harry Potter and the Deathly Hallows was posted to the full disclosure mailing list:
http://seclists.org/misc/harrypotterspoilers.html
(WARNING: If you’re a Harry Potter fan you may want to hold off reading it.) The spoiler was nothing more than a summary of which main characters allegedly die in battle with Voldemort and other rivals.
What is more interesting is how this book was allegedly obtained. The author of the messages claims he launched a phishing attack against Bloomsbury Publishing.

“The attack strategy was the easiest one. The usual milw0rm downloaded exploit delivered by email/click-on-the-link/open-browser/click-on-this-animated-icon/back-connect to some employee of Bloomsbury Publishing, the company that’s behind the Harry crap.”

The claim is that a spear phishing attack was executed against Bloomsbury Publishing staff. Was Bloomsbury Publishing really phished? This telegraph.co.uk story: “Harry Potter ‘hacker’ posts plot on internet” has a quote from a Bloomsbury spokeswoman, “There are lots and lots of rumoured versions of the book (on the internet). We don’t confirm or deny any rumours.”

Did the Bloomsburg phishing attack really happen or was it a hoax? https://cofense.com/ doesn’t know but one would think that if this hack really did happen over a month ago, that the Harry Potter and the Deathly Hallows would be all over bittorrent. I checked a few tracker sites before starting this blog post. All the claims on Demonoid were that the 5 available Deathly Hallows books were either hoaxes or ……..

********** BREAKING NEWS **********
Demonoid has removed all of the hoax torrents and only this one remains:
http://www.demonoid.com/files/details/1252898/13924344/

“I found this on another site, for those of you who simply can’t wait. It only includes the book up to pg.495.
But at least now we can compare the fakes to the real thing.
Enjoy and remember to seed!! ”

This one appears to be someone who has taken digital photos of 495 pages. Now that is someone dedicated to their piracy!

********** END NEWS **********

So it seems that there is still no official full copy on bittorrent but it’s only a matter of time.

In another story by PCmag: Dissecting the Harry Potter ‘Hack’ we read:

“it is conceivable that a successful download-based exploit was launched, according to a member of the hacker community, who asked that his name not be used. He pointed out that hackers have begun to carefully target companies and market segments. A well-crafted attack that uses correct names and titles, and spoofs a sending address from a partner firm, can be highly effective.”

For the record, it’s beyond conceivable, it’s happening now. In the recent incident response projects that we’ve worked the attack vector used to gain a foothold into the organization is a targeted phishing attack. It’s not just a problem for the commercial world either.
Do you think that the DOD is requiring mandatory anti-phishing training because they fear that they might get hacked using this method? Check out this quote from this DOD battles spear phishing article:

“At this point, the true scope of compromise and exploitation is unknown, but likely thousands more users and computers have been, or will be, successfully targeted,” the bulletin states. “

It’s too bad that external penetration testing no longer mimics the ways that attackers are getting into organizations. If you’re responsible for commissioning an external penetration test against your organization, maybe it’s time to do more than full TCP/UDP port scans (*Think social engineering). Today’s myspace generation of attackers don’t even know what UDP is.

-higB