The Resurgence of Data-Entry Phishing Attacks

‘Old School’ email social engineering or data-entry phishing is an attack method that has been on the rise in recent months, notably employed by the Syrian Electronic Army to hack seemingly every major media outlet in the Western hemisphere, and possibly responsible for other high-profile breaches.

A Target spokesperson confirmed last week that attackers initially gained access to the company systems through stolen credentials obtained through a vendor. While Target has not confirmed the exact method through which the credentials were stolen, one possible scenario is that attackers sent a spear-phishing email to the vendor, obtained valid login credentials for Target, and used those credentials to gain a foothold in Target’s network.

Punishing users is the wrong approach to improving security behavior

Punishing users for undesired security behavior? We believe that punishing users is a misguided idea that will alienate them and make it difficult to ever improve user security behavior. Every so often, someone in the industry brings up the idea of punishing users as a way of motivating/improving behavior. We hadn’t heard much on this topic since we wrote a post on it back in September; however, it has flared up again.

Popular holiday-themed phishing attacks

The holidays are a busy time for everyone… especially for hackers trying to phish your employees. Phishing is most effective when it exploits human emotions—fear, greed, anxiousness, curiosity, compassion, getting a good deal—and the holidays tend to bring these emotions out more than other times of the year. This gives adversaries a bevy of relevant topics to use to build phishing campaigns.

How can you ensure your employees are prepared for the onslaught of phishing attacks this holiday season? We’ve mentioned before that training your employees needs to be continuous, and if you have provided immersive security awareness training throughout the year, your employees will be more resilient to phishing attacks at all times. We’ve also noted the need to keep that continuous training fresh, and providing holiday themed training is a great way to provide training that is engaging and timely.

How to Integrate Anti-Phishing Solutions into Existing Security Infrastructure

Today, we answer the question “How do I integrate anti-phishing solutions into my existing security infrastructure?”

Today, layered security and perimeter-based security solutions are less effective than they used to be. Organizations tend to lump these things together as anti-phishing solutions as they deal with traditional symptoms of phishing problems – cybercriminals luring you to another site or emails with malware attachments.

The great thing about phishing intelligence solutions is that they fit in with the other solutions you already have in place. They support standards such as XML, so the data you consume is normalized and delivered in the form of IP addresses that you can block directly from your firewall, IDS/IPS, or whichever mechanism you have in place, quickly and easily.
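As an added illustration of that integration (example code, not from PhishMe or any vendor feed), the following parses a constructed XML indicator feed, keeps only well-formed public IP addresses above a confidence threshold, and renders them as firewall rules. The element names, the `confidence` attribute and the `PHISH_BLOCK` chain are assumptions; the internal-range check is the caveat a practitioner wants before feeding any third-party list straight into a blocklist.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample feed; the schema is an assumption, not a real vendor format.
SAMPLE_FEED = """<?xml version="1.0"?>
<indicators>
  <indicator type="ip" confidence="90">198.51.100.23</indicator>
  <indicator type="ip" confidence="40">203.0.113.7</indicator>
  <indicator type="ip" confidence="95">10.0.0.5</indicator>
  <indicator type="ip" confidence="70">2001:db8::1</indicator>
  <indicator type="ip" confidence="80">not-an-ip</indicator>
  <indicator type="domain" confidence="99">phish.example</indicator>
</indicators>
"""

# Ranges that must never land in a block rule: a feed entry pointing at internal,
# loopback or link-local space is almost certainly an error, and blocking it is an outage.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_feed(xml_text, min_confidence=50):
    """Return the IP indicators worth blocking: type=ip, parseable, confident, not internal."""
    ips = []
    for node in ET.fromstring(xml_text).iter("indicator"):
        if node.get("type") != "ip":
            continue
        try:
            conf = int(node.get("confidence", "0"))
            addr = ipaddress.ip_address((node.text or "").strip())
        except ValueError:
            continue  # malformed confidence or address: skip rather than block garbage
        if conf < min_confidence or any(addr in net for net in INTERNAL_NETS):
            continue
        ips.append(str(addr))
    return ips


def iptables_rules(ips, chain="PHISH_BLOCK"):
    """Render one DROP rule per address, choosing ip6tables for IPv6 indicators."""
    return [f"{'ip6tables' if ':' in ip else 'iptables'} -A {chain} -d {ip} -j DROP"
            for ip in ips]


if __name__ == "__main__":
    for rule in iptables_rules(parse_feed(SAMPLE_FEED)):
        print(rule)
```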

Cost of Phishing for Businesses

We’re always talking about the cost of phishing for businesses, but why? Well, you might be surprised to learn that the true costs of phishing aren’t as obvious as you may suspect.

Phishing, of course, is not a new problem. It’s in fact a very old problem that has its roots 20 years ago when people used floppy disks and moved from computer to computer in the good old days of the “sneakernet.”

While phishing is not a new problem, it remains a very viable threat to many organizations – particularly financial institutions, e-commerce companies and government organizations. Rarely a day goes by without a significant attack being reported in the news.

Despite existing layers of security, such as education and training, IDS/IPS, web gateway/web filtering, takedown vendors, etc., there is still a high success rate. It has been estimated that one of every 200 phishing attacks is successful. The average cost of a phishing attack is $150,00 to the organization. That is a significant amount of money.

Now, what may surprise you is that the smallest portion of that cost is the actual fraud. Damage to reputation and the cost of remediation together account for almost ⅔ of the cost of phishing. Phishing is incredibly costly, and worse, the problem is growing at an alarming rate.

Syrian Electronic Army continues to carry out successful data-entry phishing attacks

When the Syrian Electronic Army nailed a number of prominent media outlets earlier this year, we were pleased to see a number of open and honest responses from those that were breached, notably from The Onion and The Financial Times.

Last week, the SEA was at it again, successfully hacking content recommendation service Outbrain, an attack which provided a foothold to compromise media behemoths The Washington Post, Time, and CNN. The SEA attacked Outbrain with largely the same tactics it has used so successfully in the past few months, by eliciting log-in credentials through a phishing email, the same tactics PhishMe simulates in our data entry scenarios.

Double Barrel Throwdown Contest Terms and Conditions

Please read before entering, as entry in this contest constitutes acceptance of these rules.

No purchase is necessary to participate. The contest is open to all entrants who submit a valid entry form using a qualified email address.

ENTRY IN THIS CONTEST CONSTITUTES YOUR ACCEPTANCE OF THESE OFFICIAL RULES

The Double Barrel Throwdown (the “Contest”) is a competition to produce the most original, persuasive, and realistic Double Barrel phishing scenarios. PhishMe’s panel – composed of PhishMe employees – will select the best entry according to those criteria, with the winner receiving a Google Nexus tablet. To submit a valid entry into the contest, an individual must complete and submit the web form available on PhishMe’s website, ensuring to complete all required fields.

Submission Guidelines:

All submissions become the property of PhishMe, Inc. and we reserve the right to use any and all submission content in future PhishMe products, services, or marketing efforts.

All submissions must come from a qualified email address (such as corporate, government, or other recognized organizational emails).

All submissions must be received no later than 12 AM EDT on Thursday, July 25, 2013.

A valid entry must comply with the following content limitations:

  • Entries may not use trademarked material, logos, domains, images or any other content that does not belong to the entrant. Any use of unauthorized content will automatically disqualify the entry.
  • Entries that are lewd, obscene, pornographic, or otherwise contain objectionable material will be disqualified at PhishMe’s discretion.

Prize

The contest winner will be announced on July 31, 2013 at PhishMe’s booth at the Black Hat Expo and simultaneously via PhishMe’s Twitter and LinkedIn accounts. The contest winner must reply to our Twitter or LinkedIn accounts to be eligible to claim the prize, a Google Nexus tablet.

The Phish Chain: Phishing Attack from Start to Finish

A few years ago, computer security intelligence expert Mike Cloppert discussed the Cyber Kill Chain, the process through which a cybercriminal uses malware to attack the victim. In a recent webinar titled “How to Use Email-based Threat Intelligence To Catch a Phish,” Securosis’ Mike Rothman applied Cloppert’s methodology to how cyberattacks work in the case of a phishing attack.

The kill chain begins with weaponization and ends with monetization, the point at which credentials are stolen. In this post, we’ll dig into the Phish Food Chain, as explained by Mike Rothman and discuss how cybercriminals utilize this process to attack your brand. Let’s take a closer look at how Rothman took Cloppert’s work with the kill chain and applied it to phishing.

Leverage

Step 1: Reconnaissance

Reconnaissance is all about leverage. Phishers seek out large consumer brands that have a broad base of customers to target. Think about it: why go after 100 people when you can go after 100 million? These are the kinds of attacks where you see the big brands targeted – the companies with the broadest array of customers.

Phishing Kits

Step 2: Weaponization

Weaponization occurs in the form of phishing kits. Phishing kits are pre-packaged attack materials targeted at a specific brand, containing all of the files, malware and materials that a phisher would need to launch an attack against a specific brand. As soon as the phisher uses these materials to launch a phishing website, they are officially “in business” (and on their way to putting you out of business).

Spam Filter Evasion

Step 3: Delivery

Delivery aims to evade spam filters. This is the point at which the phishing email is delivered to its target.

Advanced Malware Attacks

Step 4: Exploitation / Step 5: C2 (Command & Control)

Exploitation and command and control are the domain of advanced malware attacks: attackers use fairly advanced malware to take advantage of vulnerabilities and gain a presence on the victims’ devices.

Monetize

Step 6: Exfiltration

This is where the monetization takes place. Phishers acquire credentials that allow them to access the resources that they are seeking in the phishing attack.

Build Phishing Countermeasures to Protect Your Brand

Corporations fight phishing each and every day. Large, recognizable financial institutions, retail companies and internet service providers/telecommunication companies are among the most heavily targeted victims of phishing.

The aftermath of a phishing attack is costly and yields long-term consequences, yet it is quite difficult to keep up with cybercriminals. It’s shockingly easy for a cybercriminal to create a phishing site targeted at your brand: he simply needs to unpack and upload a pre-built “phishing kit” in order to create a new phishing website. Just one phishing kit can produce hundreds of phishing URLs.

With just a few clicks of the mouse, the cybercriminal attacks your brand, sending you scrambling to “take down the site.” One-by-one you take down each individual website, costing your brand time, money and reputation. As you take down, he creates. It’s a never-ending battle. In our data, we’ve found that it is often the case that the same attacker is using this method to attack several institutions or companies within the same industry over a period of several months or years.

While the term “big data” is both ambiguous and overused, it defines the new frontier in the fight against phishing. Data sourced from hundreds of phishing sites targeting hundreds of brands is analyzed to identify trends, which allow us to build more effective strategies to fight cybercrime and prevent future phishing attacks.

Below we’ll discuss how to use phishing intelligence to build more effective countermeasures to protect your brand from attackers:

  1. Isolate a single attacker. Instead of taking down each phishing site one-by-one, what if you could go directly to the source and stop the criminal in his tracks? Analyzing phishing data allows us to gain clues as to how the criminal operates. For example, in a recent analysis of phishing attacks targeting large financial institutions, we found one particular criminal who had created 604 phishing sites with a single phishing kit, 390 of which were hosted on a single IP address. We call this a “clue.” Using this data, we’re able to identify several details about the criminal, often including email addresses and social media profiles. If you could identify an attacker that’s behind multiple attacks against your brand, how would that change the way that you approach phishing in your organization?
  2. Identify the monetization path. Another important component of building effective countermeasures against cyber attackers is to take a close look at the monetization path. It’s critical to understand the motives behind the attack (is the attacker money-motivated in the first place?) and how he has constructed his scheme to put your money in his pocket. Understanding the process is a key step in building future strategies and barriers to stop cybercriminals in their tracks.
  3. Build barriers. Using the intelligence and patterns that you’ve identified, build barriers to protect your brand against future cyber attacks, so that you identify threats early and stop criminals from stealing from your customers.
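The “isolate a single attacker” analysis in step 1 comes down to grouping reported phishing sites by kit fingerprint and measuring how concentrated their hosting is. The following is an added example, not PhishMe’s own tooling; the site records are constructed, and the kit fingerprint stands in for whatever hash or signature an analyst derives from the unpacked kit.

```python
from collections import Counter, defaultdict

# Constructed sample records: (phishing URL, kit fingerprint, hosting IP).
# The fingerprints and addresses are made up; documentation ranges are used for the IPs.
SAMPLE_SITES = [
    ("http://198.51.100.23/bank/login.php",      "kit-a1", "198.51.100.23"),
    ("http://198.51.100.23/secure/verify.php",   "kit-a1", "198.51.100.23"),
    ("http://198.51.100.23/acct/update.php",     "kit-a1", "198.51.100.23"),
    ("http://login-example.test/bank/login.php", "kit-a1", "203.0.113.7"),
    ("http://other-host.test/pay/index.php",     "kit-b2", "203.0.113.9"),
    ("http://other-host.test/pay/index.php",     "kit-b2", "203.0.113.9"),  # duplicate report
]


def cluster_by_kit(records):
    """Group distinct phishing URLs by kit fingerprint and count sites per hosting IP.

    Returns {kit: {"sites": int, "by_ip": Counter}}. Duplicate reports of the same
    URL/kit pair are counted once so that noisy feeds do not inflate a cluster.
    """
    seen = set()
    clusters = defaultdict(lambda: {"sites": 0, "by_ip": Counter()})
    for url, kit, ip in records:
        if (url, kit) in seen:
            continue
        seen.add((url, kit))
        clusters[kit]["sites"] += 1
        clusters[kit]["by_ip"][ip] += 1
    return dict(clusters)


def hosting_concentration(cluster):
    """Return (ip, count, share) for the IP hosting the largest share of a kit's sites.

    A high share is the 'clue' from the post (390 of 604 sites on one address): it
    points at a single operator and tells you which takedown or block removes most
    of the cluster at once instead of one URL at a time.
    """
    ip, count = cluster["by_ip"].most_common(1)[0]
    return ip, count, count / cluster["sites"]


if __name__ == "__main__":
    for kit, cluster in cluster_by_kit(SAMPLE_SITES).items():
        ip, n, share = hosting_concentration(cluster)
        print(f"{kit}: {cluster['sites']} sites, {n} on {ip} ({share:.0%})")
```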

Have you used phishing intelligence to build effective countermeasures against cybercriminals? Share your insight in the comments below.