Syrian Electronic Army continues to carry out successful data-entry phishing attacks

When the Syrian Electronic Army nailed a number of prominent media outlets earlier this year, we were pleased to see a number of open and honest responses from those that were breached, notably from The Onion and The Financial Times.

Last week, the SEA was at it again, successfully hacking content recommendation service Outbrain, an attack which provided a foothold to compromise media behemoths The Washington Post, Time, and CNN. The SEA attacked Outbrain with largely the same tactics it has used so successfully in the past few months, by eliciting log-in credentials through a phishing email, the same tactics PhishMe simulates in our data entry scenarios.

Double Barrel Throwdown Contest Terms and Conditions

Please read before entering, as entry in this contest constitutes acceptance of these rules.

No purchase is necessary to participate. The contest is open to all entrants who submit a valid entry form using a qualified email address.

ENTRY IN THIS CONTEST CONSTITUTES YOUR ACCEPTANCE OF THESE OFFICIAL RULES

The Double Barrel Throwdown (the “Contest”) is a competition to produce the most original, persuasive, and realistic Double Barrel phishing scenarios. PhishMe’s panel – composed of PhishMe employees – will select the best entry according to those criteria, with the winner receiving a Google Nexus tablet. To submit a valid entry into the contest, an individual must complete and submit the web form available on PhishMe’s website, ensuring to complete all required fields.

Submission Guidelines:

All submissions become the property of PhishMe, Inc. and we reserve the right to use any and all submission content in future PhishMe products, services, or marketing efforts.

All submissions must come from a qualified email address (such as corporate, government, or other recognized organizational emails).

All submissions must be received no later than 12 AM EDT on Thursday, July 25, 2013.

A valid entry must comply with the following content limitations:

  • Entries may not use trademarked material, logos, domains, images and any content that does not belong to the entrant. Any use of unauthorized content will automatically disqualify the entry.
  • Entries that are lewd, obscene, pornographic, or otherwise contain objectionable material will be disqualified at PhishMe’s discretion.

Prize

The contest winner will be announced on July 31, 2013 at PhishMe’s booth at the Black Hat Expo and simultaneously via PhishMe’s Twitter and LinkedIn accounts. The contest winner must reply to our Twitter or LinkedIn accounts to be eligible to claim the prize, a Google Nexus tablet.

The Phish Chain: Phishing Attack from Start to Finish

A few years ago, Computer Security Intelligence expert, Mike Cloppert discussed the Cyber Kill Chain, the process through which a cybercriminal uses malware to attack the victim. In a recent webinar titled “How to Use Email-based Threat Intelligence To Catch a Phish,” Securosis’ Mike Rothman applied Cloppert’s methodology to how cyberattacks work in the instance of a phishing attack.

The kill chain begins with weaponization and ends with monetization, the point at which credentials are stolen. In this post, we’ll dig into the Phish Food Chain, as explained by Mike Rothman and discuss how cybercriminals utilize this process to attack your brand. Let’s take a closer look at how Rothman took Cloppert’s work with the kill chain and applied it to phishing.

Leverage

Step 1: Reconnaissance

Reconnaissance is all about leverage. Phishers are seeking large consumer brands, that have a broad base of customers that they can target. Think about it, why go after 100 people when you can go after 100 million people? These are the kind of attacks where you see the big brands targeted – the companies who have the broadest array of customers.

Phishing Kits

Step 2: Weaponization

Weaponization occurs in the form of phishing kits. Phishing kits are pre-packaged attack materials targeted at a specific brand, containing all of the files, malware and materials that a phisher would need to launch an attack against a specific brand. As soon as the phisher uses these materials to launch a phishing website, they are officially “in business” (and on their way to putting you out of business).

Spam Filter Evasion

Step 3: Delivery

Delivery aims to evade spam filters. This is the point at which phishing email is delivered to its target.

Advanced Malware Attacks

Step 4: Exploitation / Step 5: C2 (Command & Control)

Exploitation and command and control has everything to do with advanced malware attacks so that they’re using fairly advanced malware to gain presence on those devices to take advantage of vulnerabilities.

Monetize

Step 6: Exfiltration

This is where the monetization takes place. Phishers acquire credentials that allow them to access the resources that they are seeking in the phishing attack.

Build Phishing Countermeasures to Protect Your Brand

Corporations fight phishing each and every day. Large and recognizable financial institutions, retail companies, internet service providers/telecommunication companies are among those most heavily targeted victims of phishing.

While the aftermath of a phishing attack is costly and yields long-term consequences, it’s quite difficult to keep up with cybercriminals. It’s shockingly easy for cybercriminals to create a phishing site targeted at your brand, so easy that the cybercriminal simply needs to unpack and upload a pre-built “phishing kit” in order to create a new phishing website. Just one phishing kit can produce hundreds of phishing URLs.

With just a few clicks of the mouse, the cybercriminal attacks your brand, sending you scrambling to “take down the site.” One-by-one you take down each individual website, costing your brand time, money and reputation. As you take down, he creates. It’s a never-ending battle. In our data, we’ve found that it is often the case that the same attacker is using this method to attack several institutions or companies within the same industry over a period of several months or years.

While the term “big data” is both ambiguous and overused, it defines the new frontier in the fight against phishing. Data sourced from hundreds of phishing sites targeting hundreds of brands is analyzed to identify trends, which allow us to build more effective strategies to fight cybercrime and prevent future phishing attacks.

Below we’ll discuss how to use phishing intelligence to build more effective countermeasures to protect your brand from attackers:

  1. Isolate a single attacker. Instead of taking down each phishing site one-by-one, what if you could go directly to the source and stop the criminal in his tracks? Analyzing phishing data allows us to gain clues as to how the criminal operates. For example, in a recent analysis of phishing attacks targeting large financial institutions, we found one particular criminal who had created 604 phishing sites with a single phishing kit, 390 of which were hosted on a single IP address. We call this a “clue.” Using this data, we’re able to identify several details about the criminal, often including email addresses and social media profiles. If you could identify an attacker that’s behind multiple attacks against your brand, how would that change the way that you approach phishing in your organization?
  2. Identify the monetization path. Another important component of building effective countermeasures against cyber attackers is to take a close look at the monetization path. It’s critical to understand the motives behind the attack (is the attacker money-motivated in the first place?) and how he has constructed his scheme to put your money in his pocket. Understanding the process is a key step in building future strategies and barriers to stop cybercriminals in their tracks.
  3. Build barriers. Using intelligence and patterns that you’ve identified, build barriers to protect your brand against future cyber attacks in order to identify threats early and stop criminals from leaving a stealing from your customers.

Have you used phishing intelligence to build effective countermeasures against cybercriminals? Share your insight in the comments below.

Do young employees present a phishing risk?

Spring. For some it signals rejuvenation, rebirth, everything blooming…but for security administrators it can mean new security risk. Spring means that the next round of college seniors will be entering the workforce soon, which for phishers means a fresh group of targets. Hopefully their college educations have prepared them for the majority of challenges they will face, but when it comes to phishing that is unlikely. The types of phishing emails students and consumers receive are quite different from what employees receive, and without training, young employees can’t be expected to avoid tactics they haven’t seen.

2-factor authentication wouldn’t have prevented AP Twitter hack

When a hacked Twitter account spreads false news of an explosion at the White House and causes hysteria that spurs a 140 point drop in the stock market, it should encourage calls for Twitter to bolster its security measures, so it’s no surprise that many are clamoring for Twitter to offer 2-factor authentication. One problem with this – news outlets are reporting that hackers gained access to the AP’s account through a phishing attack. While 2-factor authentication makes it more difficult to phish an account, it will not prevent this type of attack from being successful (nor will a more complex or longer password for that matter).

How to defend against longline phishing attacks

A report from ProofPoint released at the RSA conference discussed what is supposedly a new phishing technique dubbed “longline” phishing.  The report touts “longlining” as the newest way criminals are sending phishing emails in efforts to bypass technical controls.  Mass customization of emails allows criminals to fly under the radar of most email filters and successfully deliver spear-phishing emails to a larger number of email users at a single organization.  This tactic combines the best of both worlds from the criminal’s standpoint, but it doesn’t really change the game in terms of defending against phishing attacks, as your users still provide the most effective line of defense against the phishing threat.

Whether “longline” phishing is actually a new type of attack or not, Security Officers should focus on the fact that adversaries will continue to modify their attack strategies to circumvent or evade technical controls in an attempt to directly exploit humans. This is why it’s increasingly critical for organizations to invest in proven and effective behavioral change programs that educate users about the attacks that target them.

The New York Times breached… a PhishMe Sales Pitch?

Most of you are probably aware of the breach that occurred at the New York Times. Employee passwords and sensitive information related to an investigative news story covering the finances of Wen Jiabao, China’s Prime Minister, were compromised. The New York Times’research helps give them a competitive advantage in their industry, it is their proprietary information. It is the equivalent to the theft of financial reports, blueprints and customer data.

The headlines roll in…  The NYTimes breached by spear-phishing! Symantec AV fails to detect attackers! In an official press release, Symantec says, “Anti-virus software alone is not enough.” Later, the CEO of the incident response firm hired to respond to the NYtimes news goes to Bloomberg TV to say that these attacks are rampant and that the group responsible for the breach has been active in nearly 100 other organizations.  In that same interview he says that the attack (spear-phishing) is not unique.

This sounds like the type of story PhishMe would pounce on and twist into an obvious sales pitch right?  Security Technology Fail; Spear Phishing is “rampant” ergo you need the PhishMe training method to change employee behavior regarding email safety.

Planes, Trains, Automobiles and… Spear Phishing?

With 2013 upon us, it will be a busy year at PhishMe, as we are already scheduled to appear at around 70 events. That means another year of heavy traveling for our sales and marketing team. While it’s definitely exciting to visit new places and introduce new people to PhishMe, as with anything else in life, there are risks involved. Does your organization have employees that travel frequently? If so, they are probably being targeted by phishers.