Four Ways Phishing Has Evolved in 2014

Phishing isn’t exactly a new kid on the block. Phishing is one of the most common email-based threats. It is a tried and tested tactic that continues to deliver impressive results for cybercriminals. That’s why phishing continues to grow in popularity. In the month of June 2014 alone, phishing activities totaled $400 million in losses, which could be annualized at $102 million per year.

While it has been around for years, phishing has evolved considerably and has increased in efficiency and effectiveness. In the last six months (as compared to 2013), we’ve seen several differences in the type, size and sophistication of phishing attacks. In this post, we’ll explore the notable differences in the modern phish and discuss new phishing trends that we have seen in 2014 thus far.

#1:  There has been an increase in application-targeted attacks.

One of the primary trends that we are seeing in the phishing space, are attacks directed at commonly-used applications like Google Docs, Gmail or Yahoo. In the past, we saw a lot of big brands being attacked. However, today’s criminals are now going after things that are not directly related to the target company. The reason for this is the prevalence of password reuse. While large banks have improved their phishing defenses, personal email accounts provide a channel through which cybercriminals can gain access to individual bank accounts.

This trend is not limited to email programs, however. Considering that financial institutions have increased their defenses, cybercriminals are looking elsewhere and are diversifying their attacks. File sharing websites like Dropbox are major targets, as cybercriminals are able to use bogus links to intercept usernames and passwords. There has also been an increase in attacks targeting industries such as gaming, logistics and travel.

#2: Smaller brands are now being targeted.

While large brands still get a lot of attention, small brands, such as charities, are increasingly on the radar of cybercriminals. Similarly, there are also a lot of university phish. This trend began in 2013, but it has become more prevalent this year. Again, these brands provide a gateway for password reuse that allows cybercriminals to gain access to other things.

Targeted attacks against alumni have also become common in the university space. In most cases, the phisher will attempt to gain control of a university email account in order to reach out to trusted parties (such as boards of directors).

 #3: Attack frequency has increased, but size has decreased.

The number of attacks has increased, but the average size of a typical attack has dipped. While those “monster” attacks still exist, most phishing emails are now sent to a fewer number of targets than we saw last year.

#4: Phishing Emails are more believable.

Phishing emails are now much more sophisticated. We’re seeing fewer spelling mistakes and more professionalism in email design, which make the email campaigns much more believable and likely to be successful. Commoditization is driving down prices of phish kits, resulting in a much higher quality presentation.

In summary, each of these trends reflect that fact that cybercriminals are very opportunistic. Today’s cybercriminal is more professional and targeted than ever before. Not only does phishing persist as an attack method, it is increasingly more successful.

How does your organization plan to address the rise in phishing activity? Share your comments below.

Small but powerful — shortened URLs as an attack vector

Using tiny URLs to redirect users to phishing and malware domains is nothing new, but just because it’s a common delivery tactic doesn’t mean that attackers aren’t using it to deliver new malware samples. We recently received a report of a phishing email from one of our users here at PhishMe that employed a shortened google URL, and led to some surprising malware.

Through the power of user reporting, we received the report, discovered the malicious nature of the shortened URL, and reported the issue to Google – all within a span of 30 minutes. Google reacted quickly and took the link down shortly after our report.

Attackers using Dropbox to target Taiwanese government

While we have previously mentioned cyber-crime actors using Dropbox for malware delivery, threat actors are now using the popular file-sharing services to target nation-states. According to The Register, attackers targeted a Taiwanese government agency using a RAT known as PlugX (also known as Sogu or Korplug).

From an anti-forensics perspective, PlugX is a very interesting piece of malware. One of the main ways it loads is by using a technique similar to load order hijacking.

Dyre Banking Trojan: What You Need to Know

Beware of the Dyre banking Trojan! – A new malware threat that steals financial information such as login credentials. News of rhe Dyre banking Trojan has been circulating the web recently, following its discovery.

Dyre or Dyreza as it is also known exhibits classic banking Trojan behaviors such as using “man-in-the-middle” attacks to steal private information from victims. It is also being used on customers of certain banks in targeted attacks.

PhishMe identified this new malware on June 11, 2014. The Trojan is distributed via spam email messages that used similar email templates to other banking Trojan and malware distribution campaigns. Rather than infection occurring via a malicious attachment, the messages contained a link to a file hosted on Cubby.com: A free cloud storage provider. This campaign follows a recent trend in which cloud-hosting providers such as Cubby.com and Dropbox are used to host the malicious payloads.

As others within the blogosphere have noted, the Dyre banking Trojan is unique and represents a new type of malware being used by cybercriminals to steal banking credentials. Despite this novelty, its basic functionalities follow those that have long been employed by malware authors to exfiltrate private information from compromised systems. It’s a case of “the more things change, the more they stay the same.”

The Dyre banking Trojan works by ensuring that its hostile code is linked to the code of the victim’s web browser. As victim’s browse the Web, their web browser is effectively turned against them. This is part of the classic “man-in-the-middle” attack used by many malware types, including the prolific and notorious Zeus banking Trojan. As seen below, the binary data from this hostile code references browsers by name.

Part of the functionality is provided by “hooking” this malicious code into the browser’s runtime. Malicious actions then occur when the victim visits specific URLs or domains. This method has been seen before. Zeus Trojan variants and other banking Trojans such as Cridex use similar tactics. This can be seen in the malicious code itself as a list of URLs for popular banking websites, including the following:

  • businessaccess .citibank .citigroup .com/assets/
  • cashproonline .bankofamerica .com/assets/
  • www .bankline .natwest .com/
  • www .bankline .rbs .com/
  • www .bankline .ulsterbank .ie/

The “hooking” and the focus on a set of banks are examples of ways in which this new banking Trojan reuses methods common to many other types of malware. These methods are expected of many modern banking Trojans and are not out of the ordinary.

How is this threat actor likely to attack your organization? The source code of the malware provides a clue—in fact, it is the source of the name “Dyre”.

The hostile code “hooked” to browser processes by the malware contains a reference to the location of a “.pdb” or program database file. Compilers store data for debugging using this file type. More important to those seeking threat intelligence, it provides some information about how the malware writer or writers created this malicious software.

In the fight against malware distributors, knowledge is a powerful weapon. Leveraging actionable threat intelligence gives you the opportunity to identify the source of the infection. Armed with that information it is easier to mitigate the threat. PhishMe analyses these and other threats and uses the information to deliver active threat reports to help organizations take fast action to prevent malware attacks.

Machine-readable threat intelligence (MRTI) is provided in multiple formats to ensure that organizations are better prepared for malware and phishing attacks, thus preventing them from disrupting business processes and causing financial harm. Of course, not all organizations require threat intelligence to be fed through other systems. We also provide human-readable reports on the latest threats, allowing deeper analysis of the latest, and most serious threats. After all, being forewarned is being forearmed.

Project Dyre: New RAT Slurps Bank Credentials, Bypasses SSL

When analyzing tools, tactics, and procedures for different malware campaigns, we normally don’t see huge changes on the attackers’ part. However, in the Dropbox campaign we have been following, not only have the attackers shifted to a new delivery domain, but they have started to use a new malware strain, previously undocumented by the industry, named “Dyre”. This new strain not only bypasses the SSL mechanism of the browser, but attempts to steal bank credentials.

What we’re reading about the Chinese hacking charges

While the full implications from yesterday’s DoJ indictment of five Chinese hackers on charges of cyber crime are yet to be fully seen, these charges have already succeeded in elevating cyber crime from a niche discussion to an important debate in society at-large.

Furthermore, just as last year’s APT1 report did, the court documents provide a detailed glimpse at the tactics China is using to steal trade secrets from the world’s largest corporations (not surprisingly, phishing continues to be the favored attack method).

There has been a lot of media attention on this story, so we’ve put together a list of some of the most interesting content we’ve seen so far:

Dark Reading: ‘The New Normal’: US Charges Chinese Military Officers with Cyber Espionage

Pittsburgh Tribune-Review: Cybercrime case names U.S. Steel, Westinghouse, Alcoa as victims

The Wall Street Journal: Alleged Chinese Hacking: Alcoa Breach Relied on Simple Phishing Scam

The Los Angeles Times: Chinese suspects accused of using ‘spearphishing’ to access U.S. firms

Pittsburgh Business Times: Hackers posed as Surma on email to access U.S. Steel’s computers

Ars Technica: How China’s army hacked America

CNN: What we know about the Chinese army’s alleged cyber spying unit

The New York Times: For U.S. Companies That Challenge China, the Risk of Digital Reprisal

The Wall Street Journal: U.S. Tech Firms Could Feel Backlash in China After Hacking Indictments

The Washington Post: China denies U.S. cyberspying charges, claims it is the real ‘victim’

Mandiant: APT1: Exposing One of China’s Cyber Espionage Units

@higbee

There’s threat data and then there’s threat intelligence, do you know the difference?

The intelligence-led security approach is gaining traction in corporate security circles.  However, we’ve noticed that the term threat data is often confused with threat intelligence.

It’s an easy mistake to make, yet very important to distinguish between the two – one represents the “old way of doing things,” while the other brings about a new era in corporate security and brand protection. In this article, we’ll discuss threat intelligence and how it differs from threat data.

The Difference between Threat Intelligence and Threat Data

#1: Threat intelligence is verified. Threat data is just a list.

Modern threat intelligence has been verified, while traditional threat data is a list of random data points, such as IP addresses or URLs.  Verified intelligence without false positives produces actionable intelligence that security professionals can rely on to protect their brands from cybercrime.

#2: Threat intelligence is actionable. Threat data is noisy.

Modern threat intelligence gives you enough information for you to take swift and immediate action to stop a threat. Threat intelligence allows you to bring together your network and people with the solution. Rather than “educate” machines with threat data, threat intelligence relies on the analysis and action of your human capital in order to drive success.

Threat data, on the other hand, has a high signal-to-noise ratio. The majority of data found on traditional lists is meaningless and it requires a large effort to sift through high volumes of data to find something meaningful.

#3: Threat intelligence is reliable. Threat data is full of false positives.

Threat intelligence provides a clear picture of what is really going on because it has been filtered to remove information that is not directly relevant to protecting the brand. True threat intelligence has been analyzed, vetted and tested – binaries clicked, URLs followed, threats detonated in sandbox environments. Traditional threat data contains many false positives, false URLs, dead URLs, dead IP addresses.

If an organization is working with old school threat data, then they’re just importing white lists, gray lists, or black lists. They’re going to be chasing ghosts for a good bit of their career, trying to find out what’s there and what’s not.

Threat data has bad habit of constantly crying wolf.  After a while, you stop believing the kid crying wolf.  Then, you stop worrying if there’s a wolf there.  If you have actionable intelligence, however, you know where the wolf is every time.

Top Phishing Concerns of DNS Providers

Twitter and the New York Times were hacked this week, which means that they have officially joined the ranks of other major news organizations, including the Financial Times and Washington Post who have been targeted by hackers over the past few months.

So, how’d it happen?

Three things: hacker groups, DNS providers and spear phishing.

The Syrian Electronic Army (SEA) appears to be taking credit for this attack, as their logo was prominently displayed at NYTimes.com when the site was compromised. The SEA, a hacker group, protesting Syrian President Bashar Al-Assad, launched the attack in order to generate high profile awareness of their political agenda.

Why DNS Providers Are Targeted by Cybercriminals

The nature of this attack is consistent with several other cyberattacks that have recently taken place, in that the DNS Provider was targeted in order to carry out the attack. Melbourne IT, the New York Times’ registrar, was the victim of a spear phishing attack that successfully provided members of the SEA with access to the Times’ DNS Manager. DNS providers are among the most targeted businesses by cybercriminals, ranking alongside large financial institutions and major retailers as lucrative targets. There are two primary reasons for this:

  1. By gaining access to a customer account, DNS records can be changed to whatever the cybercriminal wants them to be.
  2. Gaining access to the DNS Provider’s employee accounts gives the cybercriminal access to several different domains, creating an opportunity to launch a large-scale attack.

Top Phishing Concerns of DNS Providers

  • Spear Phishing is increasing in frequency. A spear phishing attack happens when cybercriminals launch a targeted attack against specific individuals who they feel can give them access to the information, credentials or infrastructure that they need to carry out their attack. In the instance of the New York Times attack this week, a spear phishing attack was launched against employees of a reseller of Melbourne IT.
  • Hacktivism is becoming part of the “new normal” when it comes to the cybersecurity landscape. In attacks such as this, the goal is not to obtain customer credentials and access account information to procure funds. Instead, the goal is exposure. As Sun Tzu states, know your enemy.
  • Brand Loyalty/Customer Relationships suffer even if just one attack is successful. If a DNS provider fails to protect customer accounts from being accessed by cybercriminals, customer loyalty will be damaged and brand integrity will suffer long-term consequences.

What DNS Providers Can Do

The most important thing that DNS providers can do is focus on email.

When it comes to launching these attacks, cybercriminals almost always launch a phishing attack via email. That’s why email-based threat intelligence is so important. If you are using security intelligence appropriately, you can identify the source of a threat and even stop an attack before it happens.

Additionally, it’s important to take a look at which players in your organization have access to information that could be appealing to cybercriminals. There is another word for these employees: targets. Adjust the security level for these folks to provide additional protection against these kinds of attacks.

Share your thoughts. How can DNS providers protect themselves against phishing?

An untapped resource to improve threat detection

Speaking in front of the House Committee on Special Intelligence earlier this year, Kevin Mandia (CEO of Mandiant) remarked that, “One of the most valuable resources in detecting and responding to cyber attacks is accurate and timely threat intelligence.”  Despite its value, many organizations don’t have a way to get timely threat intelligence.

How can organizations improve in this area? If you know anything about us, it probably won’t shock you that we’re encouraging enterprises to focus on their users as a source of real-time threat intelligence. Given that the vast majority of targeted attacks focus on the end user as the primary point of entry, many compromises go through employees first, making them a potential (and largely untapped) source of intelligence about threats. Up until now, however, we’ve focused solely on the end user’s ability to recognize cyber attacks. We’ve proven users can be trained to improve their behavior toward phishing attacks, and we believe they are capable of more.