‘Old School’ email social engineering or data-entry phishing is an attack method that has been on the rise in recent months, notably employed by the Syrian Electronic Army to hack seemingly every major media outlet in the Western hemisphere, and possibly responsible for other high-profile breaches.
A Target spokesperson confirmed last week that attackers initially gained access to the company's systems through credentials stolen from a vendor. Target has not confirmed how the credentials were stolen, but one plausible scenario is that the attackers sent a spear-phishing email to the vendor, harvested valid credentials for Target's systems, and used them to gain a foothold in Target's network.
Data-entry spear-phishing emails contain a link that takes the recipient to a web page that imitates a genuine corporate or commercial site and asks for login information. Despite their pervasiveness and high success rate, data-entry phishing emails seeking login credentials and other sensitive information have been a secondary concern for enterprises, which have been more worried about phishing emails that carry out drive-by attacks (through a malicious link) or malware attacks (through an attachment).
Just 18 months ago, I asked 15 CISOs to rate the three aforementioned attack methods in order of severity. The results were interesting, with half rating drive-by as the most severe threat while the other half was most concerned with malware. Every CISO rated data-entry as least important.
Why has this attack method flown under the radar? Because data-entry phishing requires no malware, it is entirely possible to fall victim to it and never realize it: the victim types credentials into a convincing page, is perhaps redirected to the real site, and sees nothing wrong. With no malicious file or payload to inspect, these attacks routinely pass undetected through technical controls such as sandboxing, network monitoring, and next-generation endpoint software, all of which are built to spot malware rather than a legitimate-looking login.
Once attackers hold valid credentials for the network, their activity is difficult to distinguish from a legitimate user's. With those credentials they can often pull large amounts of data from overly permissive file shares, search for other devices with weak or default credentials, and possibly escalate privileges to dump entire username/password databases that grant continued access later. Because this activity looks like an insider at work, breaches caused by data-entry phishing are often attributed to insiders. Is it really an inside job if the attacker got in through a spear phish? From an attacker's perspective, which is easier: researching social media to craft a spear-phishing email, or recruiting an actual insider within the organization?
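The two paragraphs above argue that, with no malware to catch, the only footprints a stolen-credential intrusion leaves are behavioural: a login from somewhere the account has never logged in from, followed by unusually heavy access to file shares. The following script is an added example (my own illustration, not PhishMe's tooling or anything from the Target investigation) of what a first-cut detection over authentication and share-access logs can look like. The log format, host names, user names and thresholds are all assumptions; the sample lines are constructed for this example.

```python
"""Credential-misuse detection over constructed authentication and
file-share logs. Added example, not PhishMe's or any vendor's tooling:
it looks for the two footprints a stolen-credential intrusion leaves
even when no malware is present, a login from a source the account
has never used, and a burst of file-share reads shortly afterwards."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   <ISO timestamp> <user> <event> <source-ip | share path>
# (format, hosts and users are assumptions for this illustration).
SAMPLE_LOG = """\
2014-01-10T08:02:11 jsmith LOGIN 10.1.4.22
2014-01-10T08:05:40 jsmith SHARE_READ //fs01/finance/q4-budget.xlsx
2014-01-11T08:01:03 jsmith LOGIN 10.1.4.22
2014-01-11T08:30:12 mlee LOGIN 10.1.7.9
2014-01-11T09:10:55 jsmith SHARE_READ //fs01/finance/invoices.pdf
2014-01-12T02:14:09 jsmith LOGIN 203.0.113.77
2014-01-12T02:15:01 jsmith SHARE_READ //fs01/finance/q4-budget.xlsx
2014-01-12T02:15:03 jsmith SHARE_READ //fs01/finance/invoices.pdf
2014-01-12T02:15:04 jsmith SHARE_READ //fs01/finance/payroll.csv
2014-01-12T02:15:06 jsmith SHARE_READ //fs01/hr/employees.xlsx
2014-01-12T02:15:09 jsmith SHARE_READ //fs01/hr/salaries.xlsx
2014-01-12T02:15:12 jsmith SHARE_READ //fs01/legal/contracts.zip
"""


def parse(log_text):
    """Parse log lines into (timestamp, user, event, detail), time-ordered."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, event, detail))
    events.sort(key=lambda e: e[0])
    return events


def detect(log_text, window=timedelta(minutes=10), burst_threshold=5):
    """Return alerts for never-seen login sources and share-read bursts.

    The "new source" rule is a first-seen heuristic: an account's very
    first login seeds its baseline and is not flagged. Legitimate travel
    or a new VPN egress will trip it too, so treat the alert as a reason
    to confirm with the user, not as proof of compromise.
    """
    seen_sources = defaultdict(set)    # user -> login sources observed so far
    recent_reads = defaultdict(deque)  # user -> SHARE_READ times inside window
    alerts = []
    for when, user, event, detail in parse(log_text):
        if event == "LOGIN":
            if seen_sources[user] and detail not in seen_sources[user]:
                alerts.append({"user": user, "when": when,
                               "reason": "new_source", "detail": detail})
            seen_sources[user].add(detail)
        elif event == "SHARE_READ":
            reads = recent_reads[user]
            reads.append(when)
            # Drop reads that have aged out of the sliding window.
            while reads and when - reads[0] > window:
                reads.popleft()
            # Alert once, at the moment the burst reaches the threshold.
            if len(reads) == burst_threshold:
                alerts.append({"user": user, "when": when,
                               "reason": "share_burst",
                               "detail": f"{burst_threshold} reads within {window}"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["when"].isoformat(), a["user"], a["reason"], a["detail"])
```

Run against the sample log it raises two alerts for jsmith: the 02:14 login from 203.0.113.77, a source that account has never used, and the fifth share read within ten minutes of it. Neither the earlier daytime logins from 10.1.4.22 nor mlee's first login (which seeds that account's baseline) is flagged. In production the baseline would be seeded from history rather than from the stream itself, and the source check would normally be on geolocation or ASN rather than a raw address.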
Many in the security industry have identified two-factor authentication as a way to mitigate this threat; however, as Aaron pointed out last spring, two-factor authentication will not prevent phishing: a phishing page can prompt for the one-time code just as it prompts for the password and relay both to the real site while the code is still valid. Even if 2FA did stop phishing, implementing it across the board in a large enterprise is cost prohibitive and a logistical nightmare. This isn't to say that 2FA won't improve security, but it isn't a panacea.
The same goes for technologies that take down phishing websites. At best these services offer takedown lead times of 4 to 8 hours, and it can often take longer, particularly if the site's domain is registered in an uncooperative country or the site is hosted on a subdomain of a large provider. In PhishMe's experience running simulated phishing attacks, most recipients interact with emails within minutes or even seconds of delivery, so even a quick takedown in 4 hours can be too late.
As I described in this guest posting on the MANDIANT blog a couple of months ago, the human sensor can work wonders, especially in such malware-less attacks, by providing real-time intelligence.