What's Scaring IT The Most? Spear-phishing

FP Archives February 2, 2017, 23:49:27 IST

Hackers are increasingly looking to steal source code, intellectual property and financial information.

Spear-phishing is a huge concern for today’s governments and enterprises. While high-profile incidents like the spear-phishing attack against the White House and last year’s attack against Oak Ridge National Laboratory underscore the risk to government agencies, today’s businesses are also primary victims. Hackers are increasingly looking to steal source code, intellectual property and financial information.

In light of these incidents, the Websense Security Labs collected data from the ThreatSeeker Network and analysed it using its Advanced Classification Engine to identify the top trends in phishing today. These include dramatic shifts in attack strategy, new security evasion tactics and an evolution of the targeted threat model.

From Spam To Phish

To begin talking about phishing, you must first look at email security trends in general, and this usually begins with a discussion of spam.

Spam, often used as the first stage in many attacks, is sent in huge volumes to ensure penetration before signatures and other updates can be created by vendors or deployed by customers. 92 percent of email spam contains a URL.

The total percentage of spam that can be categorised as leading to a traditional phishing site is approximately 1.62 percent.

While this may not seem huge, it can be put into perspective by the fact that spam campaigns can reach more than a quarter of a million emails per hour, and that the percentage of virus-related email spam was only 0.4 percent. Phishing attempts outnumber malicious executables in email volume.

The majority of these broad phishing attacks share a link to fake web landing pages to steal users’ login credentials. Where are these phishing sites hosted? Websense research indicates that a large portion of these sites is hosted in the United States. This doesn’t mean that the majority of phishing criminals are in the U.S.; it is more likely a reflection of available bandwidth and server infrastructure.

Security As Social Engineering

Increasingly, attackers are using an individual’s fear of compromise against them. In this way, they have taken advantage of a tactic employed so successfully by fake, or rogue, AV peddlers.

How many times have you been browsing a web page and got a pop-up warning you that your computer is compromised? Most of us now know that these pop-ups are the result of a fake AV scam, and many of us have been conditioned not to click on them. However, if you receive a security alert email that looks like it comes from an organisation you have a relationship with, such as a bank or a social network you are a member of, you may be more likely to click. In this example, you can see how accurately the page components replicate a real site, right down to the security warning to “Stay alert!”

Increasingly, phishers are using security notifications and alerts in their lures. In fact, after analysing the most recent quarter of this year, Websense Security Labs has determined that four of the top five phishing subject lines by volume are security messages.

These types of attacks represent the largest volume of recent subject lines designed to lure in victims.

Top five phishing email subject lines:

1. Your account has been accessed by a third party
2. (Bank Name) Internet Banking Customer Service Message
3. Security Measures
4. Verify your activity
5. Account security Notification

But I work in a business, you say… we have an email security system in place that inspects for viruses and does some rudimentary URL scanning…

Dodging The Cops: New Phishing Security Evasion Techniques

A disturbing new twist on targeted attacks has started to emerge this year that directly affects professionally managed networks. If we look at the days of the week when most phishing emails are sent, there is a huge uptick in volume on Fridays, Sundays and Mondays.

Most phishing emails are sent on Fridays, followed by Monday and Sunday.

The bad guys have learned that they can evade email security measures by sending an email with a clean link on Friday or over the weekend – bypassing email URL scanning. Then, over the weekend they compromise the URL with malicious code.

The bad guys know potential victims’ behavioural patterns. They know workers’ minds can stray on Fridays in a more relaxed setting. Relaxation and anticipation of the weekend can lead to more web browsing and an increased likelihood of clicking on links in emails. Similarly, stricken by a case of the Monday blues, workers are also more likely to wander. By studying these behavioural elements, phishers know that they can increase their success rate. These guys are masters of lures and of understanding their subjects.

But they don’t just study their subjects, they study the security deployed to protect employees. This is also significantly increasing the volume of email sent late on a Friday and on Sunday.

A typical attack of this type would have the bad guy doing the following:

1. Find a URL that can be easily compromised… but do nothing at that time. Leave it ‘as is’ for now.

2. Craft an email that will not trigger spam, AV or other security measures based on its content, but include links to the currently ‘safe’ URL. Since they typically pretend to be something legitimate, it is best to simply copy a legitimate message… and only change one link to the ‘safe’ URL.

3. Send the email over the weekend, or late at night, so email defenses will approve the email and deliver it into the user’s mailbox.

4. Just before you believe employees will begin accessing email, compromise the URL and install that part of the attack strategy.

Evasion techniques like these help when hackers are going for the big game – spear-phishing employees with access to a specific network or data or whale phishing, the targeting of executives at companies.

Spear-phishing: The CSO Nightmare

Spear-phishing is one of the most pressing issues IT officers face today, and one they feel the least confident addressing.

Spear-phishing by definition isn’t a widely cast net. Instead, the attackers use well crafted lures that incite a group or an individual’s urge to click. They are essentially socially engineering their victims onto the spear. Many of the targets of spear-phishing may also have an awareness of security initiatives in place, and may unwittingly rely more heavily on them.

Three Ways To Stop Spear-phishing

Websense recommends a three-pronged approach designed to stop 95-99 percent of spear-phishing attempts:

Employee education: The human element is incredibly important. Employee education is fundamental to preventing a spear-phishing attack. Consider pen-testing your users. Show them why they need to think before they click. Also, use a combination of audio and visual education methods like videos, webinars, newsletters and in-person training.

Inbound email sandboxing: The most important control for stopping spear-phishing is to deploy a solution that checks the safety of an emailed link when a user clicks on it. You need to have URL sandboxing technology in place that analyses website content and browser code in real time.

Real-time analysis and inspection of your Web traffic: Stop malicious URLs from even getting to your users’ inboxes at your gateway. Even if you have inbound email sandboxing, some users might click on a link through a personal email account, like Gmail. In that case, your email spear-phishing protection is unable to see the traffic. Your web security gateway needs to be intelligent, analyse content in real time, and be 95+ percent effective at stopping malware.
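The delayed-weaponisation sequence described above (a link that is clean when the mail is scanned and compromised before staff read it) is exactly what the click-time URL check in the second recommendation is meant to catch. The following Python simulation is an added example, not Websense code or part of the original article: it contrasts a gateway that scans links once at delivery with one that rewrites links so they are re-checked at the moment of the click. The sample email, the `.invalid` domains and the `ReputationFeed` class are all constructed placeholders.

```python
import re
from urllib.parse import quote, unquote

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample: a legitimate-looking notice with a single link, as the
# article describes. The domain is a reserved placeholder, not a real host.
SAMPLE_EMAIL = """Subject: Security Measures
Your account has been accessed by a third party. Review recent activity:
https://notice.example.invalid/review
"""


class ReputationFeed:
    """Toy stand-in for a URL reputation/sandbox verdict. Its state flips when
    the linked page is compromised after the mail has already been delivered."""

    def __init__(self):
        self.malicious = set()

    def verdict(self, url):
        return "malicious" if url in self.malicious else "clean"


def scan_at_delivery(body, feed):
    """Gateway that checks each link once, on arrival (the control being bypassed)."""
    return {u: feed.verdict(u) for u in URL_RE.findall(body)}


def rewrite_links(body, checker_base):
    """Rewrite every link so a click is routed through a checker first."""
    return URL_RE.sub(lambda m: f"{checker_base}?u={quote(m.group(0), safe='')}", body)


def check_at_click(rewritten_url, feed):
    """Click-time check: recover the original URL and re-evaluate it now."""
    original = unquote(rewritten_url.split("?u=", 1)[1])
    return ("block" if feed.verdict(original) == "malicious" else "allow", original)


def simulate():
    feed = ReputationFeed()
    link = URL_RE.search(SAMPLE_EMAIL).group(0)
    # Friday night: the page is still clean, so the delivery-time scan passes it.
    delivery_verdict = scan_at_delivery(SAMPLE_EMAIL, feed)[link]
    safe_body = rewrite_links(SAMPLE_EMAIL, "https://clicksafe.example.invalid/check")
    # Monday morning, before staff open their mail: the page is now compromised.
    feed.malicious.add(link)
    click_decision, _ = check_at_click(URL_RE.search(safe_body).group(0), feed)
    return delivery_verdict, click_decision  # ("clean", "block")
```

Running `simulate()` shows the delivery-time scanner reporting the link as clean while the click-time check blocks the same link once it has turned malicious.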

Written by FP Archives
