Targeted spear phishing attacks

Summary: A colleague of mine, Dave Wong, from Ernst & Young's Advanced Security Center in New York, pointed me to a really interesting article on targeted spear phishing attacks by John Markoff of the New York Times.  Phishing has been really interesting to me lately, as I've seen a wave of discussions, black hat presentations, and technologies abound that deal with phishing and identity theft.


A colleague of mine, Dave Wong, from Ernst & Young's Advanced Security Center in New York, pointed me to a really interesting article on targeted spear phishing attacks by John Markoff of the New York Times.  Phishing has been really interesting to me lately, as I've seen a wave of discussions, Black Hat presentations and technologies that deal with phishing and identity theft.  In fact, this article comes just one day after I watched another colleague, Nitesh Dhanjani, give a presentation to a Security Interest Group here in Chicago, organized by Kevin Richards of Ernst & Young and attended by numerous large companies from the Midwest.  The phishing and identity theft talk that Nitesh gave really raised some eyebrows, especially when he discussed targeted spear phishing attacks.

Phishing has always been a hot topic, but targeted spear phishing is more mature and doesn't involve just dumb e-mail blasts.  The e-mails are aimed at specific, high-ranking individuals at a company, possibly CxOs.  To build the victim's confidence in the message, it usually includes personally identifiable information about them, such as full name, telephone number and position, all of which the attacker has gathered beforehand.

The attack covered by Markoff in his blog is possibly one of the best examples of a targeted spear phishing attack that I've seen.  As Markoff states:

Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number, and commands the recipient to appear before a grand jury in a civil case.

A link embedded in the message purports to offer a copy of the entire subpoena. But a recipient who tries to view the document unwittingly downloads and installs software that secretly records keystrokes and sends the data to a remote computer over the Internet. This lets the criminals capture passwords and other personal or corporate information.

[Image: screenshot of the fake subpoena e-mail, courtesy of John Markoff's New York Times blog]

As Markoff states:

Another piece of the software allows the computer to be controlled remotely. According to researchers who have analyzed the downloaded file, less than 40 percent of commercial antivirus programs were able to recognize and intercept the attack.

A large part of Markoff's article deals with the statistics of the attack and with where it may have come from (of course we're assuming China, although it could have come from the US and been just as devastating and anonymous, so what's the difference?).  I thought it might be interesting to discuss how to avoid this.

Obviously, the number one thing is user awareness.  Unfortunately, the security community has been pushing user awareness for a decade, and attackers simply get less blatant and obvious, which makes this type of attack harder for users to spot.

Of course, all the browsers and Google are trying to implement their own phishing-site blacklisting, but as Nitesh mentioned in his presentation the other day, that's like playing whack-a-mole.  Nitesh did mention that one thing phishing kits do is hot-link images, JavaScript and other resources from the site they are trying to impersonate.  The real site could log the Referer header on requests for those resources and report any referer on a foreign host back to the company, letting it profile phishing sites (possibly even while they are still being built).  The caveat is that the Referer is optional: browsers, proxies and privacy extensions strip it, and a kit author can simply copy the assets instead of hot-linking them, so a foreign referer is a useful signal but its absence proves nothing.
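As an added illustration of the referer idea above (this is example code, not anything from the post, from Nitesh's talk or from any product), the script below scans combined-format web server logs for static assets that were requested with a Referer on a host the company does not own and groups the hits by that host. The log lines, the `example-bank.com` domain and the `secure-login.example.net` kit host are all constructed for the example; requests without a Referer are deliberately ignored rather than counted as suspicious.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed Apache/nginx "combined" log lines for the legitimate site.
# The first is an ordinary visitor; the next three come from a phishing kit on
# secure-login.example.net; one has no Referer; the last is a kit on a bare IP.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Apr/2008:09:01:12 -0500] "GET /img/logo.png HTTP/1.1" 200 5120 "https://www.example-bank.com/login" "Mozilla/5.0"',
    '203.0.113.11 - - [15/Apr/2008:09:01:15 -0500] "GET /img/logo.png HTTP/1.1" 200 5120 "http://secure-login.example.net/bank/index.php" "Mozilla/5.0"',
    '203.0.113.11 - - [15/Apr/2008:09:01:15 -0500] "GET /css/login.css HTTP/1.1" 200 2210 "http://secure-login.example.net/bank/index.php" "Mozilla/5.0"',
    '203.0.113.12 - - [15/Apr/2008:09:02:40 -0500] "GET /login HTTP/1.1" 200 8800 "http://secure-login.example.net/bank/index.php" "Mozilla/5.0"',
    '203.0.113.13 - - [15/Apr/2008:09:03:01 -0500] "GET /js/login.js HTTP/1.1" 200 990 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Apr/2008:09:05:22 -0500] "GET /img/logo.png?v=2 HTTP/1.1" 200 5120 "http://10.0.0.5/kit/Login.html" "Mozilla/5.0"',
]
OWN_DOMAINS = ("example-bank.com",)  # hosts from which referers are expected (assumption)

# ip - - [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Resource types a kit is likely to hot-link from the brand it imitates.
ASSET_EXTENSIONS = (".png", ".gif", ".jpg", ".jpeg", ".css", ".js", ".ico", ".svg")


def referer_host(referer):
    """Lowercase hostname of a Referer value, or None if it is absent or unparseable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_own_host(host, own_domains):
    """True when host is one of our domains or a subdomain of one (not merely a prefix)."""
    return any(host == d or host.endswith("." + d) for d in own_domains)


def find_hotlinking_referers(log_lines, own_domains):
    """Return {foreign_host: Counter({asset_path: hits})} for static assets fetched
    with a Referer we don't own.  Lines with no Referer are skipped: browsers and
    proxies often strip it, so its absence is not evidence either way."""
    findings = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format; ignore rather than guess
        path = urlsplit(m.group("path")).path.lower()  # drop ?query before checking type
        if not path.endswith(ASSET_EXTENSIONS):
            continue
        host = referer_host(m.group("referer"))
        if host is None or is_own_host(host, own_domains):
            continue
        findings.setdefault(host, Counter())[path] += 1
    return findings


if __name__ == "__main__":
    for host, assets in find_hotlinking_referers(SAMPLE_LOG, OWN_DOMAINS).items():
        print(f"{host}: {dict(assets)}")
```

Run against a real log, each reported host is a candidate for a takedown request or for a fraud team to look at; because the referer points at the kit's own page, you usually get the exact URL of the fake login form, sometimes before the first phishing e-mail has gone out.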

One solution I've found quite creative is the use of something like a CAPTCHA for the SERVER to authenticate to the client (traditionally it's the other way around).  Actually, Yahoo! Mail does this: you choose some text or an image, and if you don't see it on a Yahoo! login page, then you know you are being phished.  For this to work the chosen seal has to be remembered per browser, typically in a cookie scoped to the real site, which is exactly why a look-alike site on another domain can't show it; the flip side is that it only appears on the browser where it was set up, and it only protects the users who notice that it's missing.
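To make the mechanism concrete, here is an added example of a minimal "sign-in seal" of the kind described above. It is not Yahoo!'s implementation and not code from the post: the server key, the in-memory seal table, the `login.example.com` host and the look-alike `login.example.com.evil.net` host are all assumptions, and the `browser_cookies` dictionary stands in for a browser's cookie jar so the origin-scoping behaviour can be shown offline.

```python
import hashlib
import hmac
import secrets

# Assumptions for the example: a per-deployment secret and an in-memory table
# standing in for the database that records the seal chosen on each device.
SERVER_KEY = secrets.token_bytes(32)
_seal_store = {}  # device_id -> seal text chosen by the user

NO_SEAL_WARNING = ("No sign-in seal is set up on this browser. "
                   "If you expected to see yours, do not enter your password.")


def _sign(device_id):
    """HMAC over the device id, so an edited or fabricated cookie is rejected."""
    return hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()


def issue_seal_cookie(seal_text):
    """Called once, on the real site, when the user picks a seal.
    Returns the cookie value to set (in production: Secure, HttpOnly, long expiry)."""
    device_id = secrets.token_urlsafe(16)
    _seal_store[device_id] = seal_text
    return f"{device_id}.{_sign(device_id)}"


def seal_for_request(cookie_value):
    """Resolve a seal cookie to its seal text, or None if the cookie is absent,
    forged or refers to a device we never issued."""
    if not cookie_value or "." not in cookie_value:
        return None
    device_id, sig = cookie_value.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(device_id)):
        return None
    return _seal_store.get(device_id)


def login_page(host, browser_cookies):
    """What the login page shows for a request to `host`.
    `browser_cookies` is a constructed stand-in for the browser's cookie jar keyed
    by host: a cookie set by login.example.com is never sent to any other host,
    which is the property that keeps a look-alike site from learning the seal."""
    cookie = browser_cookies.get(host, {}).get("seal")
    seal = seal_for_request(cookie)
    return seal if seal is not None else NO_SEAL_WARNING


if __name__ == "__main__":
    jar = {"login.example.com": {"seal": issue_seal_cookie("blue otter")}}
    print("real site:  ", login_page("login.example.com", jar))
    print("look-alike: ", login_page("login.example.com.evil.net", jar))
```

The cookie holds an opaque device id plus its HMAC rather than the seal itself, so a stolen or guessed cookie value cannot be turned into the seal without the server; the warning branch is the part users have to be trained to take seriously, since a phishing page can always imitate the "no seal set up" look of a fresh browser.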

Of course, the attack reported in the New York Times is far more advanced and isn't really a phishing site so much as an e-mail scam that delivers malware: no login-page trick helps when following the link installs a keylogger.  I'd be interested if anyone had any other ideas on how to prevent this type of phishing/e-mail scam attack.


Topics: Collaboration, Security

  • Federal Subpoena email spam

    It is kind of a whaling attack targeting big fishes in corporate offices like CEOs, top executives and managers.

    "This is one of the best phish e-mails I've seen in the past 6 years," a quote from Mr. Steve Kirsch, a well-known Silicon Valley entrepreneur.

    Remember that it is not legal to send a subpoena via e-mail unless it is agreed to by the people involved. Also, all US Federal courts have URLs of the form ? and not of the form
    ? mentioned in the e-mail. So beware of these kinds of mails. The Abaca Email Protection Gateway service was the only service I know of that quarantined these e-mails.
    victor louis
    • Whaling

      Yeah, I've heard it called both whaling and targeted phishing attacks.

      Interesting legalese... the only problem is, not enough people will know of that ahead of time. I'm really struggling with how this issue would've been prevented.

      • Spearphishing

        I've always preferred "spearphishing" over "targeted phishing" but I must admit that seeing "whaling" for the first time made me chuckle.

        I'll have to consider using that when we present this in-person to our Executives...
        • Yeah, haaha

          I think I was calling it targeted spear phishing. Honestly, I never cared much about phishing until recently, so I'm not sure if I'm using the accurate term... in hindsight though, I wish I had used "whaling"... that's plain hilarious!

  • Abaca's email protection gateway service found subpoena phishing mail

    We use Abaca's email protection gateway service. It actually found the subpoena phishing email and stopped it. Their ReceiverNet technology characterizes each user based on the percentage of spam they receive and then uses those reputations to rate the incoming message flow. You can find more information at
    victor louis
    • RE: Well

      Could you provide a link that shows they did catch this? The NY Times article said only 40% of the software products caught on to it.

      There has to be a solution that is better than hoping some software can prevent it for you... there's just too many variants and profiling there to be comfortable.

  • Education

    [i]I'd be interested if anyone had any other ideas on how to prevent this type of a phishing/email scam attack.[/i]

    Education is the only way as this is a social, and common sense, issue rather than a technical one barring some kind of super AI that can keep these phishes from even showing up in personal email inboxes while allowing similar legit emails to pass. Phishes like these have been going on with phones and snail mail for years. As long as there are suckers, the attacks will go on. There are just too many ways to verify email contents without blindly following instructions, and I believe that any CxO that would fall for this is simply not qualified to do their job regardless of how 'good' they are.

    I would start with teaching what legit organizations won't send in emails, like requests for account information, and then what to do if there is any doubt, like call the organization directly to verify.
    • Yep

      Well, training just hasn't been effective though... and targeted attacks like this that involve a user's individual information make it even tougher to uncover.
      • Training

        Nate, the attacks impersonate some organization they 'trust', especially when they involve a user's individual information. How hard can it be to teach people to contact the organization? I could go on with relatively simple ways of checking where the email was actually sent from, but these ways are too complicated for most CxOs. I have been writing software for a long time, and I know that it is going to be a long time before it is technically possible to protect people from their own instincts. As long as people are the slightest bit gullible, there is always going to be a way to get to them, just ask Kevin Mitnick.

        I really believe that at this point, looking for a pure technical solution is like looking for a cancer cure pill or for eternal just isn't there. No technical solution will be completely effective without some kind of common sense (at least to you and me) education.
        • See, the thing is

          Training can't capture the gut reaction. Even if someone has been through training, these attacks play on someone's instinct to want to know the details... that's why this attack is so successful.

          • I know and agree with you,

            but technology can't compensate for gut reaction. The best solution for now is a combination of both. At least in the world of targeted phishes in the business world, it is easier to figure out who needs the training.

            I'm sure we could go on and on about this, maybe over that free beer we get in the email offer. Take care and keep up the good work, and I'll keep reading it.
          • Yep, agree with that

            It's a really tough problem.
            Thanks for the vote of confidence!

  • Emailed Subpoenas????

    Not sure what the law is in the US on these things, but up here in Canada, if I received one of these I'd delete it, as a subpoena can't be issued in this manner. It usually has to come via registered mail, or someone has to serve it to you personally.
    • You have to hit them where they are vulnerable

      Some people like to click to get free security software or to check out overseas pharmacies. Other people like to verify their bank account info from an email link. Still others want to get their hands on the $50,000,000 they won in the lottery in the Netherlands. CxOs want to cooperate with the court system.

      Hmm, I wonder what I would do if someone emailed me and said to click for free beer...........
      • Click!

        Whoa, careful there man, let's not get crazy... I'd click that, and probably gladly accept the pwnage for the free beer.

    • Surely, but...

      It only takes one person to not realize that for the attack to be successful.

    • Same Is True Here In The U.S., And...

      ...let's hope that the executives who are receiving these are ALL smart enough to know that government, at any level, would never issue a subpoena via e-mail! If the targets become "lesser" individuals than corporate execs, let's also hope they would be smart enough to realize the same.
      • Execs aren't always the only ones reading their own email

        I'll admit it's nowhere near as bad as it used to be (I can recall Execs with computers on their desks that had more dust on them than fingerprints), but many VIPs still have Admins and Assistants that have access to their email. It's common for these individuals to help their boss by going through their inbox and either get rid of the fluff or highlight the important items for them in order to save their valuable time.

        This is why Security Awareness that is targeted towards Executives needs to be shared with their support staff as well. These are the same individuals who can be targeted by Social Engineers who figure it might be easier to get past a "mere" admin as opposed to a c-level executive.
      • Execs are often the most IT illiterate

        but _hopefully_ they'd realise this ain't from the govt.