Spear phishing: Are you cybercriminals' next target?

How targeted attacks are sneaking in under the radar...
Written by Nick Heath, Contributor

How targeted attacks are sneaking in under the radar...

Email fraud

Spear phishing attacks have been used successfully against several large companies of latePhoto: Justin Kraemer

In the remake of the sci-fi show Battlestar Galatica, mankind was infiltrated by cyborgs that looked and sounded exactly like people but were hell-bent on destroying the human race.

Workers may find themselves facing a similar ploy the next time they open an email from a colleague. Is it really an update from HR about gym membership? Or is it a booby-trapped document designed to release data-stealing malware onto the corporate system?

This is spear phishing - where criminals send emails that have been carefully researched and crafted to fool a specific target into thinking they come from a trusted acquaintance or organisation, and trick them into divulging details or installing malware.

Of late, the practice has helped cybercriminals claim some high-value scalps, such as the security firm RSA. Here, a spear-phishing email was used to instigate an attack that stole information about RSA's SecurID authentication tokens - which are used by millions of people, including government and bank employees for two-factor authentication.

Spear-phishing emails are often the first stage in advanced persistent-threat (APT) attacks, where cybercriminals launch a long-term operation to target particular information or assets belonging to an individual or organisation.

In a blog entry detailing the RSA attack, Uri Rivner, head of new technologies and consumer identity protection at RSA, said: "The number of enterprises hit by APTs grows by the month, and the range of APT targets includes just about every industry. Unofficial tallies number dozens of mega-corporations attacked."

The RSA break-in bore many of the characteristics of a typical spear-phishing and subsequent advanced persistent-threat attack.

In the attack, an employee was tricked into opening an email with an innocuous-sounding spreadsheet attached, called 2011 Recruitment Plan.

When opened, this spreadsheet triggered software designed to exploit a then-unpatched vulnerability in Adobe Flash, and install software that allowed the attacker to access and control the employee's machine over the internet.

The attackers then began the second, longer phase of gaining access to the machines of other employees with more valuable information and more widespread system access, such as process experts and server administrators.

Once the attackers had established access to RSA servers containing information of interest, they moved quickly to extract that information to an external server, wiping traces of the attack behind them.

How common are targeted attacks?

Evidence that spear phishing and targeted attacks are...

...on the increase is mainly anecdotal.

In its latest Internet Security Threat Report, Symantec says seven per cent of phishing attacks in 2010 were spear phishing but the company does not have data for previous years.

Graham Cluley, senior technology consultant with security company Sophos, said: "It's hard to put real numbers on it. However, anecdotally and from what we are seeing in the labs, there does seem to be more and more activity in this area."

According to Cluley, targeted attacks are becoming more lucrative while mass phishing scams, where the same fake email is sent to millions of people in an attempt to trick them into revealing valuable information, are becoming less rewarding.

Mass phishing scams are becoming less effective as the population learns how to spot them, Cluley said, and as the computers that send out these emails are shut down more rapidly.

"The return on the investment for the cybercriminal becomes more and more difficult to retain," he said.

"However, in terms of corporate espionage and stealing information from companies and databases - data with real monetary value - there's more and more opportunity for that as more information is made digital."

For RSA's Rivner, spear phishing and APTs are becoming popular because they effectively target the weak link in any organisation's information security defences: the human being.

"You don't bother to just simply hack the organisation and its infrastructure. You focus much more of your attention on hacking the employees," he wrote in his blog post.

"One cannot stress enough the point about APTs being, first and foremost, a new attack doctrine built to circumvent the existing perimeter and endpoint defences. It's a little similar to stealth air fighters: for decades you've based your air defence on radar technology.

What sort of data is being stolen?

Spear phishing is just one technique for...

...attacking a corporate network or stealing digital information and assets, and as such has been used to attack organisations across the private and public sector.

RSA's Uri Rivner told silicon.com: "We are starting to see spear phishing as the entry point for many and various cybercrime attacks - be it on consumers or corporates, it's a very useful tool."

The one thing these attacks generally have in common is that the cybercriminals are targeting an individual or organisation with a view to stealing a particular piece of information or asset.

Private sector companies are usually targeted to steal money, gain access to systems or to take information and assets to sell to other criminals.

Symantec security strategist Sian John said: "It's a criminal underworld who's buying this data.

"Number one is credit card information, number two is bank account credentials and number three is email accounts. Those are the details you can get the most return on as a criminal."

RSA has compared targeted attacks to a stealth bomber

RSA's Uri Rivner compared targeted attacks to a raid by a stealth bomberPhoto: expertinfantry

According to Cluley, another common motivation is to gain access to an organisation's mail server, or individual email accounts, and use them to distribute spam or more phishing emails.

Another recent example of the type of assets being targeted comes from court documents that suggest publisher Condé Nast fell victim to a spear-phishing attack last year, which prompted it to authorise payments to a third party masquerading as a print services company.

According to the documents, an "electronic payment authorisation" form purporting to come from the print services company was sent to Condé Nast via email in early November 2010.

The form was completed and Condé Nast made payments of about $8m to the bank account between 17 November 2010 and 30 December 2010. No money was withdrawn from the account and the account was frozen by federal authorities.

In the public sector, Whitehall has been targeted by a spear-phishing attack, with William Hague revealing that last year government officials were sent a link purporting to come from a Whitehouse official that downloaded a variant of the Zeus virus.

Sophos' Cluley expects governments are also engaged in targeted attacks to protect national interests.

He said: "If a British company were bidding to build a huge dam in Africa, and there were also Chinese companies bidding, I don't think we should be surprised if the British company was being spied on for economic reasons, or that the British would be doing the same in reverse as well.

"I would expect every country around the world to be spying on each other via the internet for military, political or economic reasons."

While companies have been found to be buying information stolen from their competitors in the past, Symantec's John said the practice is rare.

Who is being targeted?

Senior staff make tempting targets for spear-phishing...

...attacks, due to their access to a large range of information and corporate systems.

Symantec's John said: "In last year's internet security report, we saw it was mostly senior executives - the sort of people who would be more likely to be carrying sensitive information around or have access to it."

HR executives in particular provide a rich source of information on employees and company structure for cybercriminals, Sophos' Cluley said.

"Obviously HR have access to a lot of information that regular employees in an organisation don't. In a way, they have privileged information regarding the identity and details of all kinds of people inside your organisation," he said.

However, spear-phishers will not always directly target the senior staff members, sometimes preferring to target junior employees who are easier to spoof.

Once the attacker has access to the junior employee's machine, they can then take control of computers belonging to staff with a higher level of network access, as happened in the RSA attack.

"It's not necessarily the case that it is only C-level staff who are at risk," said Cluley.

"You might be a fairly junior or middle-ranking member of staff but you have access to network passwords and so forth."

Often the spear-phishing email is the first stage in a longer attack, where the criminal will go on to compromise more machines and passwords, and locate information of value.

RSA's Rivner wrote in his blog post: "In many of the APTs publicised in the past 18 months, the attackers had months to do digital "shoulder surfing" on the attacked users, map the network and the resources, and start looking for a path to the coveted assets they desired.

"Then they use the compromised accounts, coupled with various other tactics, to gain access to more "strategic" users."

The final stage is extracting the data - a process that normally has to take place quickly, as Rivner said this stage is the "noisy" phase of the attack, where the intrusion is most likely to be detected.

How are attacks being crafted?

A successful spear-phishing attack has to ...

...look and sound like a legitimate email from a friend or trusted organisation.

Symantec's John said: "You do a lot of research about the person you're after and create an email that is likely to pique their interest.

"Say they've got an interest in a certain research topic, you would research that topic and find out who's the expert in the field, discover when a report's due out by that expert and on that day send an email referencing the expert saying, 'Click here to read my report'.

"It's a well-researched, well-written email in good English to fool people into thinking it's genuine and to open it."

Today, a wealth of information is available about individuals and companies online - particularly through social networks.

If someone is unguarded about the way they use social networks it can be easy for a cybercriminal to learn their interests, friends and colleagues - all important information in preparing a spear-phishing attack.

Social media privacy

Broadcasting too much information on social networks can provide ammunition for cybercriminals crafting a targeted attackPhoto: mikael altemark

"Take something like LinkedIn - that's a fantastic way of getting a corporate directory inside an organisation," Cluley said.

"I could find who the head of HR is at silicon.com and who the latest recruits are, then forge an email claiming to come from the head of HR to the new recruit saying, 'Congratulations on joining - find out about the gym membership by clicking on the following link and logging on with your network password'."

Details like names and email addresses are valuable to cybercriminals in creating a plausible spear-phishing email, Cluley said, referencing the potential use that cybercriminals might make of the names and email addresses stolen from email marketing company Epsilon - which handles mailing lists for firms including Marks & Spencer and Marriott.

"The potential threat is that the cybercriminals know people's email addresses and that they're interested in working with a particular company," he said.

"You can have a more targeted attack that way."

RSA's Rivner said during research RSA had seen a posting on an underground forum offering $50 for the email address of a company CEO.

What forms do the attacks take?

Spear-phishing attacks take many forms - some are...

...simple requests for valuable information such as financial details or network passwords, some are bogus forms authorising payments and some contain files or links rigged to install malware on the recipient's machines.

Despite the variation in attacks, Sophos' Cluley said everyday office document formats such as Microsoft Word files and PDFs were a common choice for hiding malware in spear-phishing attacks.

"There's a perception among the typical computer user that if it's a Word doc or a PDF file, that's safe," he said.

"Unfortunately there are things that Adobe built into the PDF format that can be equally dangerous and can be exploited."

It is not just individuals who are being targeted, but also specific industries.

Last year the Nimkey Trojan, aka Chilkat, was modified to record information when a person logged onto an online platform used by companies to trade licences for quotas for the emission of carbon dioxide. According to RSA, the Trojan was implicated in the theft of 1.6 million EU emission allowances, valued at nearly €20m.

Another instance of malware designed to exploit a particular industry is Stuxnet, a worm designed to target a piece of software used to control specific industrial processes, and which infected equipment used by the Iranian government to enrich uranium.

How to protect against attacks

The usual advice on keeping antivirus and patches up to date applies, not just for the OS, but also for web browsers and their plug-ins and Adobe software.

Cluley also recommends turning off options that allow Flash content and JavaScript to run in Adobe Acrobat, the program used to view PDF files, and updating to the latest version of Adobe Acrobat Reader that includes sandbox technology, which helps to block attacks.

To help limit the amount of personal information that can be used to put together a targeted email, Symantec's John recommended turning on all available privacy-protection options in social networks, and said users shouldn't post on social networks anything they "wouldn't be happy to shout out in the middle of Hyde Park".

To counter the effect of company email accounts being hijacked, Cluley recommends implementing an SMTP spam filter and using two-factor authentication for employees logging into email.

What the future holds

As social networks become integral to the way companies communicate and promote themselves, and growing numbers of people sign up to them, Cluley believes targeted attacks will become both easier to carry out and more frequent.

Cluley said: "I think these kinds of attacks will become more common, and I think it will come about as a result of social engineering.

"As people put more about themselves on social networks and the like, the emails and communications received will become more convincing."

Editorial standards