Spear Phishing Takes it Up a Notch

Tuesday, March 5, 2013 @ 05:03 PM gHale


A surge of highly convincing spear-phishing emails is going out in bulk.

More than one in 10 recipients of these messages click on links to compromised websites because the phishing emails look utterly plausible, according to cloud-based security services firm Proofpoint.


The combination of tailored emails and mass volume means that cyber-criminals can cost-effectively send 10,000 or even 100,000 individual spear-phishing messages, all potentially capable of bypassing traditional security defenses. This approach greatly improves the odds of success and the ability to exploit zero-day vulnerabilities in victims’ PCs, Proofpoint said.

Unlike conventional mass-mailing phishing lures, the email messages are highly variable rather than all identical. The body content also includes multiple mutations of an embedded URL, which points to an innocuous website at send time but is booby-trapped some time after the email has gone out, so a delivery-time scan of the link finds nothing wrong. Attackers can distribute thousands of malicious URL messages in a matter of hours, Proofpoint researchers said.

The company said it has observed, documented and countered dozens of attacks globally over the last six months. Victims end up lured into visiting “drive-by download” websites that typically exploit browser, PDF and Java security vulnerabilities to install rootkits on vulnerable PCs.

The user does not need to do anything else after clicking on the emailed URL and visiting a malicious website. In many cases, system compromises were triggered when employees accessed corporate email accounts from home or on the road, sometimes using mobile devices.

One wave originating from Russia last October included 135,000 emails sent to more than 80 companies in a three-hour period. To avoid detection, the attacker used approximately 28,000 different IP addresses for its sending agents, 35,000 different ‘sender’ aliases, and more than 20 legitimate websites compromised to host drive-by downloads and zero-day-exploiting malware.

Because of the different agents, sender aliases, URLs, subject lines and body content, no single targeted organization saw more than three emails with the same characteristics. As a result, the attack failed to register as anything more than background noise and stood an excellent chance of making it past traditional signature- and reputation-based anti-spam defenses and secure gateway appliances.

In another attack, approximately 28,800 messages were sent in multiple one-hour bursts to more than 200 enterprises. The campaign consisted of 813 unique compromised URLs sent from 2,181 different sending IPs. Again, each organization saw no more than three messages with identical content.

By using a distributed cloud of previously compromised machines and process automation to create high variance, attackers have been able to combine the stealth techniques and malicious payloads of spear-phishing with massively parallel delivery.
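The two defensive points the article makes, that per-organization exact-match signatures see only background noise while cross-organization correlation on the one thing the attacker cannot cheaply vary (the small set of compromised hosts) exposes the burst, and that a URL clean at delivery time can be weaponized before the click, can be shown on a small constructed data set. The following is an added example written for this page; it is not Proofpoint's code or any product's detection logic, and every host, sender alias, organization name, timestamp and threshold in it is made up for illustration.

```python
"""Added illustration (not Proofpoint's code): why per-org exact-match
signatures miss a 'longline' burst, how correlating mutated URLs by host
across organizations and time recovers the campaign, and why a URL must be
re-checked at click time rather than only at delivery."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed burst of 40 messages to 7 organizations. Each message has its
# own sending IP, sender alias, subject wording and URL path, but every URL
# lands on one of just two compromised hosts (.invalid names, made up).
T0 = datetime(2012, 10, 15, 9, 0)
HOSTS = ["news-example-a.invalid", "shop-example-b.invalid"]
SUBJECTS = ["Invoice attached", "Your invoice", "Invoice ready"]
# Field order: (time, recipient org, sender IP, sender alias, subject, URL)
SAMPLE = [
    (
        T0 + timedelta(minutes=4 * i),
        f"org{i % 7}",
        f"198.51.100.{i}",                 # fresh sending IP per message
        f"alias{i}@example.net",           # fresh 'from' alias per message
        SUBJECTS[i % 3],
        f"http://{HOSTS[i % 2]}/{'abc'[i % 3]}{i}/doc.php?id={1000 + i}",
    )
    for i in range(40)
]


def url_host(url: str) -> str:
    """Collapse a mutated URL to its host: path and query change per
    message, the compromised host behind them does not."""
    return urlsplit(url).hostname.lower()


def max_identical_per_org(messages) -> int:
    """What a per-organization exact-match signature sees: the largest number
    of messages in any single org that share subject and full URL."""
    seen = Counter((m[1], m[4], m[5]) for m in messages)
    return max(seen.values())


def find_longline_campaigns(messages, window=timedelta(hours=3),
                            min_orgs=5, min_msgs=15):
    """Correlate across organizations and time. A host that appears in at
    least min_msgs messages to at least min_orgs distinct orgs inside one
    sliding window is flagged, with the spread of sending IPs behind it.
    Thresholds are assumptions chosen for this sample, not vendor values."""
    by_host = defaultdict(list)
    for m in messages:
        by_host[url_host(m[5])].append(m)
    flagged = {}
    for host, msgs in by_host.items():
        msgs.sort(key=lambda m: m[0])
        best, start = None, 0
        for end in range(len(msgs)):
            while msgs[end][0] - msgs[start][0] > window:
                start += 1
            win = msgs[start:end + 1]
            orgs = {m[1] for m in win}
            if len(win) >= min_msgs and len(orgs) >= min_orgs:
                if best is None or len(win) > best["messages"]:
                    best = {"messages": len(win), "orgs": len(orgs),
                            "sender_ips": len({m[2] for m in win})}
        if best:
            flagged[host] = best
    return flagged


# Constructed reputation timeline standing in for a real lookup: the first
# host was clean when the mail went out and was listed 40 minutes later.
BLOCKLIST_SINCE = {HOSTS[0]: T0 + timedelta(minutes=40)}


def verdict(url: str, at: datetime, blocklist_since=BLOCKLIST_SINCE) -> str:
    """'block' once the URL's host is listed, 'allow' before that."""
    listed = blocklist_since.get(url_host(url))
    return "block" if listed is not None and at >= listed else "allow"


def delivery_vs_click(url: str, sent_at: datetime, clicked_at: datetime):
    """Delivery-time verdict beside click-time verdict for the same URL."""
    return verdict(url, sent_at), verdict(url, clicked_at)


# The first message: scanned clean at delivery, blocked an hour later at click.
CLICK_DEMO = delivery_vs_click(SAMPLE[0][5], T0, T0 + timedelta(hours=1))

if __name__ == "__main__":
    print("max identical messages seen by any one org:",
          max_identical_per_org(SAMPLE))
    for host, info in find_longline_campaigns(SAMPLE).items():
        print(host, info)
    print("delivery vs click verdict:", CLICK_DEMO)
```

On this sample no organization ever sees two messages with the same subject and URL, so an exact-match signature fires on nothing, yet grouping by host across all seven organizations turns up two hosts each carrying 20 messages from 20 distinct sending IPs inside a three-hour window. The delivery-versus-click pair shows the second failure mode: the same URL is "allow" when the gateway scans it and "block" by the time the user clicks, which is why a link has to be re-evaluated at click time, not only when the message arrives.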

“With longlining, cyber-criminals are combining the stealth and effectiveness of spear phishing with the speed and scale of traditional phishing and virus attacks,” said David Knight, executive vice president of product management for Proofpoint.

Click here to download a whitepaper on longline phishing attacks.


