“Spear Phishing” – An Inside Look at Some of the Strategies and Tactics Cybercriminals Use to Conduct Successful Phishing Attacks
This week’s news is abuzz with what may be the biggest data breach in US history. Epsilon, a provider of marketing services to some of the biggest brands around the world, was hacked. Thieves got away with the names and email addresses of customers from some of the largest banks in the U.S. as well as many retailers, hospitality companies and more. Companies are now warning their clients to be wary of suspicious emails and phishing attempts. As Brian Krebs noted on his blog, the hackers have gained much more than just simple lists of emails. Correlating an individual’s data across the different companies, they can craft emails targeting at specific individuals (aka “spear-phishing”). Providing personal information in an email – specifying for example a credit card from the individual’s bank known to buy at Best Buy and Target – makes the email seem all the more credible, flying under the radar.
Attackers are investing and honing their techniques to evade detection. Phishing emails are edited by professionals to give the impression of legitimacy. The US CERT has warned of successful HTML phishing campaigns. Fraudulent tax campaigns come out as soon as tax season starts and current events are also leveraged to entice users to open malicious attachments. What are these most recent phishing campaigns and what should be done against them?
Seasonal Phishing Campaigns
It’s the peak of tax season and with the precision of a Swiss clock, the US CERT has issued its annual warning against the most recent tax scams. As American tax filers scramble towards the April 15th deadline, so do hackers. How do these scams work? First, a hacker hacks into a legitimate website and uploads any one of the numerous phishing kits readily-available on hacker forums. Then, the kit is uploaded and the compromised site becomes a phishing site identical to the federal one. Next, the hacker sends creative phishing emails which urge the victim to click on a link promising early tax rebates, tax reductions or other benefits. A user falling for the scam follows the link which leads to the spoofed website. The victims proceed to insert their personal details which are sent off to the hacker’s “drop-box”.
When Phishing Goes HTML
Browsers have taken initial steps to protect their users against phishing campaigns, such as the above tax scam. These anti-phishing mechanisms rely on site URL blacklisting. Take for example Google Chrome’s Safe Browsing. A victim who clicked on a link embedded within a phishing email will be alerted of the suspicious URL destination. As a result, hackers have developed techniques to defeat some of these browser controls. One way is to use HTML phishing where the hacker attaches an HTML form. The victim opens the form and inserts her details which in turn get sent back to the hacker. This technique in essence bypasses the built-in anti-phishing techniques since this scenario does not include any URL to alert on. The hacker even has the added value of protection against “service disruption” by security researchers as there is no phishing site to take-down!
Malware Wipe Out Prior to Detection
As new Trojans are released at such a rapid rate, anti-malware tools are having difficulties to keep up to date with all these variants. Take for example a re-emergence of a variant of Proxy Trojans, dubbed “Boy in the Browser”(BitB). Enticing emails lure users to download necessary video players which disguise the Trojan. The BitB Trojan, once executed on the victim’s machine, re-routes the victim’s traffic to pass through an attacker-controlled server. It does this by tampering the file which maps the hostname to the network address. After this persistent change to the configuration file is performed, the exploit code is removed from the victim’s machine. As a consequence, even if that user updated to their latest AV content, then the next time she switches on her computer, there is no remnant of the Trojan to be detected by the AV. The simplicity of the BitB Trojans allows them for quick development and adaptation. So much so, that in my employer’s labs we actually witnessed these Trojans go undetected by AVs for more than a week!
Multiple Malware Distribution Platforms
A recent report has shown that another detection evasion method is to use multiple vehicles for distribution. Anti-viruses may flag malware as suspicious when distributed for example via an email. However, the same anti-virus may not flag the same malware as suspicious if distributed in another manner.
Malware on the Decline?
A counterintuitive report specifying that malware was on the rise recently came from PandaLabs, citing overall February anti-virus statistics summary showing a decline in malware as compared to January. In light of the above discussion and considering the resources hackers are currently investing to bypass current security tools, we can assume that less malware has been detected. In reality though, more malware has just evaded detection.
|Part in a Series on Cybercrime – Read Noa’s Other Featured Cybercrime Columns Here|
Malware – a Business Concern
This article has clearly shown that even the most sensible user cannot guarantee immunity. On the bright side, perhaps the concerning state of malware could lead to a change. The state of malware may force enterprises to deal with these threats in new ways. Much like seat belt laws forced manufacturers to deal with consumer safety in cars, enterprises should learn how to interact with infected customers and create a safe business environment for them. For example, they will have to develop solutions to defeat phishing campaigns, to detect infected clients and sand-box client sessions.
Next Column – Does Compliance Hinder Hackers
The winds of change will force businesses to provide the necessary security solutions to interact with their customers. But there is currently a more compelling driver for controls – compliance. Different industries are required to comply with different regulations, such as PCI, which mandate security controls. Stay tuned as I question whether compliance hinders hacker activity.