October 8, 2012

What is Scaring Businesses the Most? Spear-phishing. New Websense Security Labs Research

Patrik Runald

Spear-phishing is a huge concern for today’s government and enterprises. While high profile attacks like last week’s spear-phishing attack against the White House and last year’s attack against Oak Ridge National Laboratory underscore the risk to government agencies, today’s businesses are also a primary victim. Hackers are increasingly looking to steal source code, intellectual property and financial information.

In light of these incidents, the Websense Security Labs collected data from the ThreatSeeker Network and analyzed it using our Advanced Classification Engine to identify the top trends in phishing today. These include:

  • Dramatic shifts in attack strategy
  • New security evasion tactics
  • An evolution of the targeted threat model

From Spam to Phish

To begin talking about phishing, you must first look at email security trends in general, and this usually begins with a discussion on spam.

  • Spam, often used as the first stage in many attacks, is sent in huge volumes to ensure penetration before signatures and other updates can be created be vendors or deployed by customers    
  • 92 percent of email spam contains a URL.
  • The total percent of spam that can be categorized as leading to a traditional phishing is approximately 1.62 percent.
  • While this may not seem huge, it can be placed into perspective by the fact that spam campaigns can reach more than a quarter of a million emails per hour and that the percentage of virus-related email spam was only 0.4 percent. Phishing attempts outnumber malicious executables in email volume. 

The majority of these broad phishing attacks share a link to a fake web landing pages to steal the log in credentials of users. Where are these phishing sites hosted? Our research indicates that a large portion of these sites is hosted in the United States. This doesn’t mean that the majority of phishing criminals are in the U.S. It is more likely a representation of available bandwidth, infrastructure, number of servers and ease of domain registration. 

The U.S. continues to dominate the volume of hosted phishing URLs.

Top 10 countries hosting phishing URLs: *Based on September 30, 2011-October 1, 2012 research

  1. United States
  2. Canada
  3. Bahamas
  4. Egypt
  5. Germany
  6. United Kingdom
  7. Netherlands
  8. France
  9. Brazil
  10. Russian Federation 

In this circumstance, the objective is to send a huge volume of emails with a lure compelling to a larger audience. So what does it take to get users to click?

Security as Social Engineering

Increasingly, attackers are using an individual’s fears of compromise against them. In this way, they have taken advantage of a tactic employed so successful by fake or rogue AV peddlers. 


How many times have you been browsing a web page and you get a pop up warning you that your computer is compromised? Most of us now know that these popups are the result of a fake AV scam and many of us have been conditioned not to click on these. However, if you receive a security alert email that looks like it comes from an organization you have a relationship with, such as a bank, or a social network you are a member of, it may increase your likelihood to click. Typically the page components replicate a real site, right down to the security warning to “Stay alert!”

Increasingly, phishers are using security notifications and alerts in their lures. In fact, after an analysis looking at the most recent quarter of this year, Websense Security Labs has determined that four of the top five subject lines of phishing attempts by volume are security messages:

Four out of the top five phishing email subject lines are related to security. These types of attacks represent the largest volume of recent subject lines designed to lure in victims.

Top five phishing email subject lines: *Based on July – September 2012 research

  1. Your account has been accessed by a third party
  2. (Bank Name) Internet Banking Customer Service Message
  3. Security Measures
  4. Verify your activity
  5. Account security Notification

But I work in a business you say… we have an email security system in place that inspects for viruses and does some rudimentary URL scanning…

Dodging the Cops: New Phishing Security Evasion Techniques

A disturbing new twist on targeted attacks has started to emerge this year that directly affects professionally managed networks. If we look at the days of the week when most phishing emails are sent, we notice a huge uptick in volume on Fridays, Sundays and Mondays.

Most phishing emails are sent on Fridays, followed by Monday and Sunday. The bad guys have learned that they can evade email security measures by sending an email with a clean link on Friday or over the weekend – bypassing email URL scanning. Then, over the weekend they compromise the URL with malicious code.

Top phishing days of the week (percentage): *Based on July-August 2012 research

  1. Friday (38.5%)
  2. Monday (30%)        
  3. Sunday (10.9%)      
  4. Thursday (6.5%)     
  5. Tuesday (5.8%)       
  6. Wednesday (5.2%) 
  7. Saturday (3.2%)                   

The bad guys know potential victim’s behavioral patterns. They know worker’s minds can stray on Fridays in a more relaxed setting. Relaxation and anticipation of the weekend can lead to more web browsing and an increased likelihood to click on links in emails. Similarly, stricken by a case of the Monday Blues, workers are also more likely to wander. By studying these behavioral elements, phishers know that they can increase their success rate. These guys are masters of lures and understanding their subjects. 

But they don’t just study their subjects, they study the security deployed to protect employees. This is also significantly increasing the volume of email sent late on a Friday and on Sunday.

The bad guys have learned that they can evade email security measures by sending an email with a clean link on Friday or over the weekend – bypassing email URL scanning. Then, over the weekend, they compromise the URL with malicious code.

A typical attack of this type would have the bad guy doing the following:

  1. Find a URL that can be easily compromised… but do nothing at that time. Leave it ‘as is’ for now.
  2. Craft an email that will not trigger spam, AV or other security measures based on its content, but include links to the currently ‘safe’ URL. Since they typically pretend to be something legitimate, it is best to simply copy a legitimate message… and only change one link to the ‘safe’ URL.
  3. Send the email over the weekend, or late at night, so email defenses will approve the email and deliver it into the user’s mailbox.
  4. Just before you believe employees will begin accessing email, compromise the URL and install that part of the attack strategy.

Evasion techniques like these help when hackers are going for the big game – spear-phishing employees with access to a specific network or data or whale phishing, the targeting of executives at companies.

Spear-phishing: The CSO Nightmare

Spear-phishing is one of the most pressing issues IT officers face today, and one they feel the least confident addressing.

Spear-phishing by definition isn’t a widely cast net. Instead, the attackers use well-crafted lures that incite a group or an individual’s urge to click. They are essentially socially engineering their victims onto the spear. Many of the targets of spear-phishing may also have an awareness of security initiatives in place, and may unwittingly rely more heavily on them.

For example:

Spear-phishing is one of the primary vectors of compromise and subsequent data loss.

The Watering Hole: A New Way to Hunt

Recently, attackers responsible for past targeted spear-phishing attacks have added a new wrinkle to the old phishing attack. This one involves lying in wait for targets to come to them, rather than supplying an active lure. Websense Security Labs has identified a number of these attacks, two of which took place prior to June 2012, the date previously disseminated by other researchers as the beginning of this type of attack. 

Water hole attack

While we can't determine that the infection of this website with exploit code is part of a targeted attack, one could deduce that visitors to this type of site are likely to have an interest in national security or are occupied in this field hence making it an attractive place for cybercriminals and nation states to wait for victims of a certain commonality to saunter by and then infect them. This is an effective way for hackers to reach a very targeted group, without sending out socially engineered lures.

While the INSS attack served up Poison Ivy, a common remote access tool used in the RSA attacks, we have also seen other exploits used in similar compromises:

Attacks of this nature may be a way for nation-states to garner additional information from a select audience without having to know the contact information or specific lure likely to compromise a target. This could be considered reconnaissance leading to more specific targeting and a more traditional spear-phish attempt.

These attacks illustrate how spam has evolved to phishing, which has evolved to spear-phishing, which in turn has evolved into sophisticated, targeted web compromises (watering holes), something unheard of just a short time ago.

Three Ways to Stop Spear-phishing

Websense recommends a three-pronged approach designed to stop 95-99 percent of spear-phishing attempts:

  1. Employee education: The human element is incredibly important. Employee education is fundamental to preventing a spear-phish attack. Consider pen-testing your users. Show them why they need to think before they click. Also, use a combination of audio and visual education methods like videos, webinars, newsletters and in-person trainings.
  2. Inbound email sandboxing: The most important control for stopping spear-phishing is to deploy a solution that checks the safety of an emailed link when a user clicks on it. You need to have URL sandboxing technology in place that analyzes website content and browser code in real time. 
  3. Real-time analysis and inspection of your web traffic: Stop malicious URLs from even getting to your users’ inboxes at your gateway. Even if you have inbound email sandboxing, some users might click on a link through a personal email account, like Gmail. In that case, your email spear-phishing protection is unable to see the traffic. Your web security gateway needs to be intelligent, analyze content in real time, and be 95+ percent effective at stopping malware.

Phishing infographic

Click to download and view a pdf of the full size infographic: 6545.Websense phishing infographic OCT12.pdf

Click here to download the full size PDF infographic in Italian.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.