What is Scaring Businesses the Most? Spear-phishing. New Websense Security Labs Research

Spear-phishing is a huge concern for today’s government and enterprises. While high profile attacks like last week’s spear-phishing attack against the White House and last year’s attack against Oak Ridge National Laboratory underscore the risk to government agencies, today’s businesses are also a primary victim. Hackers are increasingly looking to steal source code, intellectual property and financial information.

In light of these incidents, the Websense Security Labs collected data from the ThreatSeeker Network and analyzed it using our Advanced Classification Engine to identify the top trends in phishing today. These include:

• Dramatic shifts in attack strategy
• New security evasion tactics
• An evolution of the targeted threat model

From Spam to Phish

To begin talking about phishing, you must first look at email security trends in general, and this usually begins with a discussion on spam.

• Spam, often used as the first stage in many attacks, is sent in huge volumes to ensure penetration before signatures and other updates can be created be vendors or deployed by customers    
• 92 percent of email spam contains a URL.
• The total percent of spam that can be categorized as leading to a traditional phishing is approximately 1.62 percent.
• While this may not seem huge, it can be placed into perspective by the fact that spam campaigns can reach more than a quarter of a million emails per hour and that the percentage of virus-related email spam was only 0.4 percent. Phishing attempts outnumber malicious executables in email volume. 

The majority of these broad phishing attacks share a link to a fake web landing pages to steal the log in credentials of users. Where are these phishing sites hosted? Our research indicates that a large portion of these sites is hosted in the United States. This doesn’t mean that the majority of phishing criminals are in the U.S. It is more likely a representation of available bandwidth, infrastructure, number of servers and ease of domain registration. 

The U.S. continues to dominate the volume of hosted phishing URLs.

Top 10 countries hosting phishing URLs: *Based on September 30, 2011-October 1, 2012 research

1. United States
2. Canada
3. Bahamas
4. Egypt
5. Germany
6. United Kingdom
7. Netherlands
8. France
9. Brazil
10. Russian Federation 

In this circumstance, the objective is to send a huge volume of emails with a lure compelling to a larger audience. So what does it take to get users to click?

Security as Social Engineering

Increasingly, attackers are using an individual’s fears of compromise against them. In this way, they have taken advantage of a tactic employed so successful by fake or rogue AV peddlers. 

SECURITY ALERT!

How many times have you been browsing a web page and you get a pop up warning you that your computer is compromised? Most of us now know that these popups are the result of a fake AV scam and many of us have been conditioned not to click on these. However, if you receive a security alert email that looks like it comes from an organization you have a relationship with, such as a bank, or a social network you are a member of, it may increase your likelihood to click. Typically the page components replicate a real site, right down to the security warning to “Stay alert!”

Increasingly, phishers are using security notifications and alerts in their lures. In fact, after an analysis looking at the most recent quarter of this year, Websense Security Labs has determined that four of the top five subject lines of phishing attempts by volume are security messages:

Four out of the top five phishing email subject lines are related to security. These types of attacks represent the largest volume of recent subject lines designed to lure in victims.

Top five phishing email subject lines: *Based on July – September 2012 research

1. Your account has been accessed by a third party
2. (Bank Name) Internet Banking Customer Service Message
3. Security Measures
4. Verify your activity
5. Account security Notification

But I work in a business you say… we have an email security system in place that inspects for viruses and does some rudimentary URL scanning…

Dodging the Cops: New Phishing Security Evasion Techniques

A disturbing new twist on targeted attacks has started to emerge this year that directly affects professionally managed networks. If we look at the days of the week when most phishing emails are sent, we notice a huge uptick in volume on Fridays, Sundays and Mondays.

Most phishing emails are sent on Fridays, followed by Monday and Sunday. The bad guys have learned that they can evade email security measures by sending an email with a clean link on Friday or over the weekend – bypassing email URL scanning. Then, over the weekend they compromise the URL with malicious code.

Top phishing days of the week (percentage): *Based on July-August 2012 research

1. Friday (38.5%)
2. Monday (30%)        
3. Sunday (10.9%)      
4. Thursday (6.5%)     
5. Tuesday (5.8%)       
6. Wednesday (5.2%) 
7. Saturday (3.2%)                   

The bad guys know potential victim’s behavioral patterns. They know worker’s minds can stray on Fridays in a more relaxed setting. Relaxation and anticipation of the weekend can lead to more web browsing and an increased likelihood to click on links in emails. Similarly, stricken by a case of the Monday Blues, workers are also more likely to wander. By studying these behavioral elements, phishers know that they can increase their success rate. These guys are masters of lures and understanding their subjects. 

But they don’t just study their subjects, they study the security deployed to protect employees. This is also significantly increasing the volume of email sent late on a Friday and on Sunday.

The bad guys have learned that they can evade email security measures by sending an email with a clean link on Friday or over the weekend – bypassing email URL scanning. Then, over the weekend, they compromise the URL with malicious code.

A typical attack of this type would have the bad guy doing the following:

1. Find a URL that can be easily compromised… but do nothing at that time. Leave it ‘as is’ for now.
2. Craft an email that will not trigger spam, AV or other security measures based on its content, but include links to the currently ‘safe’ URL. Since they typically pretend to be something legitimate, it is best to simply copy a legitimate message… and only change one link to the ‘safe’ URL.
3. Send the email over the weekend, or late at night, so email defenses will approve the email and deliver it into the user’s mailbox.
4. Just before you believe employees will begin accessing email, compromise the URL and install that part of the attack strategy.

Evasion techniques like these help when hackers are going for the big game – spear-phishing employees with access to a specific network or data or whale phishing, the targeting of executives at companies.

Spear-phishing: The CSO Nightmare

Spear-phishing is one of the most pressing issues IT officers face today, and one they feel the least confident addressing.

Spear-phishing by definition isn’t a widely cast net. Instead, the attackers use well-crafted lures that incite a group or an individual’s urge to click. They are essentially socially engineering their victims onto the spear. Many of the targets of spear-phishing may also have an awareness of security initiatives in place, and may unwittingly rely more heavily on them.

For example:

• The White House became the victim of a spear-phishing attack just a few days ago. It is alleged that Chinese hackers attempted to gain access to an unclassified network within the office. Although no data was reported lost, the potential for a flood of increased attacks is increased after a successful incident.
• Last year, an email spear-phishing attack succeeded at Oak Ridge National Laboratory before the organization cut off internet access to workers. The Oak Ridge facility handles classified and non-classified research for the federal government and is known for researching cybersecurity initiatives. A targeted email was sent to specific employees masquerading as an employee benefits email from the human resource department. Data was presumed lost in this incident. This is in addition to a previous incident that exposed several years' worth of the social security numbers of visitors to the Lab.
• In March 2011, executives from security company RSA announced a possible breach of SecurID product information from a spear-phishing attack. A spear-phishing e-mail was sent to two small groups within the company. Though the e-mail was automatically marked as Junk, the subject of the message ("2011 Recruitment Plan") tricked one employee into opening it anyway. Later, in May 2011, Lockheed Martin announced it had been hacked and RSA SecurID tokens were involved.
• GhostNet, Night Dragon, and the Operation Aurora attack against Google, Adobe and approximately a dozen other companies, and many of the other so-called advanced persistent threats (APT) that have been publicly documented have been initiated at least in part through targeted spear phishing emails.

Spear-phishing is one of the primary vectors of compromise and subsequent data loss.

The Watering Hole: A New Way to Hunt

Recently, attackers responsible for past targeted spear-phishing attacks have added a new wrinkle to the old phishing attack. This one involves lying in wait for targets to come to them, rather than supplying an active lure. Websense Security Labs has identified a number of these attacks, two of which took place prior to June 2012, the date previously disseminated by other researchers as the beginning of this type of attack. 

• In May 2012, the Websense ThreatSeeker Network detected that the Institute for National Security Studies (INSS) website in Israel was injected with malicious code. INSS is described in its website as an independent academic institute that studies key issues relating to Israel's national security and Middle East affairs.

While we can't determine that the infection of this website with exploit code is part of a targeted attack, one could deduce that visitors to this type of site are likely to have an interest in national security or are occupied in this field hence making it an attractive place for cybercriminals and nation states to wait for victims of a certain commonality to saunter by and then infect them. This is an effective way for hackers to reach a very targeted group, without sending out socially engineered lures.

While the INSS attack served up Poison Ivy, a common remote access tool used in the RSA attacks, we have also seen other exploits used in similar compromises:

• Nepalese government websites were compromised to serve Zegost RAT in August 2012.
• Also, in May 2012, the Amnesty International UK website was compromised to serve Gh0st RAT.
• All of these used the same vulnerability (CVE-2012-0507).

Attacks of this nature may be a way for nation-states to garner additional information from a select audience without having to know the contact information or specific lure likely to compromise a target. This could be considered reconnaissance leading to more specific targeting and a more traditional spear-phish attempt.

These attacks illustrate how spam has evolved to phishing, which has evolved to spear-phishing, which in turn has evolved into sophisticated, targeted web compromises (watering holes), something unheard of just a short time ago.

Three Ways to Stop Spear-phishing

Websense recommends a three-pronged approach designed to stop 95-99 percent of spear-phishing attempts:

1. Employee education: The human element is incredibly important. Employee education is fundamental to preventing a spear-phish attack. Consider pen-testing your users. Show them why they need to think before they click. Also, use a combination of audio and visual education methods like videos, webinars, newsletters and in-person trainings.
2. Inbound email sandboxing: The most important control for stopping spear-phishing is to deploy a solution that checks the safety of an emailed link when a user clicks on it. You need to have URL sandboxing technology in place that analyzes website content and browser code in real time. 
3. Real-time analysis and inspection of your web traffic: Stop malicious URLs from even getting to your users’ inboxes at your gateway. Even if you have inbound email sandboxing, some users might click on a link through a personal email account, like Gmail. In that case, your email spear-phishing protection is unable to see the traffic. Your web security gateway needs to be intelligent, analyze content in real time, and be 95+ percent effective at stopping malware.

Click to download and view a pdf of the full size infographic: 6545.Websense phishing infographic OCT12.pdf

Click here to download the full size PDF infographic in Italian.