Patience And The Art Of Spear Phishing

Like sea anglers, professional phishers hope to make their fortunes by patiently using sprats to catch something bigger, says Eric Doyle

It’s a nervous time for companies that have switched from in-house email systems to online services. Attacks against Web-based email services are exposing some of the weaknesses that business users must be wary of.

The spear phishing attacks on Gmail, Yahoo Mail and Windows Live Hotmail show that the new professional hackers are more patient and more focused on what they want to get from an exploit. In the old days, the aim of an attack was to penetrate the system and make off with whatever was revealed. The new style is to decide the desired outcome first and then work out how it can be achieved without attracting attention.

Softly, Softly, Catch eMonkey

The target tends to be specific company intelligence, such as the attack on RSA Security which sought to find the “secret” of the company’s SecurID passcode seeding. The chosen vehicle, at the moment, appears to be online services which require Web-based logins, primarily email.

The would-be intruder finds vulnerable users within the target organisation. These are often those deemed to be less tech savvy and are usually lower-grade workers. Finding names and email addresses is relatively simple given the openness of websites and the formulaic style of company email addresses. Alternatively, an innocent-looking question submitted through a contact form on the company’s site often elicits a reply that reveals a useful internal email address.

LinkedIn and other social networking sites can be a mine of useful information for an attacker. These sites can reveal alternative addresses for the targeted employee, possibly Gmail or other addresses.

LinkedIn is popular because it is designed to help people to promote themselves as ideal employees in the hope it will open doors to bigger and better opportunities.

Most people would prefer not to receive job offers through their corporate address and happily offer Hotmail, Yahoo and Gmail addresses as their preferred email contact address.

The next part is straight out of The Sting movie. An exact replica of the sign-on site for the Webmail service is created and the scene is set for the scam. An email is sent to the victim saying that the email database is congested or asking the user to confirm that their account is still active.

The fake site is the classic Man-in-the-Middle set-up. Lure an unsuspecting employee to the site through a disguised link in an email. The “mark” sees the site as genuine and logs in as usual. The fake page’s script records the login details and adds them to the hacker’s database.

Meanwhile, the fake site’s script connects to the real service, secretly logs the user in and then releases the user to check their emails. From the user’s perspective nothing untoward happened. Visit site, log in, view emails.
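The lure described above depends on a “disguised link”: the anchor text shows the real webmail address while the href points at the replica sign-on page. The following Python script is an added example for the defender’s side, not code from the original article or from any product it mentions. It parses an HTML email body, extracts every anchor, and flags those whose visible text names one registrable domain while the href resolves to another. The sample message, its domains and the `registrable_domain` helper are constructed for illustration; the helper uses a crude “last two labels” rule, which a real deployment would replace with a public-suffix list.

```python
"""Flag anchors in an HTML email whose visible text names one domain while the
href points at another: the disguised link that leads to a cloned login page.
Added example; the sample message and all domains in it are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []      # list of (href, visible text)
        self._href = None      # href of the anchor currently being read
        self._text = []        # text fragments inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation: the last two DNS labels. A production check would
    consult the public-suffix list so that e.g. 'co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# A hostname-looking token in the visible text, with or without a scheme.
_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def suspicious_links(html):
    """Return a list of findings for anchors whose shown domain and actual
    href domain disagree. Anchors with no domain in their text ('click here')
    make no claim to compare against and are skipped by this check."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        match = _DOMAIN_RE.search(text)
        if not match:
            continue
        shown = registrable_domain(match.group(1))
        actual = registrable_domain(urlparse(href).hostname or "")
        if shown != actual:
            findings.append(
                {"text": text, "href": href, "shown": shown, "actual": actual}
            )
    return findings


# Constructed sample: one disguised link, one honest link, one plain-text link.
SAMPLE_EMAIL = """
<p>Your mailbox is nearly full. Please confirm your account remains active:</p>
<p><a href="http://mail-login.example.net/confirm">https://mail.example.com/account</a></p>
<p>Help is available at <a href="https://mail.example.com/help">https://mail.example.com/help</a>.</p>
<p><a href="http://mail-login.example.net/confirm">Confirm your account</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(f"DISGUISED LINK: text shows {finding['shown']} "
              f"but href goes to {finding['actual']} ({finding['href']})")
```

Run as a script it reports the one mismatched anchor in the constructed message. The third anchor, whose text is just “Confirm your account”, is deliberately not caught by this check; catching it requires a different signal, such as comparing the href host against the domains the organisation actually uses for webmail.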

The attacker can then log in to the user’s account to see if there is any useful information that can further their nefarious aims.

There is a new twist on this scam, known as the Boy-in-the-Middle attack. This category of exploit takes its name from the fact that the fake site spawns a “child” routine.

When the user visits the fake site, it responds with a plausible dialog box that says that Adobe Flash, or some other popular browser add-on, needs to be updated. The unsuspecting user happily clicks on the upgrade request without a second thought.

Instead of the expected software download, the hacker has placed a Trojan on their system – a far more effective way to open the door into an enterprise’s network. To show how this works, Imperva has put together a video.

This initial approach shows how the professionals work towards their goal. Nothing is rushed and they take care to avoid attracting any attention. Like any spy in the real world, the virtual agent will go to great lengths to get what they want.

Patience is the key because the final prize is usually worth a fortune to the successful attacker.