Fraudsters Hone Attacks with Spear Phishing

In my previous column, I said that the No. 1 way to reduce IT security risks [1] in your organization is to "simply" prevent end-users from installing stuff they shouldn't. This, of course, is much easier said than done.

Although infected innocent Web sites result in a large percentage of security breaches, fraudulent emails still abound. Unfortunately, long gone are the days when it was easy to identify malicious phishing [2] emails by their strange subject lines and horrible grammar.


Today's phishers, at the very least, are grammatically correct. The ones without enough education or experience to use language correctly naturally made less money and fell out of the criminal business early on; either that, or they hired smarter people.

The next generation of phishing messages, which is still prevalent today, strongly resembles legitimate messages from our banks, cable companies, online electronic payment services, and credit card companies. Everything in the emails looks legitimate, including the graphics that originate from the real company's Website. (The ones that included a notice to watch out for fake phishing messages always made me giggle.) The only thing that's fake in the entire message is the link that victims are required to click to complete the requested action.

This form of phishing is pretty effective, but the messages at least contain a small clue (the bogus URL link) to users that they should evaluate the legitimacy of the request. Today's browsers, with antiphishing features, might even warn an end-user against loading the bogus site.

But now end-users are being targeted by a new form of phishing, called "spear phishing," which specifically targets a user or company. Spear-phishing emails look more authentic than the aforementioned breed, often including the user's complete name or referring to a real project that the user is working on. Spear phishers often gather this information by doing tactical research or even breaking into a database, and it's effective enough to fool even the savviest end-users.

Often these forms of phishing attempt to entice the end-user into running a Trojan horse program, which then compromises the computer and the company's network. Most of the companies I work with these days have been exploited by one of these spear phishing e-mails. If the end-user is running antimalware [5] scanning software, the product may block the Trojan install.

To get around the previously mentioned potential blocks, phishing writers are now creating emails that do not contain any obvious malicious links. They don't ask users to visit bogus Websites or to install unexpected software. Rather, they attempt to fool a user or system admin into opening up holes in the company's network defenses.

Here's an example of one of these messages, sent to me by my friend and CISSP, Bob McCoy. It was addressed to him directly and appeared to come from his company's email service provider. (For brevity and safety, I've removed the vendor names, authentic-looking graphics, and links from the message.)

Dear Valued Customer,

We are pleased to announce the go-live date for a new Data Center, scheduled to go live on April 19, 2010.
Please update your firewall rules to allow SMTP traffic on port 25 from the following IP address ranges:

xxx.xxx.xxx.xxx/xx (xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx)
xx.xxx.xxx.xx/xx (xx.xxx.xxx.xx - xx.xxx.xxx.xxx)

If you have settings on your e-mail server which control the IPs which are allowed to connect for e-mail relay please confirm that those settings are updated as well.

We will be able to test and verify connections one week prior to April 19, 2010. Additionally, we will be proactively running connection tests prior to the launch on behalf of all customers, and contacting you directly if we are unable to connect to any of your domains from ALL specified IP addresses for that domain.

Prior to the launch of the new IP addresses, we recommend that you set up and configure the Deferral Notification alerting feature for your domains using the Deferral Notification option on the Domain properties page in the Admin Center. The Deferral Notification alert feature sends a message to you when a customized threshold has been met or exceeded for deferred e-mail in your domain. After the new IP addresses are launched, this feature will help to ensure that e-mail sent to your domains is not deferred because of unsuccessful connection attempts to your network, and that you are alerted in the event that e-mail is being deferred beyond your acceptable limits. For more information on how to set up the Deferral Notification alert feature, see the Admin Center Guide in the Resource Center.

Please refer to the Configuration subtab of the Administration Center for a complete list of IPs which should be allowed to connect to your environment at any time.

Simply analyzing the phishing message's contents would not reveal anything out of the ordinary. Unlike regular phishing e-mails, all links and e-mail addresses were legitimate. There were no bogus Web sites and no Trojan horse executables to install. Rather, the attackers are essentially instructing the victims to open up their e-mail server for spam relaying.

Upon opening this message, Bob suspected the scam immediately. His suspicions were confirmed 10 minutes later when he received an identical message from another vendor. Other users have not been as lucky.

I'm already aware of several clients who've fallen for this scam. In each case, the victim remembered getting a similar sort of email message when they first signed on with a service and, thus, thought the bogus message was legitimate -- especially because their cloud/hosting providers keep bragging about all the new data centers they're continuing to bring online.

Other phishing messages have instructed users to disable their host-based firewalls [6] and to open up unprotected network shares and enable overly permissive peer-to-peer file sharing. It makes the old days of hoax messages that caused users to delete legitimate operating system files seem relatively harmless.

As with any suspected phishing email, recipients should contact the purported senders using another out-of-band method to confirm the legitimacy. Moreover, you should update your end-user education materials to include these sorts of phishing e-mails.
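The check the last two paragraphs call for, as an added example that is not part of the original column: parse the requested address ranges out of a message like the one above, approve only those that fall inside a list obtained out of band (the provider's admin console, a bookmarked documentation page, a phone call to a number you already have), and build the relay allow-list from verified ranges only. The sample message, its documentation-range addresses, the stand-in published list, and the `postfix_mynetworks` helper are all constructed for this example.

```python
"""Verify a mailed request to allow-list SMTP source ranges before touching relay config.

Added example, not from the original column. The message body below and the
'published' provider list are constructed stand-ins; in practice the published
list comes from a channel the email itself did not supply.
"""
import ipaddress
import re

# Constructed sample: the kind of request shown in the column, with made-up
# ranges drawn from the documentation address blocks.
REQUEST_EMAIL = """Dear Valued Customer,
Please update your firewall rules to allow SMTP traffic on port 25 from the
following IP address ranges: 192.0.2.0/24 (192.0.2.0 - 192.0.2.255)
203.0.113.64/26 (203.0.113.64 - 203.0.113.127) 198.51.100.0/22
"""

# Constructed stand-in for the provider's independently obtained address list.
PUBLISHED_RANGES = ["192.0.2.0/24", "203.0.113.0/24"]

# Matches dotted-quad/prefix tokens; the bracketed start-end forms are ignored.
CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def extract_cidrs(body):
    """Pull every CIDR-looking token out of a message body, dropping malformed ones."""
    found = []
    for token in CIDR_RE.findall(body):
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # not a valid network; ignore rather than guess
        if net not in found:
            found.append(net)
    return found


def verify_ranges(requested, published):
    """Split requested networks into those covered by the out-of-band list and those not.

    A request is approved only if it is fully contained in a published range.
    Anything else is rejected: an allow-list entry for an unverified range turns
    the server into a relay for whoever controls those addresses.
    """
    published_nets = [ipaddress.ip_network(p, strict=False) for p in published]
    approved, rejected = [], []
    for net in requested:
        covered = any(net.subnet_of(pub) for pub in published_nets
                      if net.version == pub.version)
        (approved if covered else rejected).append(net)
    return approved, rejected


def postfix_mynetworks(approved, existing=("127.0.0.0/8",)):
    """Render a Postfix 'mynetworks' value from verified ranges only (constructed helper)."""
    nets = list(existing) + [str(n) for n in approved]
    return "mynetworks = " + " ".join(nets)


def review_request(body=REQUEST_EMAIL, published=PUBLISHED_RANGES):
    """Summarize what the message asks for and how much of it survives verification."""
    requested = extract_cidrs(body)
    approved, rejected = verify_ranges(requested, published)
    return {
        "requested": [str(n) for n in requested],
        "approved": [str(n) for n in approved],
        "rejected": [str(n) for n in rejected],
        # Number of source addresses that would gain relay access if applied blindly.
        "addresses_at_risk": sum(n.num_addresses for n in rejected),
    }


if __name__ == "__main__":
    result = review_request()
    for key, value in result.items():
        print(f"{key}: {value}")
    if result["rejected"]:
        print("Do not apply: confirm the rejected ranges with the provider out of band.")
    else:
        approved, _ = verify_ranges(extract_cidrs(REQUEST_EMAIL), PUBLISHED_RANGES)
        print(postfix_mynetworks(approved))
```

Run as-is, the script rejects the third range (1,024 addresses not on the published list) and refuses to emit a configuration line; the rejected ranges are exactly the ones to take to the provider through a channel the message did not hand you.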
