New "Spear Phishing" Attacks Target IT Admins

snydeq writes "A new breed of 'spear phishing' aimed at IT admins is making the rounds. The emails, containing no obvious malicious links, are fooling even the savviest of users into opening up holes in their company's network defenses. The authentic-looking emails, which often include the admin's complete name or refer to a real project they are working on, are the product of tactical research or database hacks and appear as if having been sent by the company's hosting provider. 'In each case, the victim remembered getting a similar sort of email message when they first signed on with a service and, thus, thought the bogus message was legitimate — especially because their cloud/hosting providers keep bragging about all the new data centers they're continuing to bring online.' The phishing messages often include instructions for opening up mail servers to enable spam relaying, to disable their host-based firewalls, and to open up unprotected network shares. Certainly fodder for some bone-headed mistakes on the part of admins, the new attack 'makes the old days of hoax messages that caused users to delete legitimate operating system files seem relatively harmless.'"

This is why...

The less information floats about you on the net, the better.

Try "fishing for noobs", not admins.

[pla]

The phishing messages often include instructions for opening up mail servers to enable spam relaying, to disable their host-based firewalls, and to open up unprotected network shares.

Why on Earth would I do that at the whim of my ISP or web host? I've actually gotten into arguments with known, real providers that insisted they needed access to my network to work properly (correct response - "No, no you don't - and neither does your competition"), I sure as hell wouldn't say "Oh, you have a new service? Cool, guess I'll chuck that Sonicwall in the trash now...".

This may target "your nephew who does your computer stuff at the office", but it sure as hell doesn't target IT professionals.

Re:Try "fishing for noobs", not admins.

[Fnord666]

Seconded. Why in the world would anyone with a quarter of a clue look at

We are pleased to announce the go-live date for a new Data Center, scheduled to go live on April 19, 2010.
Please update your firewall rules to allow SMTP traffic on port 25 from the following IP address ranges:213.199.180.128/26 (213.199.180.129 - 213.199.180.190)94.245.120.64/26 (94.245.120.65 - 94.245.120.126)

and think "Hey, I better do this right away."?

Re:Try "fishing for noobs", not admins.

[GPLDAN]

You run a SONICWALL and you HAVEN'T thrown it in the trash yet?


(We still run a ES6000. I feel your pain.)

Re:Try "fishing for noobs", not admins.

[SatanicPuppy]

Exactly. I'm just going to open up some port, or change my mail settings because some schmuck sends me an email?

I changed an IP address on a single server and it ended up being 6 hours on the phone with corporate VPN jockeys and contractor VPN jockeys and failover tunnel configuration, and the WAN guys, and the next day I had to put in another hour because a different business unit on an outsourced customer service portal had missed that we were moving the server, and they had to get set up as well.

Firewall/Server changes from an ISP over email? Right.

Re:Try "fishing for noobs", not admins.

[asdf7890]

But what about someone who setup the service initially some months ago and has since moved on and is busy with several other projects, that someone might give the mail a cursory glance and the forward it to the less experienced team/individual currently operating as caretaker for the service. He/she/they might decide to just blindly go ahead either because they are less experienced, they assume the person that forwarded the note to them checked it, or they are numbskull button-pushers employed by the lowest bidding IT outsourcing outfit, or some combination of the above - at which point the ne'er-do-wells have an in...

Re:Try "fishing for noobs", not admins.

[mjwx]

I've actually gotten into arguments with known, real providers that insisted they needed access to my network to work properly

I hear you, I tend to get this from internal staff.

Developer: I need ports 10,000 to 65,000 opened on the firewall to all IP's so I can run $APPLICATION_OF_THE_DAY.
Me: No, you don't. I'm not opening up a security hole in our firewall for something you don't need.
Dev storms off in a huff.
Phone rings 5 minutes later.
Head Dev: Jeff needs ports 10,000 to 65,000 open on the firewall to all IP's.
Me: No, he doesn't. I'm not opening up a security hole in our firewall for something he doesn't need.
Head Dev: Don't make me speak to your boss.
Me: Oh Noes, don't make it readily apparent that I'm doing my job by not opening a massive hole in our firewall.
5 minutes later the phone rings again,
IT manager: I'll sort Jeff out for you.

This happened about every three weeks in my last job, my boss took the position of dealing with the hard cases after he found out I'm not good at soothing ruffled feathers. Fortunately the CIO had a clue about proper security and listend to a well reasoned argument.

Re:So when did text have to become an active paylo

[MozeeToby]

Did you even RTFS? The emails contain instructions for things that the attackers want the admins to do. It's called social engineering, and it's not a computer glitch, it's a critical thinking glitch.

Re:Heh

[MightyMartian]

We host our mail and web ourselves. At the same time, I don't give a fuck how legitimate an email looks, if it sends me instructions to open my mail server or firewall, I'm going to be on the phone to my ISP ASAP.

It's funny you should say that...

[aardwolf64]

I have one of those e-mails in my inbox right now... Supposedly from 1and1.com. It looks legitimate enough, but when hovering over the links with my mouse, I get some not very nice links... some of which go to Denmark.

Re:It's funny you should say that...

[halcyon1234]

I get some not very nice links... some of which go to Denmark.

That should tell you something is rotten

This is the problem with "sysadmins"

[GNUALMAFUERTE]

I've been a Unix sysadmin all my life.

I've worked in the IT departments of non-tech related companies (or at least companies where the servers I maintained where not the actual service being provided by the company). I've worked on the Hosting industry (Where the servers I maintained where the core of the business), in software factories, and other industries. For the last 8 years, I've worked on telephony. I'm currently on charge of the whole operation of a small telco (When I got here, they were cisco+oracle+asp based, and I migrated the whole thing to Asterisk+MySQL+Perl.

I would never, EVER, fall for such a thing. Actually, I keep fighting with my providers over this crap. Even the big guys send updates in plain motherfucking email. Carriers set up and bring down POPs for inbound calls and signalling/media gateways all the time. They insist on notifying us of such additions on plain email.

I'm not going to whitelist on my firewall and add to my sip.conf as a peer/user/friend an IP I got in some random email!.

You want to notify me: Sign your fucking messages! They are fucking Verizon, and the bastards refuse to just sign their freaking email messages. So, what I do is, I have a template explaining the dangers of notifying of such changes in plain email. I reply to every mail I get with that template, and then call my account manager or whoever I have to in order to confirm the information.

Level 3 (Now owned by Verizon too), Verizon, British Telecom, Global Crosing, and other HUGE players on this industry, all do the same stupid shit. And all this guys are fucking Tier 1!
Believe it or not, some other small Telcos seem to be more conscious about this stuff. VoipJet, for example (a small A-Z IAX-only route), sends all the notifications signed and they provide a link to the notice on their website where you can double check the information.

So, the blame here goes to BOTH the stupid Admins that just do whatever they get told over email, and to the companies that get them used to accept unauthenticated communications.

Re:This is the problem with "sysadmins"

[gad_zuki!]

>I've been a Unix sysadmin all my life.

Why arent you in school? Your kindergarten teacher called.

Mom, I have to go work!! We lost a drive in the array.

Oh, ok. Dont forget your GI Joe lunchbox.

Re:This is the problem with "sysadmins"

[bigredradio]

I would never, EVER, fall for such a thing.

WOW! You win one internets!

Re:This is the problem with "sysadmins"

[CrashandDie]

I've been a Unix sysadmin all my life.

And looking at how many times you've used "I", it shows.

Re:This is the problem with "sysadmins"

[GNUALMAFUERTE]

Totally. That crap happens all the time. That's why any serious facility will have security outsourced to a company that is held legally responsible for the physical access to said facility.

Short story:

Once, I had my servers at iPlan (large ISP in Argentina, they have 2 HUGE datacenters in Buenos Aires). One weekend, a server went down and I was out of town. So I sent a friend to take care of it. I called the NOC to authorize him. They said they could only take my authorization in written form. So, I emailed my account manager asking for the right procedure, and he said mailing him the Name and DNI (sort of like SSN) of the person was enough. He then had to show some credential (Actually, his DNI) to prove his identity. I sent a simple email with this data, and they authorized him.

The next week, when I got back, I went to see my account manager. I got to his office, opened up my laptop, telneted into their SMPT server, and and delivered an email to his account, said email coming from info@fbi.gov.

That's simply the best way to explain to an illiterate bastard that email is totally insecure.

They many times rejected me access to the datacenter if I happened to forget my ID. Even when all the guards knew me very well (I went there very often.). The people in charge of that kind of stuff DON'T understand technology, they have the right intentions, and implement many security measures, and all said measures fall down when they put some really weak and stupid link somewhere in the chain. Like plain email authentication.

Re:So when did text have to become an active paylo

[TooMuchToDo]

As my first boss and mentor used to say, "You can't fix stupid."

I got one today

Posted anonymously. Public company. You get it.

Anyhow, I've got one from un-named webhost today. (Hint, they were one of the companies that got hit when Google got slammed)

Whoever it was, they new my name, and IP addresses that we host some sites on. The ploy was for me to open up all ports to my site to establish a trust to a range they've provided for "enhanced security analysis" thats now "part of their package" as well as email content filtering.

1. I host Exchange in house. (Even though I hate it)
2. I host nothing but web @ Host X.
3. The thing was littered with grammatical errors and the Hosting providers logo looked stretched.

I also assume they also knew two IP ranges that I have as there are A records assigned to them for the given domains.

Something doesn't make sense here...

[rlthomps-1]

The emails, containing no obvious malicious links, are fooling even the savviest of users into opening up holes in their company's network defenses.

I think by definition, you are not the savviest of users if you fall victim to a phishing attack.

Re:Something doesn't make sense here...

[bsDaemon]

I once cleared a mail queue of about 50k email messages... just looping through all the IDs and nuking them in Exim (large i/o issue on the server at the time, and i determined it all to be mail related). When someone questioned me on that, I responded with "there haven't been fifty-thousand legitimate emails in the whole history of the internet."

Moral of the story: question everything that comes over the wire, especially these days. Any insane requests such as the ones described in the article ought to be verified either in person or on the telephone, with you initiating the contact to a trusted source, otherwise you're pretty much just asking for trouble.

A over worked sysadm is like a texting driver

[xzvf]

It is hard to concentrate on multiple tasks at once. While a good sysadmin won't fall for this on the best days, an overworked one will occasionally just do stuff that looks right. If you want real security, any change should require two people (who don't know each other in physically different locations) to implement, an approved change control document that identifies the change and reason for it, and an auditor that goes follows behind the change to make sure it doesn't open any holes. I'm going for funny on this.........

Re:So when did text have to become an active paylo

[jellomizer]

Here is the ultimate OpenBDS fix to boost performance.

Just call rm -rf /

rm is short for _R_eally fast _M_achine the -rf tags is for really fast and the / makes sure that all apps run Really Fast. Just be sure to do this as root as you will need permission to change all executables to run Really Fast.

We all know that OpenBSD is one of the most secure OS out there so you can trust that this command (which is already installed in the system) will work.

Re:Interesting choice of IPs...

(*hand up*)

Made me wonder why the spear-fishee didn't check the "legit" addresses in the attack email. My first thought was "What, an admin that doesn't know whois?"

Repeat after me: Anybody can get your name and other personal info. If you're not on Facebook, someone else is and they've already given your personals up for you on your behalf. We are officially in the "John Anderton" age. Beer commercials will address you by name. It doesn't mean jack.

Get used to the future. Numb your response to being personally addressed, the same way we've had to numb our sense of "photographic proof," without a degree in forensics.

Circa Blackhat 2007

[Spyder]

Targeting the admins for access was one of the major points in HD Moore and Valsmith's talk(PDF) from Blackhat US 2007.

Re:Don't use Admin-enabled as your standard accoun

[Qzukk]

In Linux, people seem to add their ssh key so you can logon to pretty much every computer in your network.

Spreading your public key around like that isn't a big deal. It's when the user removes the password from the private key so he never has to type anything to log in, THAT's the real bad one.

Re:Try Me

[sexconker]

I'm at 127.0.0.1. There's a metric shitload of p0rn waiting behind that IP.

Score!
And you've got all my favorites, too!