Slashdot Mirror


New "Spear Phishing" Attacks Target IT Admins

snydeq writes "A new breed of 'spear phishing' aimed at IT admins is making the rounds. The emails, containing no obvious malicious links, are fooling even the savviest of users into opening up holes in their company's network defenses. The authentic-looking emails, which often include the admin's complete name or refer to a real project they are working on, are the product of tactical research or database hacks and appear to have been sent by the company's hosting provider. 'In each case, the victim remembered getting a similar sort of email message when they first signed on with a service and, thus, thought the bogus message was legitimate — especially because their cloud/hosting providers keep bragging about all the new data centers they're continuing to bring online.' The phishing messages often include instructions for opening up mail servers to enable spam relaying, to disable their host-based firewalls, and to open up unprotected network shares. Certainly fodder for some bone-headed mistakes on the part of admins, the new attack 'makes the old days of hoax messages that caused users to delete legitimate operating system files seem relatively harmless.'"

18 of 134 comments

  1. Try "fishing for noobs", not admins. by pla · Score: 5, Insightful

    The phishing messages often include instructions for opening up mail servers to enable spam relaying, to disable their host-based firewalls, and to open up unprotected network shares.

    Why on Earth would I do that at the whim of my ISP or web host? I've actually gotten into arguments with known, real providers that insisted they needed access to my network to work properly (correct response: "No, no you don't - and neither does your competition"); I sure as hell wouldn't say "Oh, you have a new service? Cool, guess I'll chuck that Sonicwall in the trash now...".

    This may target "your nephew who does your computer stuff at the office", but it sure as hell doesn't target IT professionals.

    1. Re:Try "fishing for noobs", not admins. by Fnord666 · Score: 4, Interesting

      Seconded. Why in the world would anyone with a quarter of a clue look at

      We are pleased to announce the go-live date for a new Data Center, scheduled to go live on April 19, 2010.
      Please update your firewall rules to allow SMTP traffic on port 25 from the following IP address ranges:
      213.199.180.128/26 (213.199.180.129 - 213.199.180.190)
      94.245.120.64/26 (94.245.120.65 - 94.245.120.126)

      and think "Hey, I better do this right away."?

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    2. Re:Try "fishing for noobs", not admins. by GPLDAN · Score: 3, Funny

      You run a SONICWALL and you HAVEN'T thrown it in the trash yet?


      (We still run a ES6000. I feel your pain.)

    3. Re:Try "fishing for noobs", not admins. by SatanicPuppy · Score: 3, Interesting

      Exactly. I'm just going to open up some port, or change my mail settings because some schmuck sends me an email?

      I changed an IP address on a single server and it ended up being 6 hours on the phone with corporate VPN jockeys and contractor VPN jockeys and failover tunnel configuration, and the WAN guys, and the next day I had to put in another hour because a different business unit on an outsourced customer service portal had missed that we were moving the server, and they had to get set up as well.

      Firewall/Server changes from an ISP over email? Right.

      --
      ad logicam: Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    4. Re:Try "fishing for noobs", not admins. by asdf7890 · Score: 4, Interesting

      But what about someone who set up the service initially some months ago and has since moved on and is busy with several other projects? That someone might give the mail a cursory glance and then forward it to the less experienced team/individual currently operating as caretaker for the service. He/she/they might decide to just blindly go ahead either because they are less experienced, they assume the person that forwarded the note to them checked it, or they are numbskull button-pushers employed by the lowest-bidding IT outsourcing outfit, or some combination of the above - at which point the ne'er-do-wells have an in...
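As an added illustration (not from the article or any commenter), a small Python triage script that treats a "please update your firewall rules" notification like the one quoted in the thread above as untrusted input: it extracts the CIDR blocks, compares them against ranges the team has already confirmed out-of-band with the provider, and holds anything not on that list for phone verification rather than letting it become a rule. The notice text, the verified-range list and the phrase patterns are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample, modelled on the notification quoted in the thread.
NOTICE = """We are pleased to announce the go-live date for a new Data Center.
Please update your firewall rules to allow SMTP traffic on port 25 from the
following IP address ranges:213.199.180.128/26 (213.199.180.129 - 213.199.180.190)
94.245.120.64/26 (94.245.120.65 - 94.245.120.126)"""

# Hypothetical: ranges already confirmed by calling the account manager or
# taken from the provider's signed change notice. Maintained by the team;
# never populated from an incoming email.
VERIFIED_PROVIDER_NETS = [ipaddress.ip_network("213.199.180.128/26")]

# Phrases that turn an informational mail into a change request.
REQUEST_RE = re.compile(
    r"(update your firewall|allow .* traffic|open (?:up )?(?:port|share)|"
    r"disable .*firewall|enable .*relay)", re.I)
CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def extract_networks(text):
    """Pull every CIDR block out of the message body, skipping malformed ones."""
    nets = []
    for cidr in CIDR_RE.findall(text):
        try:
            nets.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            continue  # not a real network, ignore rather than crash the triage
    return nets


def triage(text, verified=VERIFIED_PROVIDER_NETS):
    """Return (decision, unverified_networks) for an inbound notification.

    Any change request whose ranges are not all contained in the verified
    list is held: the operator confirms by phone (operator-initiated call),
    then adds the range to the verified list, and only then changes a rule.
    """
    if not REQUEST_RE.search(text):
        return "no-change-request", []
    nets = extract_networks(text)
    unverified = [n for n in nets
                  if not any(n.subnet_of(v) for v in verified)]
    if not nets or unverified:
        return "hold-verify-out-of-band", unverified
    return "matches-verified-list", []


if __name__ == "__main__":
    decision, held = triage(NOTICE)
    print(decision, [str(n) for n in held])
```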

  2. Re:So when did text have to become an active paylo by MozeeToby · Score: 4, Informative

    Did you even RTFS? The emails contain instructions for things that the attackers want the admins to do. It's called social engineering, and it's not a computer glitch, it's a critical thinking glitch.

  3. Re:Heh by MightyMartian · Score: 4, Insightful

    We host our mail and web ourselves. At the same time, I don't give a fuck how legitimate an email looks, if it sends me instructions to open my mail server or firewall, I'm going to be on the phone to my ISP ASAP.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  4. It's funny you should say that... by aardwolf64 · Score: 3, Interesting

    I have one of those e-mails in my inbox right now... Supposedly from 1and1.com. It looks legitimate enough, but when hovering over the links with my mouse, I get some not very nice links... some of which go to Denmark.

    1. Re:It's funny you should say that... by halcyon1234 · Score: 5, Funny

      I get some not very nice links... some of which go to Denmark.

      That should tell you something is rotten

  5. This is the problem with "sysadmins" by GNUALMAFUERTE · Score: 5, Interesting

    I've been a Unix sysadmin all my life.

    I've worked in the IT departments of non-tech related companies (or at least companies where the servers I maintained were not the actual service being provided by the company). I've worked in the hosting industry (where the servers I maintained were the core of the business), in software factories, and other industries. For the last 8 years, I've worked on telephony. I'm currently in charge of the whole operation of a small telco (when I got here, they were Cisco+Oracle+ASP based, and I migrated the whole thing to Asterisk+MySQL+Perl).

    I would never, EVER, fall for such a thing. Actually, I keep fighting with my providers over this crap. Even the big guys send updates in plain motherfucking email. Carriers set up and bring down POPs for inbound calls and signalling/media gateways all the time. They insist on notifying us of such additions on plain email.

    I'm not going to whitelist on my firewall and add to my sip.conf as a peer/user/friend an IP I got in some random email!

    You want to notify me: Sign your fucking messages! They are fucking Verizon, and the bastards refuse to just sign their freaking email messages. So, what I do is, I have a template explaining the dangers of notifying of such changes in plain email. I reply to every mail I get with that template, and then call my account manager or whoever I have to in order to confirm the information.

    Level 3 (now owned by Verizon too), Verizon, British Telecom, Global Crossing, and other HUGE players in this industry, all do the same stupid shit. And all these guys are fucking Tier 1!
    Believe it or not, some other small Telcos seem to be more conscious about this stuff. VoipJet, for example (a small A-Z IAX-only route), sends all the notifications signed and they provide a link to the notice on their website where you can double check the information.

    So, the blame here goes to BOTH the stupid Admins that just do whatever they get told over email, and to the companies that get them used to accept unauthenticated communications.

    --
    WTF am I doing replying to an AC at 5 A.M. on a Friday night?
    1. Re:This is the problem with "sysadmins" by gad_zuki! · Score: 4, Funny

      >I've been a Unix sysadmin all my life.

      Why aren't you in school? Your kindergarten teacher called.

      Mom, I have to go work!! We lost a drive in the array.

      Oh, ok. Don't forget your GI Joe lunchbox.

  6. Re:So when did text have to become an active paylo by TooMuchToDo · Score: 3, Insightful

    As my first boss and mentor used to say, "You can't fix stupid."

  7. Something doesn't make sense here... by rlthomps-1 · Score: 4, Insightful

    The emails, containing no obvious malicious links, are fooling even the savviest of users into opening up holes in their company's network defenses.

    I think by definition, you are not the savviest of users if you fall victim to a phishing attack.

    1. Re:Something doesn't make sense here... by bsDaemon · Score: 3, Insightful

      I once cleared a mail queue of about 50k email messages... just looping through all the IDs and nuking them in Exim (large I/O issue on the server at the time, and I determined it all to be mail related). When someone questioned me on that, I responded with "there haven't been fifty-thousand legitimate emails in the whole history of the internet."

      Moral of the story: question everything that comes over the wire, especially these days. Any insane requests such as the ones described in the article ought to be verified either in person or on the telephone, with you initiating the contact to a trusted source, otherwise you're pretty much just asking for trouble.

  8. An overworked sysadm is like a texting driver by xzvf · Score: 5, Insightful

    It is hard to concentrate on multiple tasks at once. While a good sysadmin won't fall for this on the best days, an overworked one will occasionally just do stuff that looks right. If you want real security, any change should require two people (who don't know each other, in physically different locations) to implement, an approved change control document that identifies the change and the reason for it, and an auditor that follows behind the change to make sure it doesn't open any holes. I'm going for funny on this.........

  9. Re:So when did text have to become an active paylo by jellomizer · Score: 3, Funny

    Here is the ultimate OpenBSD fix to boost performance.

    Just call rm -rf /

    rm is short for _R_eally fast _M_achine, the -rf tags are for really fast, and the / makes sure that all apps run Really Fast. Just be sure to do this as root, as you will need permission to change all executables to run Really Fast.

    We all know that OpenBSD is one of the most secure OS out there so you can trust that this command (which is already installed in the system) will work.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  10. Circa Blackhat 2007 by Spyder · Score: 3, Informative

    Targeting the admins for access was one of the major points in HD Moore and Valsmith's talk (PDF) from Blackhat US 2007.

    --
    Spyder
  11. Re:Don't use Admin-enabled as your standard accoun by Qzukk · Score: 4, Insightful

    In Linux, people seem to add their ssh key so you can log on to pretty much every computer in your network.

    Spreading your public key around like that isn't a big deal. It's when the user removes the password from the private key so he never has to type anything to log in, THAT's the real bad one.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.