New "Spear Phishing" Attacks Target IT Admins

snydeq writes "A new breed of 'spear phishing' aimed at IT admins is making the rounds. The emails, containing no obvious malicious links, are fooling even the savviest of users into opening up holes in their company's network defenses. The authentic-looking emails, which often include the admin's complete name or refer to a real project they are working on, are the product of tactical research or database hacks and appear as if having been sent by the company's hosting provider. 'In each case, the victim remembered getting a similar sort of email message when they first signed on with a service and, thus, thought the bogus message was legitimate — especially because their cloud/hosting providers keep bragging about all the new data centers they're continuing to bring online.' The phishing messages often include instructions for opening up mail servers to enable spam relaying, to disable their host-based firewalls, and to open up unprotected network shares. Certainly fodder for some bone-headed mistakes on the part of admins, the new attack 'makes the old days of hoax messages that caused users to delete legitimate operating system files seem relatively harmless.'"

Try "fishing for noobs", not admins.

[pla]

The phishing messages often include instructions for opening up mail servers to enable spam relaying, to disable their host-based firewalls, and to open up unprotected network shares.

Why on Earth would I do that at the whim of my ISP or web host? I've actually gotten into arguments with known, real providers that insisted they needed access to my network to work properly (correct response - "No, no you don't - and neither does your competition"), I sure as hell wouldn't say "Oh, you have a new service? Cool, guess I'll chuck that Sonicwall in the trash now...".

This may target "your nephew who does your computer stuff at the office", but it sure as hell doesn't target IT professionals.

This is the problem with "sysadmins"

[GNUALMAFUERTE]

I've been a Unix sysadmin all my life.

I've worked in the IT departments of non-tech related companies (or at least companies where the servers I maintained where not the actual service being provided by the company). I've worked on the Hosting industry (Where the servers I maintained where the core of the business), in software factories, and other industries. For the last 8 years, I've worked on telephony. I'm currently on charge of the whole operation of a small telco (When I got here, they were cisco+oracle+asp based, and I migrated the whole thing to Asterisk+MySQL+Perl.

I would never, EVER, fall for such a thing. Actually, I keep fighting with my providers over this crap. Even the big guys send updates in plain motherfucking email. Carriers set up and bring down POPs for inbound calls and signalling/media gateways all the time. They insist on notifying us of such additions on plain email.

I'm not going to whitelist on my firewall and add to my sip.conf as a peer/user/friend an IP I got in some random email!.

You want to notify me: Sign your fucking messages! They are fucking Verizon, and the bastards refuse to just sign their freaking email messages. So, what I do is, I have a template explaining the dangers of notifying of such changes in plain email. I reply to every mail I get with that template, and then call my account manager or whoever I have to in order to confirm the information.

Level 3 (Now owned by Verizon too), Verizon, British Telecom, Global Crosing, and other HUGE players on this industry, all do the same stupid shit. And all this guys are fucking Tier 1!
Believe it or not, some other small Telcos seem to be more conscious about this stuff. VoipJet, for example (a small A-Z IAX-only route), sends all the notifications signed and they provide a link to the notice on their website where you can double check the information.

So, the blame here goes to BOTH the stupid Admins that just do whatever they get told over email, and to the companies that get them used to accept unauthenticated communications.

A over worked sysadm is like a texting driver

[xzvf]

It is hard to concentrate on multiple tasks at once. While a good sysadmin won't fall for this on the best days, an overworked one will occasionally just do stuff that looks right. If you want real security, any change should require two people (who don't know each other in physically different locations) to implement, an approved change control document that identifies the change and reason for it, and an auditor that goes follows behind the change to make sure it doesn't open any holes. I'm going for funny on this.........

Re:It's funny you should say that...

[halcyon1234]

I get some not very nice links... some of which go to Denmark.

That should tell you something is rotten