Slashdot Mirror


The Sophisticated Business of Today's Most Nasty Phishing Attacks (infoworld.com)

snydeq writes: Forget Nigerian princes — today's spearphishing is sophisticated business, fooling even the most seasoned security pros, writes InfoWorld's Roger A. Grimes, in a look at what sets today's most sophisticated spearphishing attempts apart. 'Most of the time, phishing attempts are a minor menace we solve with a Delete key. Enter spearphishing: a targeted approach to phishing that is proving nefariously effective, even against the most seasoned security pros. Why? Because they are crafted by thoughtful professionals who seem to know your business, your current projects, your interests. They don't tip their hand by trying to sell you anything or claiming to have money to give away. In fact, today's spearphishing attempts have far more sinister goals than simple financial theft.'

38 comments

  1. Not new by Anonymous Coward · · Score: 0

    Not new on the Internet; not new in general: http://www.imdb.com/title/tt0070735/

    1. Re:Not new by U2xhc2hkb3QgU3Vja3M · · Score: 2

      Is that a real link? The summary made me paranoid.

      Fight for your bitcoins!

    2. Re:Not new by Anonymous Coward · · Score: 0

      Is that a real link? The summary made me paranoid.

      Fight for your bitcoins!

      Just another dumb cunt who can't comprehend what <a href> and </a> tags are for. Like dumb bastards who write "it's" when they meant "its", confuse there/their/they're, or pronounce "nuclear" as "nyoo-kee-lar", these are all sure signs that they're a fucking moron and whatever bullshit they espouse is not worth your attention.

    3. Re:Not new by Anubis+IV · · Score: 1

      Great movie, and yeah, definitely not new. I remember studying spearphishing attacks back around the 2008-2010 time frame while doing some grad research. Moral of the story: never click email links from anyone. Always navigate to the site yourself.

    4. Re:Not new by Zontar+The+Mindless · · Score: 1

      Whereas you're a humourless moron, and that's somehow better.

      --
      Il n'y a pas de Planet B.
  2. Link to phishing site! by Anonymous Coward · · Score: 0

    which is the plan according to Dice. Why do you come here anymore? Leave and never come back! Dice will sell /. for $1. THEN come back.

    I have retorted!

    1. Re:Link to phishing site! by Anonymous Coward · · Score: 0

      which is the plan according to Dice. Why do you come here anymore? Leave and never come back! Dice will sell /. for $1. THEN come back.

      I have retorted!

      No, you have retarded. Perform fellatio (with swallowing) on a well-endowed African American man and fuck right off.

  3. spearphishing or honeypot by turkeydance · · Score: 1

    it's an ego play.

    1. Re:spearphishing or honeypot by AHuxley · · Score: 1

      Or a competitor, state gov/fed officials/other gov/militnational or even legal international police cooperation trying to find out why all the no bid contracts go to just one company without trying to attract too much attention.
      If they seem to know so much, who or what is leaking the details to even set up the skilled entry attempts.

      --
      Domestic spying is now "Benign Information Gathering"
  4. "fooling even the most seasoned security pros" by JoeyRox · · Score: 1

    What seasoned security pro would click on a link that takes them somewhere that requires account credentials...and then enter those credentials?

    1. Re:"fooling even the most seasoned security pros" by Anonymous Coward · · Score: 1

      That would be MS seasoned security pros. The rest of us know better.

    2. Re:"fooling even the most seasoned security pros" by caseih · · Score: 4, Informative

      If you read the fine article, you'll find that what the author is really talking about is a full-blown compromise of corporate networks.

      Today's adversary isn't merely a passive reader. They intercept and change emails, albeit slightly, when the need arises. Yes decisions may become no; no may become yes. Sometimes key recipients will be removed from the email's receiver list. More receivers may be added. Email groups may be modified. Encryption and signing may be turned off.

      In one of the most notorious examples I've ever read, a company knew it was badly compromised with an APT. In an attempt to reclaim the network, the help desk sent out an email asking every recipient to change their password. Certainly, that would make it harder for the malicious intruders to hang out -- except that the intruders had control of the help desk's email account. Right before the email was sent, the intruders changed the embedded link so that it took users to a perfect copy of the company's password-change website hosted under the intruder's control. Users followed the help desk directions, but in doing so allowed intruders to capture every password change.

      Seems to me the problem isn't phishing... it's the compromise to begin with, and the problems that led to that.

    3. Re:"fooling even the most seasoned security pros" by Jeremi · · Score: 1

      If they can combine the phishing email with a known browser exploit, then just getting the victim to click the link can be enough -- no entering of credentials is necessary.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    4. Re:"fooling even the most seasoned security pros" by oic0 · · Score: 2

      The latest phishing test we did at work used a spoofed email address that looked like HR at our domain and said you needed to read the enclosed word document, print it, and turn it in to HR. No macros so you didn't need to enable editing or enable macros in the document for it to work and it still silently redirected to an external site. In practice the email wouldn't have gotten through without help, but all it takes is one. You can image with just a word document, an internal looking email address, and proper writing skills, it got a LOT of hits.

    5. Re:"fooling even the most seasoned security pros" by MyAlternateID · · Score: 1

      That would be MS seasoned security pros. The rest of us know better.

      Yes, but it's so Easy To Use!

    6. Re:"fooling even the most seasoned security pros" by Anonymous Coward · · Score: 0

      You can image with just a word document, an internal looking email address, and proper writing skills

      I suppose, but when I want to image, my digital camera seems to do a much better job.

    7. Re:"fooling even the most seasoned security pros" by Pinky's+Brain · · Score: 1

      I can image better writing skills, that was clear as mud.

    8. Re:"fooling even the most seasoned security pros" by ArsenneLupin · · Score: 1

      What seasoned security pro would click on a link that takes them somewhere that requires account credentials...and then enter those credentials?

      It's not just about phishing... the article's title is poorly chosen. Even the Nigerian 419 scams in the introductory paragraph are not phishing, strictly speaking.

      What they are doing is hacking weakly protected business partners of the actual target and sending virus-laden mail from there to the intended target. Virtually impossible to spot (everything about the mail looks correct, including the actual content, which is indeed speaking about an ongoing project with this (hacked) partner). The only fault of the target is to run Windows. Now, a "seasoned security pro" might not run Windows of his own accord, but in many companies people don't have the choice about that...

    9. Re:"fooling even the most seasoned security pros" by ArsenneLupin · · Score: 1

      Right before the email was sent, the intruders changed the embedded link so that it took users to a perfect copy of the company's password-change website hosted under the intruder's control. Users followed the help desk directions, but in doing so allowed intruders to capture every password change.

      Seems to me the problem isn't phishing... it's the compromise to begin with, and the problems that led to that.

      Or, in this case, subcontracting the most trivial tasks out of the company. If it is expected that even company-internal business is run outside of the company's network (surveymonkey...), then nobody blinks an eye if the password changing site isn't hosted by the company either.

    10. Re:"fooling even the most seasoned security pros" by ArsenneLupin · · Score: 1

      a spoofed email address that looked like HR at our domain

      A seasoned security pro would spot that... unless they actually hacked HR, and used their real e-mail (which would be one plausible attack vector, as HR are usually not "seasoned security pros", and are expected to receive loads of dodgy word documents which could carry all kinds of nasty...)

    11. Re:"fooling even the most seasoned security pros" by KGIII · · Score: 1

      Well, they did mention "proper writing skills" so, I presume, they've not actually been able to do this as they appear to lack those skills. Perhaps they're sharing why it is, exactly, that "it" got lots of hits - they probably failed and were promptly beaten by their coworkers.

      --
      "So long and thanks for all the fish."
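Added example (not from the article or from any commenter): oic0 describes a Word document that needed no macros and still "silently redirected to an external site", and ArsenneLupin points out that HR routinely receives Word documents from outside. One way a macro-free .docx reaches out is through a relationship declared with TargetMode="External" in one of its *.rels parts (a remote attached template or linked image is fetched when the document opens; a hyperlink needs a click). The scanner below lists those, and reports whether a VBA project is present. The sample document, its hostnames and the `AUTO_FETCH` set are my assumptions, constructed for the demonstration; the sample contains only the parts the scanner reads and is not a complete Word file.

```python
"""Scan a .docx for relationships that reach outside the file.

A .docx is a zip of XML parts; every link from one part to something else
is declared in a *.rels file, and an entry with TargetMode="External" is a
URL Word will contact. A remote attached template or linked image is
fetched on open with no macro involved.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Assumption: relationship types Word resolves on its own when the document
# opens; a hyperlink is also reported, but needs a click.
AUTO_FETCH = {"attachedTemplate", "image", "oleObject", "frame", "subDocument"}
_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def scan_docx(data: bytes) -> dict:
    """Return every external relationship plus whether a VBA project exists."""
    findings = {"external": [], "has_macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("vbaProject.bin"):
                findings["has_macros"] = True
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # reference to another part inside the zip
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                findings["external"].append({
                    "part": name,
                    "type": kind,
                    "target": rel.get("Target"),
                    "auto_fetch": kind in AUTO_FETCH,
                })
    return findings


def auto_fetch_targets(findings: dict) -> list:
    """URLs the document contacts without user interaction: the ones to block."""
    return [r["target"] for r in findings["external"] if r["auto_fetch"]]


def build_sample_docx() -> bytes:
    """Constructed stand-in for the HR document in the thread: no macros, one
    external attached template (hypothetical host) and one ordinary hyperlink."""
    doc_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="' + _REL_TYPE + 'settings" Target="settings.xml"/>'
        '<Relationship Id="rId2" Type="' + _REL_TYPE + 'hyperlink" '
        'Target="https://intranet.example.com/hr" TargetMode="External"/>'
        '</Relationships>'
    )
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="' + _REL_TYPE + 'attachedTemplate" '
        'Target="http://hr-forms.example.invalid/template.dotm" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # placeholder parts only
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_docx(build_sample_docx())
    for rel in result["external"]:
        flag = "AUTO" if rel["auto_fetch"] else "click"
        print(f"{flag:5} {rel['type']:16} {rel['target']}  ({rel['part']})")
    print("macros:", result["has_macros"])
```

Run it on a real attachment with `scan_docx(open(path, "rb").read())`. A document whose `auto_fetch_targets` is non-empty and whose targets are not company hosts is the case the thread describes: nothing to enable, the fetch happens on open, so this is a check for the mail gateway rather than for the user.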
  5. Misleading title by Anonymous Coward · · Score: 0

    The editor seems to have confused "compromised network" with "phishing."

    Methinks /. needs new editors.

  6. How Are these Foreign Companies Legitimate? by Anonymous Coward · · Score: 1

    From TFA:

    "Today’s professional Internet criminals work 9-to-5 days, pay taxes, and get weekends and holidays off. The companies they work for often have dozens to hundreds of employees, pay bribes to local law enforcement and politicians, and are often seen as the employer of choice in their region. Working for companies that break into companies in other countries is often proudly worn as a patriotic badge."

    Tell me again why a submarine launched Tomahawk cruise missile doesn't suddenly strike that corporate HQ one day, killing everyone in the building and reducing it to rubble and ash? It seems that these people need to be reminded of who they're messing with when they declare war against our financial system.

    1. Re:How Are these Foreign Companies Legitimate? by Marginal+Coward · · Score: 1

      "Today’s professional Internet criminals work 9-to-5 days, pay taxes, and get weekends and holidays off."

      Sure, but whaddya bet that they go out to lunch a little early on Fridays to beat the crowd? After all, they are criminals...

    2. Re:How Are these Foreign Companies Legitimate? by MyAlternateID · · Score: 3, Insightful

      From TFA:

      "Today’s professional Internet criminals work 9-to-5 days, pay taxes, and get weekends and holidays off. The companies they work for often have dozens to hundreds of employees, pay bribes to local law enforcement and politicians, and are often seen as the employer of choice in their region. Working for companies that break into companies in other countries is often proudly worn as a patriotic badge."

      Tell me again why a submarine launched Tomahawk cruise missile doesn't suddenly strike that corporate HQ one day, killing everyone in the building and reducing it to rubble and ash? It seems that these people need to be reminded of who they're messing with when they declare war against our financial system.

      The people who own the financial system are definitely not the people worthy of any sort of patriotic sentiment. There is a reason Jefferson warned us about this a long time ago, because even in his time, this system wasn't new.

      Incidentally, two U.S. Presidents were killed by being shot in the head in public: Abraham Lincoln and JFK. What do they both have in common? They both tried to issue interest-free money directly through the Treasury department, outside of the control of private bankers. In Lincoln's case, they were called Greenbacks. In JFK's case, they were a representative currency (dollars backed by silver). I'm sure that's a total coincidence. After all, if someone tells you that a street thug might shoot you to take the $50 in your wallet, that person is reasonable; if someone else says that banksters would kill anyone to protect their trillions-of-dollars financial empires, well that guy's just a conspiracy nut, just like those guys who said several years ago that the NSA was spying on everyone, right? It's a good thing we're all above such tin-foil hattery!

      Of course there's the more practical matter of whether it's really worthwhile to kill people and commit what foreign nations would call an act of war, merely because a few domestic corporations had shitty security since they failed to appreciate that the public Internet is a hostile network. Generally, we don't kill people for financial or other property crimes, and we aren't supposed to sanction them in any way at all without a trial (preceded by an extradition if necessary).

      If you're going to pull an "America, FUCK YEAH!", please understand that "America" used to actually mean something, and in particular it meant we don't do certain things -- like punish people without due process -- just because more authoritarian nations might do such things. That was once the sort of thing we observed other nations doing, frowned upon, and considered ourselves better than. Believe it or not, the collective culture once valued the visceral satisfaction of swift vengeance less than it valued the sanctity of our founding principles. A good history book will talk about this, and the sad thing is, you would need one to hear about such things today.

    3. Re:How Are these Foreign Companies Legitimate? by Anonymous Coward · · Score: 1

      If you're going to pull an "America, FUCK YEAH!", please understand that "America" used to actually mean something, and in particular it meant we don't do certain things -- like punish people without due process -- just because more authoritarian nations might do such things. That was once the sort of thing we observed other nations doing, frowned upon, and considered ourselves better than.

      Things like ... oh, you know ... bombing a hospital run by a non-partisan international medical aid organization and killing 30 people -- staff and patients -- despite having been provided with the exact GPS coordinates of the hospital's location mere days earlier, thereby violating not only the Geneva Convention but pretty much all of the fundamental mores of humanity and decency.

      (anon to preserve mods and for no other reason)

    4. Re:How Are these Foreign Companies Legitimate? by Anonymous Coward · · Score: 0

      Followed your Jefferson link:

      This quotation is at least partly spurious; see comments below.

  7. Table turning by Anonymous Coward · · Score: 0

    Such attempts can easily be stopped dead to rights by social reverse engineering and attention to detail. Obviously the seasoned IT professionals do not sound like real IT professionals at all. In this day and age you have to think more like a Black Hat and less like an engineer in a hat when it comes to information security.

  8. Facebook, Twitter, Snapchat, Instagram, Etc. by Hylandr · · Score: 1

    With smartphones and social media broadcasting our every little detail through the lens of narcissistic amplification to the entire planet it wouldn't take much effort at all to figure out your soft spots. All it would take is the idea and a psychologist leading a call center where teams work on a list of targets scraping social media.

    Oh hey, here's one from town x in the state of y and there is a documented outage of y right now. Let's call pretending to have shut y off until they pay the overdue amount.

    Then there's the 'find out your new Star Trek Name' games:
    Correlating your birthday to words? You just gave them your birth date, etc.

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
  9. we -require- employees to do so. Mandatory trainin by raymorris · · Score: 5, Informative

    There are plenty of regulations and such that require all employees take certain training or sign certain forms. In any company of significant size, HR sends out such emails.

    In the security realm specifically, SANS is a major, major name. Possibly the best known and respected provider of security training. They offer some of that training at securingthehuman.org. They have a program in which companies can have all employees take SANS training at CompanyName.securingthehuman.org. To ensure that each employee does the training, you have to log in with your credentials.

    Of course HR or the security administrator sends a mass email telling all employees to click the link to take their mandatory security training. That's security administrators working with the leading provider of security training, and we're REQUIRING all employees to click an emailed link and enter credentials.

    At most security-conscious companies, employees also have to agree to the security policy. In order to have a database showing that every employee has received the policy, we have them LOG IN and click "I have read and agree to the policy". And we send that link out to all employees either upon hire or annually.

    We don't just click links, the security professionals -require- all employees to click the link and log in. Then we get annoyed when an executive or sysadmin clicks a link in an official-looking email and logs in (forgetting that we ourselves did the same thing two weeks before).

  10. Re:we -require- employees to do so. Mandatory trai by hanwenn · · Score: 1

    We have such courses at Google too, but the vendors are invariably required to use OAuth, so no credentials are entered on 3rd party sites.

  11. The companies they describe... by tomxor · · Score: 1

    Do not sound dissimilar in action from the NSA, GCHQ, [intelligence agency X]... from the TFA:

    The companies they work for often have dozens to hundreds of employees, pay bribes to local law enforcement and politicians, and are often seen as the employer of choice in their region. Working for companies that break into companies in other countries is often proudly worn as a patriotic badge.

  12. Simple solution - color-encode source of emails by JoeyRox · · Score: 1

    Demarcate internally-sent emails from external in the server and email clients (by IP address, with additional logic to detect spoofing). That way it becomes immediately clear whether the email you got is really from your coworker.

    1. Re:Simple solution - color-encode source of emails by Anonymous Coward · · Score: 0

      How would that help with anything? If John (internal email user) usually gets funny lolcat pictures from Linda (external email user), coloring would indicate external but the link would still be clicked by John. Unfortunately the faux lolcat page now carries a JS payload that hits the browser => Done.

      And about that additional logic to detect spoofing, how would that help if Linda's PC is already under external control. Whoever controls them has been monitoring for months that every few days there's a great lolcat mail to intercept and re-use to hit John's company's network. These mails look absolutely legit to John - as far as lolcat emails can look legit in the first place.

    2. Re:Simple solution - color-encode source of emails by JoeyRox · · Score: 1

      It would help by instructing employees not to click emails that claim to be from their coworkers but are color-coded to indicate they're from an external email source.

    3. Re:Simple solution - color-encode source of emails by Anonymous Coward · · Score: 0

      The whole problem exists because social engineering works. If the email says "I'm in my home office, sorry I had to use my private email address", what does a color encoding help? People will be like "Sure it's from external because he is not using his internal account" and off they go click into the email.

      We've been trying to educate users for decades now about reading and considering warning dialogs and other visual cues. Unfortunately that doesn't help. Users develop a simple habit to click until the dialog box goes away (usually pressing OK because it will enable more functionality). They would easily ignore your coloring, too, if it enables them to see lolcats. If you make stricter rules and start blocking emails, that will last until one important email doesn't reach the boss. Then you are toast. Even if it was an invitation to a golf club gathering.

  13. an invisible technical detail, if OAuth embedded by raymorris · · Score: 1

    Is the OAuth launched from / embedded in the 3rd party site?
    In other words, does the email link to a 3rd party, which then has an iframe or popup to Google's OAuth? If so, the source of the iframe is a technical detail that's invisible to the user. As far as they can tell, it's a third-party site they're being told to enter their credentials into.

    The alternative is to have them log in to the local trusted company web site, which then has an SSO link to the third party, so that users never enter credentials after the third-party site is loaded.

  14. Re:we -require- employees to do so. Mandatory trai by Mike+Van+Pelt · · Score: 1

    There are plenty of regulations and such that require all employees take certain training or sign certain forms. In any company of significant size, HR sends out such emails.

    At a previous company, HR sent out just such an email, and the links all went off-site, to some domain like "12monkeys.com". That wasn't the name, but it was something similarly named, a "no actual company HR would really use would ever have a name like that" sort of domain. It was also newly registered, and I believe that it had "Privacy Protect" on its whois data to boot.

    When I got it, I immediately sounded the alarm, yelling "PHISHY PHISHY PHISHY PHISH!!!", because the email went to everyone in the company. The HR types were ... quite put out ... but I did the right thing, and my boss, and everyone having anything to do with security agreed.

    I'd like to think the HR types learned something from that one, but I suspect they didn't.
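Added example, written for this page and not taken from the article or any commenter. It serves two threads above: JoeyRox's proposal (#12) to mark mail as internal or external "with additional logic to detect spoofing", and Mike Van Pelt's genuine HR mail (#14) whose links all went off-site. The origin label is derived from the SPF/DKIM/DMARC verdicts in the Authentication-Results header; the link check simply lists body link hosts that are not company hosts. Everything named here is an assumption: `example.com` as the company domain, `mx.example.com` as the authserv-id of our own border MTA (which must strip any Authentication-Results header that arrives from outside, otherwise a sender can pre-forge one), the trusted host list, and the three constructed messages, which are not real traffic.

```python
"""Label a message by where it really came from, then list its link hosts."""
import re
import email
from email import policy
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"                                 # assumption
TRUSTED_LINK_HOSTS = {"example.com", "intranet.example.com"}   # assumption
GATEWAY_ID = "mx.example.com"        # assumption: authserv-id of our own MTA

_URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.I)


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts, but only from headers our gateway stamped."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, clauses = str(hdr).partition(";")
        if authserv.strip() != GATEWAY_ID:
            continue                      # somebody else's verdict: ignore it
        for clause in clauses.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", clause)
            if not m:
                continue
            out[m.group(1)] = m.group(2).lower()
            if m.group(1) == "dkim":
                d = re.search(r"header\.d=([\w.\-]+)", m.group(3))
                if d:
                    out["dkim_domain"] = d.group(1).lower()
    return out


def classify(raw: bytes) -> dict:
    """Return the origin label and the link hosts found in the body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = msg["From"].addresses[0].addr_spec.lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    auth = auth_results(msg)
    claims_internal = from_domain == COMPANY_DOMAIN
    # A DKIM signature by the From: domain is the strongest cheap signal here.
    authenticated = auth.get("dkim") == "pass" and auth.get("dkim_domain") == from_domain
    if claims_internal and authenticated:
        origin = "internal"
    elif claims_internal:
        origin = "spoofed-internal"   # HR look-alike sent from outside
    elif authenticated:
        origin = "external"           # real sender; may still be a hacked partner
    else:
        origin = "external-unauthenticated"
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hosts = sorted({urlparse(u).hostname.lower() for u in _URL_RE.findall(text)})
    return {"from": from_addr, "origin": origin, "links": hosts,
            "external_links": [h for h in hosts if h not in TRUSTED_LINK_HOSTS]}


# Constructed messages (not real traffic); the Authentication-Results line is
# what our gateway would have added on delivery.
SPOOFED_HR = b"""From: HR <hr@example.com>
To: staff@example.com
Subject: Mandatory form - print and return to HR
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain; charset=us-ascii

Please open http://hr-forms.example.invalid/form.docx and return it to HR.
"""

GENUINE_HR_OFFSITE_LINK = b"""From: HR <hr@example.com>
To: staff@example.com
Subject: Mandatory training
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=us-ascii

Complete your training at https://training-portal.example.net/login by Friday.
"""

HACKED_PARTNER = b"""From: Alice <alice@partner.example.org>
To: bob@example.com
Subject: Re: project specs
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner.example.org; dkim=pass header.d=partner.example.org; dmarc=pass header.from=partner.example.org
Content-Type: text/plain; charset=us-ascii

Updated specs: http://partner.example.org/projects/specs.docx
"""

if __name__ == "__main__":
    for sample in (SPOOFED_HR, GENUINE_HR_OFFSITE_LINK, HACKED_PARTNER):
        print(classify(sample))
```

The three samples show the limits the thread argues about. The spoofed HR mail is caught by the header check alone. The genuine HR mail authenticates as internal, so only the link check flags it: the off-site host is what Mike Van Pelt noticed by hand, and checking the domain's registration date as he did needs a WHOIS or RDAP lookup that this offline example does not make. The hacked partner's mail passes every check and links to the partner's own site, which is the case the anonymous replies to #12 raise: no colour coding distinguishes a trusted sender from a trusted sender whose mailbox someone else controls.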