

The Sophisticated Business of Today's Most Nasty Phishing Attacks (infoworld.com)

snydeq writes: Forget Nigerian princes — today's spearphishing is sophisticated business, fooling even the most seasoned security pros, writes InfoWorld's Roger A. Grimes, in a look at what sets today's most sophisticated spearphishing attempts apart. 'Most of the time, phishing attempts are a minor menace we solve with a Delete key. Enter spearphishing: a targeted approach to phishing that is proving nefariously effective, even against the most seasoned security pros. Why? Because they are crafted by thoughtful professionals who seem to know your business, your current projects, your interests. They don't tip their hand by trying to sell you anything or claiming to have money to give away. In fact, today's spearphishing attempts have far more sinister goals than simple financial theft.'

2 of 38 comments

  1. Re:"fooling even the most seasoned security pros" by caseih · Score: 4, Informative

    If you read the fine article, you'll find that what the author is really talking about is a full-blown compromise of corporate networks.

    Today's adversary isn't merely a passive reader. They intercept and change emails, albeit slightly, when the need arises. Yes decisions may become no; no may become yes. Sometimes key recipients will be removed from the email's receiver list. More receivers may be added. Email groups may be modified. Encryption and signing may be turned off.

    In one of the most notorious examples I've ever read, a company knew it was badly compromised with an APT. In an attempt to reclaim the network, the help desk sent out an email asking every recipient to change their password. Certainly, that would make it harder for the malicious intruders to hang out -- except that the intruders had control of the help desk's email account. Right before the email was sent, the intruders changed the embedded link so that it took users to a perfect copy of the company's password-change website hosted under the intruder's control. Users followed the help desk directions, but in doing so allowed intruders to capture every password change.

    Seems to me the problem isn't phishing... it's the compromise to begin with, and the problems that led to that.

  2. we -require- employees to do so. Mandatory trainin by raymorris · Score: 5, Informative

    There are plenty of regulations and such that require all employees take certain training or sign certain forms. In any company of significant size, HR sends out such emails.

    In the security realm specifically, SANS is a major, major name. Possibly the best known and respected provider of security training. They offer some of that training at securingthehuman.org. They have a program in which companies can have all employees take SANS training at CompanyName.securingthehuman.org. To ensure that each employee does the training, you have to log in with your credentials.

    Of course HR or the security administrator sends a mass email telling all employees to click the link to take their mandatory security training. That's security administrators working with the leading provider of security training, and we're REQUIRING all employees to click an emailed link and enter credentials.

    At most security-conscious companies, employees also have to agree to the security policy. In order to have a database showing that every employee has received the policy, we have them LOG IN and click "I have read and agree to the policy". And we send that link out to all employees either upon hire or annually.

    We don't just click links, the security professionals -require- all employees to click the log in. Then we get annoyed when an executive or sysadmin clicks a link in an official-looking email and logs in (forgetting that we ourselves did the same thing two weeks before).
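As an added example (not part of either comment above, nor code from Slashdot, SANS or InfoWorld): both commenters describe mass mails that tell every employee to click a link and log in, and the first describes such a link being swapped for a lookalike before sending. The Python below is a pre-send gate for that kind of mail: it extracts every link from the HTML body and blocks the send if the link host is not on an allowlist, or if the visible text names a host other than the one the link actually points to. The allowlist hosts (`passwords.example.com`, `examplecorp.securingthehuman.org`) and both sample mails are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that a mass mail to employees may link to. Constructed for this
# example; in practice the list comes from the security team's inventory.
ALLOWED_HOSTS = {"passwords.example.com", "examplecorp.securingthehuman.org"}

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lowercase host of a URL or bare domain, or None if there is none."""
    if "://" not in value:
        value = "https://" + value
    return (urlparse(value).hostname or "").lower() or None

def check_links(html, allowed=ALLOWED_HOSTS):
    """Return (href, reason) findings; any finding should block the send.
    Fails a link whose host is not allowlisted, or whose visible text names
    a different host than the one it really points to (text looks right,
    destination is not)."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = host_of(href)
        shown = host_of(text) if "." in text and " " not in text else None
        if actual not in allowed:
            findings.append((href, "host %r is not on the allowlist" % actual))
        elif shown and shown != actual:
            findings.append((href, "visible text names %r, link goes to %r" % (shown, actual)))
    return findings

# Constructed sample: the help-desk mail as written, and the same mail after
# someone with access to the help-desk mailbox swapped the embedded link.
ORIGINAL_MAIL = ('<p>Please change your password at '
                 '<a href="https://passwords.example.com/reset">passwords.example.com</a>.</p>')
TAMPERED_MAIL = ('<p>Please change your password at '
                 '<a href="https://passwords.example-com.net/reset">passwords.example.com</a>.</p>')
```

Running `check_links` on the outgoing mail from the help-desk or HR mailbox, with the allowlist maintained outside that mailbox, catches the swap regardless of who controls the sending account.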