Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Sophisticated Business of Today's Most Nasty Phishing Attacks (infoworld.com)

Posted by samzenpus on from the modus-operandi dept.

snydeq writes: Forget Nigerian princes — today's spearphishing is sophisticated business, fooling even the most seasoned security pros, writes InfoWorld's Roger A. Grimes, in a look at what sets today's most sophisticated spearphishing attempts apart. 'Most of the time, phishing attempts are a minor menace we solve with a Delete key. Enter spearphishing: a targeted approach to phishing that is proving nefariously effective, even against the most seasoned security pros. Why? Because they are crafted by thoughtful professionals who seem to know your business, your current projects, your interests. They don't tip their hand by trying to sell you anything or claiming to have money to give away. In fact, today's spearphishing attempts have far more sinister goals than simple financial theft.'

5 of 38 comments (clear)

  1. Re:Not new by U2xhc2hkb3QgU3Vja3M · · Score: 2

    Is that a real link? The summary made me paranoid.

    Fight for your bitcoins!

  2. Re:"fooling even the most seasoned security pros" by caseih · · Score: 4, Informative

    If you read the fine article, you'll find that what the author is really talking about is a full-blown compromise of corporate networks.

    Today's adversary isn't merely a passive reader. They intercept and change emails, albeit slightly, when the need arises. Yes decisions may become no; no may become yes. Sometimes key recipients will be removed from the email's receiver list. More receivers may be added. Email groups may be modified. Encryption and signing may be turned off.

    In one of the most notorious examples I've ever read, a company knew it was badly compromised with an APT. In an attempt to reclaim the network, the help desk sent out an email asking every recipient to change their password. Certainly, that would make it harder for the malicious intruders to hang out -- except that the intruders had control of the help desk's email account. Right before the email was sent, the intruders changed the embedded link so that it took users to a perfect copy of the company's password-change website hosted under the intruder's control. Users followed the help desk directions, but in doing so allowed intruders to capture every password change.

    Seems to me the problem isn't phishing... it's the compromise to begin with, and the problems that led to that.

  3. Re:"fooling even the most seasoned security pros" by oic0 · · Score: 2

    The latest phishing test we did at work used a spoofed email address that looked like HR at our domain and said you needed to read the enclosed word document, print it, and turn it in to HR. No macros so you didn't need to enable editing or enable macros in the document for it to work and it still silently redirected to an external site. In practice the email wouldn't have gotten through without help, but all it takes is one. You can image with just a word document, an internal looking email address, and proper writing skills, it got a LOT of hits.

  4. Re:How Are these Foreign Companies Legitimate? by MyAlternateID · · Score: 3, Insightful

    From TFA:

    "Today’s professional Internet criminals work 9-to-5 days, pay taxes, and get weekends and holidays off. The companies they work for often have dozens to hundreds of employees, pay bribes to local law enforcement and politicians, and are often seen as the employer of choice in their region. Working for companies that break into companies in other countries is often proudly worn as a patriotic badge."

    Tell me again why a submarine launched Tomahawk cruise missile doesn't suddenly strike that corporate HQ one day, killing everyone in the building and reducing it to rubble and ash? It seems that these people need to be reminded of who they're messing with when they declare war against our financial system.

    The people who own the financial system are definitely not the people worthy of any sort of patriotic sentiment. There is a reason Jefferson warned us about this a long time ago, because even in his time, this system wasn't new.

    Incidentally, two U.S. Presidents were killed by being shot in the head in public: Abraham Lincoln and JFK. What do they both have in common? They both tried to issue interest-free money directly through the Treasury department, outside of the control of private bankers. In Lincoln's case, they were called Greenbacks. In JFK's case, they were a representative currency (dollars backed by silver). I'm sure that's a total coincidence. After all, if someone tells you that a street thug might shoot you to take the $50 in your wallet, that person is reasonable; if someone else says that banksters would kill anyone to protect their trillions-of-dollars financial empires, well that guy's just a conspiracy nut, just like those guys who said several years ago that the NSA was spying on everyone, right? It's a good thing we're all above such tin-foil hattery!

    Of course there's the more practical matter of whether it's really worthwhile to kill people and commit what foreign nations would call an act of war, merely because a few domestic corporations had shitty security since they failed to appreciate that the public Internet is a hostile network. Generally, we don't kill people for financial or other property crimes, and we aren't supposed to sanction them in any way at all without a trial (preceded by an extradition if necessary).

    If you're going to pull an "America, FUCK YEAH!", please understand that "America" used to actually mean something, and in particular it meant we don't do certain things -- like punish people without due process -- just because more authoritarian nations might do such things. That was once the sort of thing we observed other nations doing, frowned upon, and considered ourselves better than. Believe it or not, the collective culture once valued the visceral satisfaction of swift vengeance less than it valued the sanctity of our founding principles. A good history book will talk about this, and the sad thing is, you would need one to hear about such things today.

  5. we -require- employees to do so. Mandatory trainin by raymorris · · Score: 5, Informative

    There are plenty of regulations and such that require all employees take certain training or sign certain forms. In any company of significant size, HR sends out such emails.

    In the security realm specifically, SANS is a major, major name. Possibly the best known and respected provider of security training. They offer some of that training at securingthehuman.org. The have a program in which companies can have all employees take SANS training at CompanyName.securingthehuman.org. To ensure that each employee does the training, you have to log in with your credentials.

    Of course HR or the security administrator sends a mass email telling all employees to click the link to take their mandatory security training. That's security administrators working with the leading provider of security training, and we're REQUIRING all employees to click an emailed link and enter credentials.

    At most security- conscious companies, employees also have to agree to the security policy. In order to have a database showing that every employee has received the policy, we have them LOG IN and click "I have read and agree to the policy". And we send that link out to all employees either upon hire or annually.

    We don't just click links, the security professionals -require- all employees to click the log in. Then we get annoyed when an executive or sysadmin clicks a link in an official- looking email and logs in (forgetting that we ourselves did the same thing two weeks before).