An interesting thing happened to a customer of ours recently. A very senior member of their staff received an email from Network Solutions for a regular renewal payment on a domain name. Within minutes of this email, another email, seemingly from the same company, came in. This time the email stated that their account was restricted and that this needed to be resolved. Understandably, the recipient was concerned, as this was the domain of the company's primary website. So she clicked on the link, as many of us would. She was then presented with a screen asking her to update her credit card details. Fortunately, at this point she smelled a rat and realized something was up. She went to the legitimate company's normal URL, checked there, and found that her credit card details were in fact not out of date and all was well.
This time disaster was averted, but it isn't always. The fact that the bogus email came in minutes after the genuine one was no coincidence. This second email is not quite phishing and not quite spear phishing as those terms are usually used, so we'll call it bot phishing.
Most of us by now have heard of phishing. In phishing, a cybercriminal sends an email to a massive number of addresses. The email looks legitimate, perhaps from a well-known company like PayPal, Facebook or a bank, and usually says something along the lines of 'your account has been compromised' or 'we need to review your account details', with a link to click on where you can 'check your account'. The link leads to a spoof website that either asks you to enter your credentials or card details, which go straight to the attacker, or tries to push malware onto your computer, often as a browser add-on, resulting in data loss, stolen banking credentials and similar nasty activities.
Phishing emails are a big problem. Kaspersky, the anti-virus specialists, have an 'Anti-Phishing System' that records each time a Kaspersky user's computer encounters a phishing page. In Q1 2015 this system was triggered 50,077,057 times. That's a lot of fish.
But people are getting wary of phishing, so the hackers are turning their criminal minds to a more targeted variant called spear phishing. Spear phishing is like standard phishing, except it is aimed at particular people. This time the email with the link to the spoof website is sent, on purpose, to a chosen employee within a company, usually dressed up with details of that person and their role to make it convincing. The 2014 attack on JP Morgan shows how spear phishing works. Specific bank employees were targeted and ended up having their passwords to critical network servers stolen; those servers were then compromised, and the hackers used that foothold to steal the contact details of millions of JP Morgan customers, whom they can now spear phish in turn.
Spear phishing campaigns increased by 91% in 2013, according to Symantec's Internet Security Threat Report 2014. And it's not just the JP Morgans of the world that are at risk. Hackers are targeting small and medium sized businesses too; in fact the threat against SMBs is growing. The same Symantec report found that 30% of spear phishing attacks targeted companies with fewer than 250 employees.
Going back to our customer who was bot phished: could the timing have been coincidence? The expiry date of a domain registration is public information, available from a WHOIS lookup, so a cybercriminal could simply have watched for domains about to expire, picked a prominent email address or two at the company, and sent the phishing email hoping to hook at least one recipient. But the bogus email arrived within minutes of the genuine renewal notice, and timing that close is hard to get from public data alone. Either the attacker was polling the registrar closely enough to send at the same moment, or someone could see the genuine email, so it is worth checking whether a mailbox or a forwarding rule along the path has been compromised.
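The two things that give this kind of message away are the ones described above: the email claims to be from a known brand but its sender address and its links point somewhere else, and it lands a few minutes after a genuine message from that brand. The following script, an added example written for this article and not WatchPoint Data's own code or product, runs those checks over a small constructed mailbox modelled on the incident. The brand allow-list, the sender and link domains and the three messages are all made up for illustration; a real deployment would parse MIME, use the public suffix list for registrable domains, and feed the verdicts to your mail gateway or SIEM.

```python
"""Flag look-alike follow-on emails ('bot phishing').

Added example, not WatchPoint Data's code. Assumes a hypothetical allow-list of
legitimate sender/link domains per brand and a constructed three-message mailbox.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed allow-list (hypothetical values): the name a brand uses in a display
# name -> the registrable domains it really sends from and links to.
BRAND_DOMAINS = {
    "Network Solutions": {"networksolutions.com"},
    "PayPal": {"paypal.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Fine for .com-style hosts; use the
    public suffix list for co.uk and friends in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_brand(display_name: str):
    """Which known brand does the From display name pretend to be, if any?"""
    for brand in BRAND_DOMAINS:
        if brand.lower() in display_name.lower():
            return brand
    return None


def analyse(msg: dict) -> dict:
    """Return the brand a message claims and every reason it looks spoofed."""
    brand = claimed_brand(msg["from_display"])
    reasons = []
    if brand is None:
        return {"brand": None, "reasons": reasons}
    good = BRAND_DOMAINS[brand]
    sender_dom = registrable_domain(msg["from_addr"].split("@")[-1])
    if sender_dom not in good:
        reasons.append(f"sender domain {sender_dom} is not a {brand} domain")
    for url in URL_RE.findall(msg["body"]):
        link_dom = registrable_domain(urlparse(url).hostname or "")
        if link_dom not in good:
            # 'networksolutions.com.evil.info' registers as 'evil.info'
            reasons.append(f"link {url} points at {link_dom}")
    return {"brand": brand, "reasons": reasons}


def find_follow_on_phish(mailbox, window=timedelta(minutes=10)):
    """Pair each suspicious message with a clean message from the same brand
    that arrived shortly before it: the timing pattern from the incident."""
    mailbox = sorted(mailbox, key=lambda m: m["received"])
    last_clean = {}  # brand -> arrival time of the last clean message
    findings = []
    for m in mailbox:
        verdict = analyse(m)
        brand = verdict["brand"]
        if brand is None:
            continue
        if not verdict["reasons"]:
            last_clean[brand] = m["received"]
            continue
        prior = last_clean.get(brand)
        followed = prior is not None and m["received"] - prior <= window
        findings.append({
            "subject": m["subject"],
            "brand": brand,
            "reasons": verdict["reasons"],
            "follows_legit_within_window": followed,
        })
    return findings


# Constructed sample mailbox modelled on the incident above (not real mail).
SAMPLE_MAILBOX = [
    {"received": datetime(2015, 6, 1, 9, 0), "from_display": "Network Solutions",
     "from_addr": "billing@networksolutions.com", "subject": "Renewal receipt",
     "body": "Thanks, see https://www.networksolutions.com/manage for details."},
    {"received": datetime(2015, 6, 1, 9, 4), "from_display": "Network Solutions Support",
     "from_addr": "support@netsol-billing-alerts.com", "subject": "Account restricted",
     "body": "Update your card at http://networksolutions.com.account-verify.info/update"},
    {"received": datetime(2015, 6, 1, 14, 0), "from_display": "PayPal",
     "from_addr": "service@paypal.com", "subject": "Your receipt",
     "body": "View at https://www.paypal.com/activity"},
]

if __name__ == "__main__":
    for finding in find_follow_on_phish(SAMPLE_MAILBOX):
        print(finding)
```

Run as-is and only the second message is reported, with both a sender-domain reason and a link-domain reason, and with the follow-on flag set because it arrived four minutes after the clean renewal receipt. The link check is the one worth copying into a user-facing tip: the hostname `networksolutions.com.account-verify.info` starts with the brand, but the registrable part is `account-verify.info`, which is the only part the browser's address bar really vouches for.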
Much information about us is available and easy to access online. Cybercriminals know this and aggregate it for use in their crimes. It is almost impossible to prevent, so we need protections in place for when it happens. Education and protection are the watchwords in the fight against phishing and spear phishing, and now perhaps bot phishing. One of the most important things we can do is keep software such as browsers fully and promptly patched, because hackers exploit software vulnerabilities to install malware. Patching does not, however, stop anyone from typing card details into a convincing fake page, so the habit that saved our customer is worth spelling out: never follow a payment or account link in an email; type the company's normal address into the browser, or use a bookmark, and check there. We also need monitoring and alerting across the network so that we are aware of issues before they take hold and expose our data. Educating ourselves and our employees on how to recognize these emails, and not simply clicking the link, should be part of our overall cybercrime strategy. WatchPoint Data can provide the security platform needed to help tackle phishing, whatever form it takes.
If Kaspersky, world-renowned security specialists, can get spear phished, then anyone can. This news broke just as this article was being finalized; more details to come.
Updated: Kaspersky Duqu 2.0 Hack