I never tire of hearing a sob story about a phishing attack being successful from an overly ambitious technophile who thinks phishing works on gullible people.Despite a success rate so high it’s become standard operating procedure for Chinese military and government cyber-espionage groups, people who respond to phishing emails are treated like they’re one walker-assisted step above the elderly shut-ins who send money to help Nigerian princes and ministers of finance mysteriously down on their luck.
If only the stupid fell for phishing scams the successful attacks against companies with sophisticated security – Google, Lockheed Martin, HB Gary, PayPal, various other U.S. military and intelligence agencies – would have been able to shut down the breaches quickly. Others with security at least as good — CitiBank, Bank of America, AOL, Western Union, – wouldn’t have to send out alerts every 10 minutes warning people that they weren’t sending out alerts, so don’t mail in your usernames and passwords.
Phishing works, for the same reason grifting works – given a set of facts that seem to fit all their expectations and experience, and the opportunity to either help out a co-worker or profit from something that’s very little trouble for them, most people will take the risk. Phishing emails are addressed to far too broad an audience to really fool anyone into thinking an email is from a friend or coworker.
Spear-phishing is different. Spear phishers use the same kind of research, target identification and individually designed approach spymasters use in trying to identify, approach and successfully recruit foreign nationals into betraying the interests of their country.
The goal isn’t to find a weakness and exploit it – through blackmail, bribery or what have you. It’s to find some specific person and present them with an email that has all the information they need to support their assumption that it’s a perfectly legitimate request from someone they know.
Spear-phishers “first look for who could be the high-value targets of an enterprise – Human Resources personnel who might have access to passwords or personal data, a system administrator who is listed on LinkedIn with a detailed resume describing what he does for the company,” according to Manoj Srivastava, chief technical officer at security-software company Cyveillance.
“Then they go to Facebook, MySpace, Twitter – any social network or forum or other site that could give them information about that person that could be used against them. If they can find pictures the person, or a friend of the person posted on Facebook, the email could look like it came from a friend named in the pictures and be labeled ‘Pictures from the picnic,’ with a malicious payload in the attachments or at the URL the picture links point to,” Srivastava said.
“With enough research on someone with some amount of information about themselves online, an email can very convincingly look like it came from a friend. The idea is not to raise any suspicions,” he said.
Often just the research is enough to turn up enough information to open the firewall a crack – spoofing the email of an employee well enough to get someone inside the firewall to open the message and launch a file or click a link that turns out to contain malware that lets the cracker in.
Anti-virus designed to catch malware coming in through email might not catch it being downloaded from a link clicked from inside, a fake application “update” or other vector, according to a March report from NSS Labs showing even good antivirus systems fail when the malware tries to come in through several different entry points. Cyveillance, among other services that all depend on extensive, real-time examination and analysis of online scams, runs an anti-phishing anti-spam service designed to identify potential high-risk email by looking not at the falsified email address, but the request inside the message.
“You have to look at the links and evaluate the level of risk based on whether it is asking that secure information inside the firewall be sent outside using links or sites that may not be secure,” he said.
Successful spear-phishing is not just Google searching and manipulative email-writing, either.
When members of Anonymous hacked HB Gary – the highly regarded security company whose CEO had bragged he was going to bring down the leaders of the hactivist group – they started with a SQL injection attack on HB Gary’s web site, and the low-security content-management system used to run the site. The SQL injection let Anonymi download the user database from the CMS – including email addresses and hash-encrypted passwords for employees.
If all HB Gary’s employees had used long or difficult passwords, the Anonymi would have been stuck for weeks trying to decrypt the passwords using rainbow tables. Unfortunately the hashing was relatively simple, as were the passwords used by both the CEO and COO.
Anonymous cracked passwords for the two used them to log into the company’s Google Apps email system and use the CEO’s administrator privileges to reset the passwords for all the other users on the system.
That gave them access to all the email, in which they found passwords and other information they used to create an email that looked, in its lack of capitalization and punctuation, shorthand references to servers and login methods, authentic enough to look to the security specialist in charge of HB Gary’s most valuable data store to ask him to open a hole in the firewall for them to run through.
ArsTechnica’s step-by-step story about the attack includes text of the email chain, which would bore anyone stupid who didn’t know it was Anonymous on one end of the request rather than the legitimate user. At no point does the security specialist who was taken in look either stupid or stupidly trusting. The request and subsequent exchange are more detailed and technical than most password-repair requests from end users, in fact – requests that are fulfilled in their tens of thousands every day by people in IT.
The amount of trouble the Anonymi went to to crack HB Gary is way out of line with what would make sense for most companies.
Most of us rely for our sense of safety on either anonymity or degree of difficulty. We’re safe from physical or digital attack (mostly) because we’re each one of relatively indistinguishable hundreds of millions online.
We know someone targeting one of us individually could crack us more easily than Anonymous cracked HB Gary, but why go to the trouble?
You and I might not be worth the trouble. Lockheed Martin is. So is each person within it whose combination of online personal data, job description and access to potentially valuable authentication data would make them an attractive potential entry point.
Successful cracks don’t depend on millions of generic emails. Ideally they could use just one apiece, directed at just the right person, using just the right amount of corroborating information and context, appearing to come from the right person’s email address or other source.
Why wouldn’t you help someone like that? Most likely, it’s part of your job to do exactly that!
Walk through a couple of spear-phishing exploits and the victims don’t look stupid anymore. In fact, the attackers look smarter, and the rest of us look a lot more vulnerable.