
Global Scambaiting Forum  

SPEAR PHISHING SCAM



What's Spear Phishing?




 

Definition:

Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company and generally someone in a position of authority.

According to an article in the New York Times, spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by "sophisticated groups out for financial gain, trade secrets or military information."

Here's one version of a spear phishing attack: The perpetrator finds a Web site for a targeted organization that supplies contact information for employees and other relevant data about the company. Using available details to make the message seem authentic, the perpetrator drafts an e-mail appearing to come from an individual who might reasonably request confidential information, such as a network administrator. Typically, a spear phisher requests user names and passwords or asks recipients to click on a link that will result in the user downloading spyware or other malicious programming. The message employs social engineering (fraudulent, non-technical) tactics to convince the recipient. If a single employee falls for the spear phisher's ploy, the attacker can masquerade as that individual and gain access to sensitive data.

Most people have learned to be suspicious of unexpected requests for confidential information and will not divulge personal data in response to e-mail messages or click on links in messages unless they are positive about the source. The relative success of spear phishing relies upon the details used: the apparent source is a known and trusted individual, information within the message supports its validity, and the request seems to have a logical basis.

At West Point in 2004, teacher and National Security Agency expert Aaron Ferguson sent out a message to 500 cadets asking them to click a link to verify grades. Ferguson's message appeared to come from a Colonel Robert Melville of West Point. Over 80% of recipients clicked the link in the message. In response, they received a notification that they'd been duped and warning that their behavior could have resulted in downloads of spyware, Trojan horses, and/or other malware.

IBM's Global Security Index research found that intercepted spear-phishing attempts rose from 56 in January 2005 to over 600,000 in June 2005.



***************************



Spear phishing is a pinpoint attack against some subset of people (users of a website or product, employees of a company, members of an organization) to attempt to undermine that company or organization. It isolates a specific group of people, as opposed to spamming the world, and attempts to get them to do something to gain access to proprietary data or company systems. It will often look real and appear to come from a legitimate member of the organization. For instance, a spear phish may appear to come from an executive of the company asking for login IDs and passwords.


As an example, the CIO of Acme Inc. is John Doe. The entire organization receives an e-mail from John Doe saying that everyone should send their user IDs and passwords to him because he is doing a system audit. Those who do not will get their access to the network terminated and may face disciplinary action. Employees then respond to the email thinking they are sending the email to John Doe, but it is really going to Joe Hacker.


A more recent example involved a 0-day Microsoft Word exploit reported at the Internet Storm Center. Organizations received legitimate-looking e-mails, signatures and all, that carried a hostile Word document. The e-mail encouraged users to open the document, which then infected the target machine. The document installed a bot that performed extensive system reconnaissance, searching (among other things) the My Documents folder, the list of patches installed on the machine, and the configuration of Internet Explorer, and then stayed resident to allow remote control of the host.


While spear phishing is unique in that it is highly customized to the recipient to increase the chance of exploitation, the defenses are largely the same as against ordinary phishing. If a user gets a suspicious e-mail, they can simply call the sender and verify that they sent it (using a number from the company directory, not one supplied in the message). Users should avoid sending confidential information over e-mail. Because spear phishing tries to imitate legitimate users, it is typically very easy to verify whether an e-mail is legitimate by simply calling the apparent sender.[1]


Microsoft offers the following five tips to avoid spear phishing:[2]

-  Never reveal personal or financial information in a response to an e-mail request, no matter who appears to have sent it.
-  If you receive an e-mail message that appears suspicious, call the person or organization listed in the "From" line before you respond or open any attached files.
-  Never click links in an e-mail message that requests personal or financial information. Enter the Web address into your browser window instead.
-  Report any e-mail that you suspect might be a spear phishing campaign within your company.
-  Use Internet Explorer 7 or the Windows Live Toolbar, both of which contain Phishing Filter, which scans and helps identify suspicious Web sites, and provides up-to-the-hour updates and reporting on known phishing sites.


The Wall Street Journal carried a story about New York State CIO Will Pelgrin's use of fake phishing e-mails to test the awareness of some 10,000 New York state employees. About 15% of the recipients tried to enter their passwords before being stopped by the automated program, which sent them a note explaining the exercise. An additional 3% tried to enter the Web address in their own browsers, a sound security practice that can deflect most attacks.


In July, a second message, purportedly from the employee's own agency, asked for help fixing an Internet problem "due to a suspected cyber security event." A link took employees to a Web page that asked for their e-mail address, agency, network user name and password, and phone number. This time, only 8% of the recipients tried to interact with the fake Web site, while 5% were careful enough to enter the Web address themselves.[3]


Awareness and education, while important, are not enough. "Educating e-mail users has had only limited success, according to a West Point faculty member. The first test e-mail, sent to 400 West Point cadets, received an 80 percent click rate. Subsequent exercises with as many as 3,000 cadets produced lower, but not sharply lower, response rates."[4] Content filtering at the browser and network egress point is critically important.
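The checks a mail gateway or help desk can run before anyone picks up the phone are mechanical: does a message that claims to come from an internal colleague actually look like it came from inside? The script below is an added example written for this page, not code from Microsoft, SANS or any of the cited sources. The internal domain "acme-inc.example", the directory of known senders and both sample messages are constructed for the example; the "John Doe" audit request mirrors the Acme scenario above.

```python
"""Spear-phishing header triage: flag messages whose headers contradict the
sender they claim to be. Added example; all names and messages are constructed."""

import email
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "acme-inc.example"            # assumed internal mail domain

# Assumed directory: lower-cased display name -> the address that person really uses.
DIRECTORY = {"john doe": "jdoe@acme-inc.example"}

# Constructed sample: a "system audit" request claiming to be from the CIO.
SUSPECT_MESSAGE = """\
Return-Path: <bounce@mail-acme.example>
Received: from mx.acme-inc.example (mx.acme-inc.example [192.0.2.2]) by mailstore.acme-inc.example; Mon, 1 May 2006 09:02:11 -0400
Received: from mail-acme.example (mail-acme.example [198.51.100.7]) by mx.acme-inc.example; Mon, 1 May 2006 09:02:10 -0400
From: "John Doe" <john.doe@acme-inc.example>
Reply-To: john.doe@mail-acme.example
To: staff@acme-inc.example
Subject: System audit - send your user ID and password today

Please reply with your network user ID and password so I can complete the audit.
"""

# Constructed sample: a genuine internal message for comparison.
CLEAN_MESSAGE = """\
Return-Path: <jdoe@acme-inc.example>
Received: from ws12.acme-inc.example (ws12.acme-inc.example [10.1.4.12]) by mx.acme-inc.example; Mon, 1 May 2006 10:15:00 -0400
From: "John Doe" <jdoe@acme-inc.example>
To: staff@acme-inc.example
Subject: Town hall moved to Thursday

The town hall is now Thursday at 3pm in the main conference room.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a host under it (not a look-alike)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def spoof_indicators(raw_message: str, internal_domain: str, directory: dict) -> list:
    """Return indicator tags for the message; an empty list means nothing looked off."""
    msg = email.message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Envelope sender (Return-Path) lives in a different domain from the header From.
    _, bounce_addr = parseaddr(msg.get("Return-Path", ""))
    if bounce_addr and _domain(bounce_addr) != from_dom:
        findings.append("return-path-domain-mismatch")

    # 2. Replies are silently redirected to another domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to-domain-mismatch")

    # 3. Claims to be internal, but the earliest Received hop is an outside host.
    #    Each relay prepends its Received header, so the last one is the first hop.
    received = msg.get_all("Received") or []
    if from_dom == internal_domain.lower() and received:
        m = re.search(r"\bfrom\s+([\w.-]+)", received[-1])
        first_hop = m.group(1) if m else ""
        if not _in_domain(first_hop, internal_domain):
            findings.append("external-first-hop")

    # 4. Display name of a known person, but not that person's real address.
    expected = directory.get(from_name.strip().lower())
    if expected and expected.lower() != from_addr.lower():
        findings.append("display-name-address-mismatch")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, spoof_indicators(raw, INTERNAL_DOMAIN, DIRECTORY))
```

None of these checks proves forgery on its own; a legitimate mailing-list relay can trip the Return-Path test, for example. The point is that a message carrying several of them deserves the phone call the text recommends before anyone replies with a password.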


1. http://isc.sans.org/diary.php?storyid=1346
2. http://www.microsoft.com/athome/security/email/spear_phishing.mspx
3. http://online.wsj.com/public/article/SB112424042313615131-z_8jLB2WkfcVtgdAWf6LRh733sg_20060817.html?mod=blogs
4. http://www.itbusinessedge.com/item/?ci=20508



Definition: "Spear Phishing"



-  Phishing targeted at a specific person, usually by sending an e-mail message crafted to appear as though it was sent by someone known to the recipient.

-  More recently, however, a hybrid form of phishing, dubbed "spear-phishing," has emerged and raised alarms among the digital world's watchdogs. Spear-phishing is a distilled and potentially more potent version of phishing. That's because those behind the schemes bait their hooks for specific victims instead of casting a broad, ill-defined net across cyberspace hoping to catch throngs of unknown victims.

-  Spear-phishing, say security specialists, is much harder to detect than phishing. Bogus e-mail messages and Web sites not only look like near perfect replicas of communiqués from e-commerce companies like eBay or its PayPal service, banks or even a victim's employer, but are also targeted at people known to have an established relationship with the sender being mimicked.


"After three unsuccessful attempts to access your account, your Online Profile has been locked. This has been done to secure your accounts and to protect your private information. You may unlock your profile by going to: ..."


Sounds like a normal phishing e-mail, right? But what if the e-mail seemed to come from the head of IT at your small business, warning about your company account? Would you click the link?


Today's phishers hope so. In fact, the excerpt above didn't appear in the usual global barrage of e-mail sent out to catch recipients with eBay or PayPal accounts. Instead, it went exclusively to students and faculty of the University of Kentucky as part of a directed, or "spear-phishing," attack against the small, 33,000-member university credit union this May.



Methods of Attack



According to Dr. Dorothy Denning, "The rise in computer-based attacks can be attributed to several factors, including general growth of the Internet, with corresponding increase in the number of potential attackers and targets; a never-ending supply of vulnerabilities that, once discovered, are quickly exploited; and increasingly sophisticated hacking tools that allow even those with modest skills to launch devastating attacks."[1]


In the Mitnick example, we focused on a single attack that used just a few specific techniques to achieve a well-defined goal. Although there are probably thousands of different exploits that attackers can use against your systems, most can be classified into one or more categories. A large amount of research has gone into defining a standard vulnerability taxonomy, but so far none has been widely accepted. A comprehensive taxonomy must be:


-  Mutually exclusive
-  Exhaustive
-  Unambiguous
-  Repeatable
-  Accepted
-  Useful[2]


Attacks usually rely on programming or user errors


Consider the following Computerworld headline:

"April 26, 2006 (IDG News Service) A number of flaws in the software that is used to administer the Internet's Domain Name System have been discovered by researchers at Finland's University of Oulu."[3]


Did they use exploits? No, they ran tests looking for problems in software. Security Tracker, probably one of the best sources to track vulnerabilities on the Internet, lists the following categories of causes for software vulnerabilities:


-  Access control error
-  Authentication error
-  Boundary error
-  Configuration error
-  Exception handling error
-  Input validation error
-  Not specified
-  Randomization error
-  Resource error
-  State error[4]


When a potential attacker finds evidence of a software error, they can then construct an attack to take advantage of the error. Once they have their tools, they can search for a victim.


In the classic sense of a planned attack, executed by a hacker with malicious intent, a sequence of events typically takes place. First, in the reconnaissance phase, the attacker gently probes the system(s) or network(s) to get a sense of what is out there. Second, after discovering potential targets, the attacker performs more thorough system scanning, if necessary, and begins the process of enumeration. With enumeration, the attacker attempts to gain some actual information about the network or the system's users, such as specific system names, open shares, SNMP or LDAP directories, and so on. Third in the sequence is the breach, where the attacker actually attempts to penetrate the system or network. Fourth is the system administration phase, in which the attacker gains access to and control of the resource in question. Finally, there may be a clean-up phase, in which the attacker attempts to eliminate evidence of the work.


In the Methods of Attack series, we will discuss classes of attacks that can be applied to almost any system.


1. http://www.ssrc.org/sept11/essays/denning.htm
2. http://www.nccaiim.org/Education/Proceedings/2004/7-Moore-vulnerabilities.ppt
3. http://www.computerworld.com/printthis/2006/0,4814,110897,00.html
4. http://securitytracker.com/topics/topics.html#cause



Logic Bombs, Trojan Horses, and Trap Doors



There are many types of malicious code in the wild today. Though they are only a small subset of these, logic bombs, Trojan horses, and trap doors are fairly common.



Logic Bombs



Logic bombs are small programs or sections of a program triggered by some event such as a certain date or time, a certain percentage of disk space filled, the removal of a file, and so on. For example, a programmer could establish a logic bomb to delete critical sections of code if she is terminated from the company. Logic bombs are most commonly installed by insiders with access to the system.


UBS PaineWebber system administrator Roger Duronio charged over logic bomb
Former UBS PaineWebber system administrator Roger Duronio has been charged with sabotaging company computer systems in an attempt to manipulate its stock price. Duronio planted logic bombs that deleted files on the company's computers. He has been charged with one count of securities fraud and one count of violating the Computer Fraud and Abuse Act.



Trojan Horses



Trojan horses (often just called Trojans) are programs that must be installed or executed by a user to be effective. Often, these are disguised as helpful or entertaining programs which can include operating system patches, Linux packages, or games. Once executed, however, Trojans perform actions the user did not intend such as opening certain ports for later intruder access, replacing certain files with other malicious files, and so on.[1]


"Assistant U.S. Attorney Mauro Wolfe gave his closing arguments to the jury in U.S. District Court here for more than two hours Monday. He told jurors that Roger Duronio, the defendant in this computer sabotage case, was the man with the motive, the means and the ability to do the crime. And on top of that, copies of the trigger for the logic bomb were found in his home."[2] He was sentenced to 8 years.[3]


Roger Duronio showed all the classic signs of entitlement
Entitlement, and railing at a perceived injustice, are what insider-threat researchers call a "trigger". A trigger, commonly seen in insider attack and espionage cases, is an event that causes an individual to choose to act out a betrayal. "Many people, perhaps most people, experience some form of stress that threatens their self-image at some time in their lives. They face serious financial problems combined with an available opportunity for illegal gain; failure to compete effectively with their peers; perceived injustice at the hands of an employer or supervisor; termination from a job under circumstances that prompt resentment; rejection or betrayal by a spouse or other close family member."[4]

A chilling piece of journalism from Information Week suggests this was foreseeable.


"Wolfe reminded the jury about the testimony of Rajeev Khanna, manager for UBS's Unix Systems Group, at the time of the attack. Khanna had told the jury that Duronio went to him in 2000, saying he had "cash flow problems" and asking for a pay increase. Khanna said he had liked Duronio and went to bat for him, even though it was midyear and an unusual time to ask for, or give out, a pay raise. Khanna got Duronio a $10,000 bump in salary. But Wolfe was quick Monday to remind the jury that Duronio had not been satisfied with it. "It wasn't good enough," Wolfe told the jury. "The seeds were planted. He wasn't happy with what he was taking home."[5]


NOTE: Paine Webber was renamed UBS Wealth Management after the incident.



Logic bombs for good



Some of these techniques can also be used against attackers in a devious sort of way. Administrators sometimes intentionally deploy pseudo flaws, also known as honey tokens, which are things that look vulnerable to attack but really act as alarms or triggers of automatic actions when an intruder attempts to exploit the flaw. Do not confuse the single pseudo flaw with the concept of a pseudo flaw that extends to encompass an entire host or network - often referred to as a honeypot or a honeynet; neither of these terms properly refers to a single pseudo flaw.
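A pseudo flaw only works as an alarm if something is watching for it. The script below is an added example written for this page, not code from any of the cited sources. The honey token is an assumed dormant account, "backupadmin", that is deliberately left visible (for instance in a stale configuration file an intruder is likely to read) but that no legitimate person ever uses, so any authentication attempt against it, successful or not, is a signal rather than noise. The log lines are constructed sshd-style samples.

```python
"""Honey-token alerting over an authentication log. Added example; the account
name and log lines are constructed for illustration."""

import re
from collections import Counter

HONEY_ACCOUNTS = {"backupadmin"}   # assumed honey-token account names

# Constructed sample auth log; only the honey-account lines should alert.
SAMPLE_LOG = """\
May  2 10:11:01 fileserver sshd[2201]: Accepted publickey for alice from 10.0.0.12 port 51422 ssh2
May  2 10:14:33 fileserver sshd[2260]: Failed password for backupadmin from 203.0.113.9 port 40011 ssh2
May  2 10:14:35 fileserver sshd[2260]: Failed password for backupadmin from 203.0.113.9 port 40011 ssh2
May  2 10:15:02 fileserver sshd[2271]: Accepted password for backupadmin from 203.0.113.9 port 40020 ssh2
May  2 10:20:44 fileserver sshd[2300]: Failed password for alice from 10.0.0.12 port 51500 ssh2
May  2 10:21:09 fileserver sshd[2302]: Failed password for invalid user admin from 198.51.100.4 port 33010 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)"
)


def honeytoken_alerts(log_text: str, honey_accounts: set) -> list:
    """Every authentication attempt, success or failure, against a honey account."""
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_LINE.match(line)
        if m and m.group("user") in honey_accounts:
            alerts.append({
                "ts": m.group("ts"),
                "user": m.group("user"),
                "ip": m.group("ip"),
                "outcome": m.group("outcome"),
                # A success means the intruder already holds the bait credential.
                "severity": "critical" if m.group("outcome") == "Accepted" else "high",
            })
    return alerts


def sources_to_block(alerts: list) -> dict:
    """Source addresses that touched a honey token, with attempt counts."""
    return dict(Counter(a["ip"] for a in alerts))


if __name__ == "__main__":
    hits = honeytoken_alerts(SAMPLE_LOG, HONEY_ACCOUNTS)
    for hit in hits:
        print(hit)
    print("block:", sources_to_block(hits))
```

Because the account has no legitimate users, the rule needs no threshold or tuning: one hit is enough to page someone, and the "Accepted" line tells you the bait credential has already been harvested from wherever it was planted.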



Trap doors



Trap doors, also referred to as backdoors, are bits of code embedded in programs by the programmer(s) to quickly gain access at a later time, often during the testing or debugging phase. If an unscrupulous programmer purposely leaves this code in, or simply forgets to remove it, a potential security hole is introduced. Attackers also often plant a backdoor on previously compromised systems to regain access later. Trap doors can be almost impossible to remove reliably; often, rebuilding the system from trusted media is the only sure way.



DEBUG mode Sendmail, the most famous Unix Trap Door



The so-called Morris worm took advantage of a common trap door in 1988. Here is part of a well-known account of it:


"Sendmail is the program that provides the SMTP mail service on TCP networks for Berkeley UNIX systems. It uses a simple character-oriented protocol to accept mail from remote sites. One feature of sendmail is that it permits mail to be delivered to processes instead of mailbox files; this can be used with (say) the vacation program to notify senders that you are out of town and are temporarily unable to respond to their mail. Normally this feature is only available to recipients. Unfortunately a little loophole was accidentally created when a couple of earlier security bugs were being fixed - if sendmail is compiled with the DEBUG flag, and the sender at runtime asks that sendmail enter debug mode by sending the debug command, it permits senders to pass in a command sequence instead of a user name for a recipient. Alas, most versions of sendmail are compiled with DEBUG, including the one that Sun sends out in its binary distribution. The worm mimics a remote SMTP connection, feeding in /dev/null as the name of the sender and a carefully crafted string as the recipient. The string sets up a command that deletes the header of the message and passes the body to a command interpreter. The body contains a copy of the worm bootstrap source plus commands to compile and run it. After the worm finishes the protocol and closes the connection to sendmail, the bootstrap will be built on the remote host and the local worm waits for its connection so that it can complete the process of building a new worm."[6]
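The dialog in that account is short enough to model end to end. The code below is a toy written for this page, not sendmail's code and not the worm's: a minimal SMTP receiver with a build-time DEBUG flag, fed the conversation described above (debug command, /dev/null as sender, a shell pipeline in place of a recipient mailbox). The toy only records what the real daemon would have handed to a shell; nothing is executed. The recipient string follows the published analyses of the worm; the message body is a constructed stand-in for the bootstrap source, and the "550" refusal is this model's version of the fix, in which a remote sender may not address a program.

```python
"""Toy model of the 1988 sendmail DEBUG trap door, run once with the trap door
compiled in and once without. Added example; commands are recorded, never run."""


class ToySendmail:
    """Just enough of an SMTP receiver to show the trap door and its closing."""

    def __init__(self, compiled_with_debug: bool):
        self.compiled_with_debug = compiled_with_debug   # the build-time DEBUG flag
        self.debug_mode = False                          # set by the 'debug' command
        self.sender = None
        self.recipients = []
        self.body = []
        self.in_data = False
        self.piped_commands = []   # (shell command, message body) the daemon would run

    def feed(self, line: str) -> str:
        """Handle one client line and return the server reply ('' inside DATA)."""
        if self.in_data:
            if line != ".":
                self.body.append(line)
                return ""
            self.in_data = False
            for rcpt in self.recipients:
                if rcpt.startswith("|"):      # recipient is a program, not a mailbox
                    self.piped_commands.append((rcpt[1:].strip(), "\n".join(self.body)))
            return "250 Ok"

        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return "250 Hello"
        if verb == "DEBUG":
            # The trap door: only a daemon built with DEBUG honours this command.
            if not self.compiled_with_debug:
                return "500 Command unrecognized"
            self.debug_mode = True
            return "200 Debug set"
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[1].strip().strip("<>")
            return "250 Sender ok"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip().strip("<>").strip('"')
            if rcpt.startswith("|") and not self.debug_mode:
                # Hardened behaviour: a remote sender may not address a program.
                return "550 Addressee unknown"
            self.recipients.append(rcpt)
            return "250 Recipient ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT (recipient)"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return "221 Closing connection"
        return "500 Command unrecognized"


# The worm's side of the conversation, as the account above describes it.
WORM_DIALOG = [
    "HELO attacker.example",
    "DEBUG",
    "MAIL FROM:</dev/null>",
    "RCPT TO:<\"| sed '1,/^$/d' | /bin/sh; exit 0\">",   # drop the header, run the body
    "DATA",
    "# constructed stand-in for the worm bootstrap source and build commands",
    "cd /usr/tmp && cc -o bootstrap bootstrap.c && ./bootstrap",
    ".",
    "QUIT",
]


def run_dialog(server: ToySendmail, lines: list) -> list:
    """Feed the client lines and return the (client, server) exchange."""
    transcript = []
    for line in lines:
        reply = server.feed(line)
        if reply:
            transcript.append((line, reply))
    return transcript


if __name__ == "__main__":
    for flag in (True, False):
        daemon = ToySendmail(compiled_with_debug=flag)
        print(f"--- compiled with DEBUG = {flag}")
        for client, reply in run_dialog(daemon, WORM_DIALOG):
            print(f"C: {client}\nS: {reply}")
        print("would execute:", daemon.piped_commands)
```

With DEBUG compiled in, the pipeline recipient is accepted and the body ends up queued for a shell; without it, the debug command is unrecognized, the pipeline recipient is refused, and DATA fails for want of a recipient. The lesson the text draws still holds: the trap door was not an exploit of a bug in the mail logic but a feature left in the shipped binary.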


The ultimate Trap Door, in the compiler itself



"Ken Thompson's Reflections on Trusting Trust[7] was the first major paper to describe black box backdoor issues, and points out that trust is relative. It described a very clever backdoor mechanism based upon the fact that people only review source (human-written) code, and not compiled machine code. A program called a compiler is used to create the second from the first, and the compiler is usually trusted to do an honest job.


Thompson's paper described a modified version of the Unix C compiler that would:

-  Put an invisible backdoor in the Unix login command when compiled and, as a twist,
-  Also add this feature undetectably to future compiler versions upon their compilation as well.

Because the compiler itself was a compiled program, users would be extremely unlikely to notice the machine code instructions that performed these tasks. (Because of the second task, the compiler's source code would appear "clean".) What's worse, in Thompson's proof of concept implementation, the subverted compiler also subverted the analysis program (the disassembler), so that anyone who examined the binaries in the usual way would not actually see the real code that was running, but something else instead. This version was never released into the wild. It was released to a sibling Bell Labs organization as a test case; they never found the attack."[8]


Defending against logic bombs and trap/back doors
According to the Chey Cobb blog,


"How can companies defend against such attacks? Some executives may bridle at our answer, but we think it is the right one: by hiring the right people and then treating them right. In other words, this is a people problem and so it needs a human solution. All the technology in the world is not going to prevent an insider, with authorized system access and detailed knowledge of the system, from planting a logic bomb. There are some technologies, such as network surveillance and monitoring programs, that might detect attempts to create logic bombs. Integrity checking software might deflect attacks from logic bombs. Properly enforced software development policies and procedures will make it harder for someone to plant a logic bomb. But the bottom line is that a determined insider is almost impossible to stop."[9]


Indeed it is a tough problem. In the case of Roger Duronio, it is not clear if more money would have helped him despite the fact that he had a supportive supervisor. Of the five types of defense in depth architectures, the hardest to implement, threat vector analysis[10], works best against this difficult issue. We have little doubt at this point that UBS Wealth Management has a documented threat of unauthorized modification of code and has determined the vectors that one would have to use to accomplish this. Generally this requires separation of duties so that one person cannot move modified code to a production system; they can, at most, move it to a staging area. In addition, we would not be surprised to find code audits high on the list!
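The "integrity checking software" mentioned in the quote above is the one technical control here that is cheap to build. The script below is an added example written for this page, not code from the Chey Cobb blog, SANS or UBS. It records a SHA-256 manifest of a production tree at the moment a release is approved and later compares the live tree against it, so a script quietly altered outside the release process (the way a logic bomb is planted) shows up as modified and a dropped-in file shows up as added. The demo tree, the appended date-triggered branch and the extra script are all constructed inside a temporary directory.

```python
"""File-integrity baseline for a production tree. Added example; the demo
tree and the tampering applied to it are constructed in a temp directory."""

import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map of relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify(root: str, baseline: dict) -> dict:
    """Compare the live tree with the approved baseline manifest."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def _write(root: str, rel: str, text: str, append: bool = False) -> None:
    """Helper for the demo: create or append to a file under root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "a" if append else "w") as f:
        f.write(text)


def demo() -> dict:
    """Build a small 'production' tree, baseline it, tamper with it, and verify."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/nightly_batch.sh", "#!/bin/sh\nrun_batch\n")
        _write(root, "etc/app.conf", "mode=prod\n")
        baseline = build_baseline(root)          # taken when the release was approved

        # Constructed tampering: a date-triggered branch appended to an approved
        # script (the logic-bomb pattern) and an unapproved script dropped in.
        _write(root, "bin/nightly_batch.sh",
               'if [ "$(date +%m%d)" = "0101" ]; then rm -rf /data; fi\n', append=True)
        _write(root, "bin/.cleanup.sh", "#!/bin/sh\n")
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check is only as good as the custody of the baseline: it must be produced by the release process and stored where the people who can change production cannot also rewrite the manifest, which is the separation of duties the paragraph above describes.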


SANS courses that teach how to defend against logic bombs and trap doors include:


-  Reverse-Engineering Malware - Hands-On[11] - The same principles used to analyze malware work just fine on any code you have in your organization.
-  Java Security Auditing[12] - If you are programming in Java, this will teach your auditors what to look for so they can find logic bombs and trap doors.



1. http://www.informationweek.com/story/showArticle.jhtml?articleID=188700855
2. http://www.darkreading.com/document.asp?doc_id=98858
3. http://www.theregister.co.uk/2006/12/13/ubs_logic_bomber_sentenced/
4. http://rf-web.tamu.edu/security/secguide/Treason/Insider.htm
5. http://www.informationweek.com/news/showArticle.jhtml?articleID=190301972
6. http://www.google.com/search?q=cache:cihLehcH3WMJ:ftp.cerias.purdue.edu/pub/doc/morris_worm/seely.PS.Z
7. http://www.acm.org/classics/sep95/
8. http://en.wikipedia.org/wiki/Backdoor
9. http://www.cheycobb.com/logic_bombs.html
10. http://www.sans.edu/resources/securitylab/316.php
11. http://www.sans.org/training/description.php?tid=390
12. http://www.sans.org/training/description.php?tid=447


© 2006-2010 by GSO