Phishing: Cutting the Identity Theft Line
When TippingPoint’s president and chief technology officer, Marc Willebeek-Lemair, received an e-mail from the Federal Trade Commission informing him that a client was filing a complaint against his network security company for overcharges, he was directed to download the complaint – a Microsoft Word file – from an FTC Web page and return the attached form with any questions about the process.
The message, sent in 2008, was an elaborate scam targeting top-level executives.
TippingPoint researchers discovered the sender’s address had been “spoofed” (faked) and the link didn’t lead to the FTC’s Web site. In fact, the document – which looked like an FTC complaint – was infected with a data-stealing Trojan horse. Because the message referred to Willebeek-Lemair by name and no one else in TippingPoint received the message, the company concluded that criminals studied its chain of command and selected their target.
“It specifically said something that a C-level executive would get immediately alarmed about,” said Rohit Dhamankar, director of security research at TippingPoint’s DVLabs.
The message is an example of an increasingly common hacker technique known as spear-phishing, a much more effective and carefully crafted variation of the phishing lures that seek to trick victims into surrendering their private data.
Researchers believe that as spam-filtering technology has improved and people have become savvier at recognizing phishing ploys (such as the classic Nigerian e-mail scam), criminals are now dedicating more time and resources to going after specific groups of individuals. They often trick users into downloading malicious software from infected Web pages or e-mail attachments like Adobe Reader PDFs and Microsoft Office documents.
Carefully planned
In these attacks, the hackers identify specific individuals or groups of people with something in common. To make their attacks more effective, criminals take pains to impersonate credible sources, adorning messages with professional graphics and composing well-written stories to hook their targets.
To personalize the messages and make them more convincing, security researchers believe criminals run simple search queries to find biographical information, including a person’s position within an organization and their responsibilities. Hackers can also learn names of friends.
“This is very easy to do. Google, Facebook, LinkedIn and other sites can provide valuable information about anybody,” Dhamankar said.
The extra homework pays off. The Anti-Phishing Working Group estimates that less than 1 percent of people who receive one of the billions of generic phishing schemes sent every day take the bait. Meanwhile, estimates from several experts place the success rate of these tailored attacks between 25 and 60 percent.
In a 2006 experiment by the department of computer science at Indiana University, researchers sent e-mails with test links to almost 500 students purporting to come from friends with the intent of finding out how many would unwittingly have fallen for a real attack.
Even though researchers placed obvious clues to recognize the test – like prominently displaying the word “phishing” in the phony Web site – 72 percent of respondents gave their user names and passwords away.
“That is a dramatic yield. That’s the power of using the spear,” said Markus Jakobsson, principal scientist at the Palo Alto Research Center and one of the experiment’s authors.
Nilesh Bhandari, product manager at Cisco IronPort Systems’ security technology unit, estimated targeted attacks comprise less than 1 percent of all phishing schemes, but he said criminals intentionally keep the volume low. The fewer of these ploys there are, the more difficult it is for researchers to study and filter them out.
“The challenge is really finding the needle in the haystack,” Bhandari said.
Targeted attacks can go after anyone: from job seekers, gamers and gamblers to military contractors, pro-Tibet activists and people who just happen to live in a geographical area selected by the criminals. Last year, the FBI said that small and medium-size businesses have lost at least $40 million since 2004 to criminal exploits like spear-phishing.
“Most advanced users do not fall for regular phishing but (they) do fall for targeted attacks,” said Mikko Hypponen, chief research officer at Finnish security firm F-Secure. “You get an e-mail from someone you know, talking about real events and pointing to a normal-looking attachment. Would you open it? Of course you would.”
In spear-phishing samples collected by F-Secure, criminals hacked e-mail addresses from the domains of George Washington University, the Washington Post and even the State Department.
Attack on Google
The most notable instance of spear-phishing recently is the January attack on Google that attempted to hack into the Gmail accounts of Chinese human rights activists and steal valuable source data from the search giant and more than 30 other tech companies.
Researchers now know that criminals identified key Google staffers, found out who their friends were and fashioned attacks to lure them to infected Web pages.
“They were all attacked for a particular reason. (The hackers) knew the machines and networks they wanted to access. They knew who was sending e-mails to their targets and who they were receiving them from. It speaks to the reconnaissance they did beforehand,” said David Marcus, director of security research at McAfee Labs.
These types of attacks are particularly dangerous because, as the attack on Google demonstrated, anyone can fall for them.
“In terms of internal security, it’s the weakest link – people who might not be involved with security technology – who fall for these attacks,” Dhamankar said. “If someone was targeting an entire company and sends spear-phishing to all employees, even if one or two people click on that link, (the tactic) succeeds because the criminal has gotten a foothold in the enterprise.”
Dodging the spear
It is difficult to fend off an attack from a crook determined to steal your information, but security experts suggest a few simple precautions that can go a long way:
— Above all, keep your security software up to date.
— If a link is malicious, rolling the cursor over it without clicking sometimes reveals a URL leading to a different address than the one it promises.
— Never share personal information solicited through e-mail. When in doubt, go to the Web site of the organization purporting to send the message instead of clicking on any links.
— Be suspicious of links and attachments sent through e-mail or social networks.
Sources: Cisco Systems and TippingPoint
By Alejandro Martínez-Cabrera: Read more: http://www.sfgate.com
Tags: Anti-Phishing Working Group, Nigerian e-mail scam, spam-filtering, spear-phishing
