Hacking Horror of the Month - Spear Phishing
Spamming and phishing attacks are generally thought of as indiscriminate mass mailings sent in the hope of catching a few unsuspecting souls. This month’s Hacking Horror episode, however, brings into focus a more sophisticated and highly targeted form, “spear phishing”, which from the attacker’s perspective potentially provides much greater returns. What’s more, whereas “traditional” phishing scams have generally been aimed at private individuals (typically with a view to stealing the log-on credentials for personal bank accounts), spear phishing can be used as the basis for attacks on the internal networks of major organisations, and it is unlikely to be picked up by anti-spam technology.
A number of employees at Dekalb Medical Centre received what appeared to be a genuine internal email telling them they had been retrenched. The email then advised the recipient to click on a link to a web site providing career counselling information. Those who clicked on the link unwittingly downloaded a keylogger program.
The mail spoofed a genuine Dekalb address as the sender, and was sent only to a small number of genuine Dekalb recipient addresses. The Dekalb spam filters found nothing suspicious: the mail looked for all the world like a genuine internal communication from a known address to a handful of known addressees. That is precisely the weakness spear phishing exploits. The sender address in a message’s From: header is written by whoever sends the message and proves nothing about where it came from, and a filter that scores mail on volume, known senders and known recipients sees a low-volume message between familiar addresses as exactly the traffic it is meant to pass. The one thing the attacker cannot forge is the point at which the message entered the organisation’s own mail system, and that is a check worth making.
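One concrete gateway check that would have caught the Dekalb mail, given here as an added example that is not part of the original article and not Dekalb’s own configuration: flag any message whose From: address is in the organisation’s own domain but which the gateway accepted from a host outside the organisation’s networks. The domain `corp.example`, the private address ranges, the `mx1.corp.example` gateway name and the three sample messages are all constructed for the example; only the topmost Received: line, the one our own MX prepended, is trusted.

```go
package main

import (
	"fmt"
	"net"
	"net/mail"
	"strings"
)

// InternalDomain is assumed for this example; substitute your own.
const InternalDomain = "corp.example"

// Three constructed messages. The topmost Received: line in each is the one
// our own MX (mx1.corp.example) prepended, so its IP literal is trustworthy.
// Everything below it, including From:, is whatever the sender chose to write.
const spoofedMail = `Received: from mail.freehost.example (mail.freehost.example [203.0.113.10])
	by mx1.corp.example (Postfix) with ESMTP id 3F2A1; Tue, 12 Sep 2006 09:10:11 +1000
From: hr@corp.example
To: jsmith@corp.example
Subject: Position eliminated

Please see http://career-help.example.net for counselling information.
`

const genuineMail = `Received: from ws-017.corp.example (ws-017.corp.example [10.20.30.17])
	by mx1.corp.example (Postfix) with ESMTP id 77B01; Tue, 12 Sep 2006 09:12:00 +1000
From: hr@corp.example
To: jsmith@corp.example
Subject: Career counselling sessions

Reminder: sessions run on Thursday.
`

const partnerMail = `Received: from smtp.partner.example (smtp.partner.example [198.51.100.7])
	by mx1.corp.example (Postfix) with ESMTP id 90C33; Tue, 12 Sep 2006 09:14:00 +1000
From: accounts@partner.example
To: jsmith@corp.example
Subject: Invoice 4471

Invoice 4471 is now due.
`

// InternalNets returns the networks from which genuinely internal mail can
// reach the gateway. The private ranges are an assumption for the example.
func InternalNets() []*net.IPNet {
	var nets []*net.IPNet
	for _, cidr := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// handoffIP extracts the bracketed IP literal ("[203.0.113.10]") that our
// gateway wrote into its Received: line. Returns nil if there is none.
func handoffIP(received string) net.IP {
	start := strings.Index(received, "[")
	end := strings.Index(received, "]")
	if start < 0 || end < start {
		return nil
	}
	return net.ParseIP(received[start+1 : end])
}

func inNets(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckSpoofedInternal reports whether a message claims an internal From:
// address while having entered the gateway from outside the internal
// networks. Messages from other domains are out of scope and never flagged.
func CheckSpoofedInternal(raw, domain string, nets []*net.IPNet) (bool, string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return false, "", err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return false, "", err
	}
	at := strings.LastIndex(from.Address, "@")
	if at < 0 || !strings.EqualFold(from.Address[at+1:], domain) {
		return false, "sender is external; outside the scope of this check", nil
	}
	received := msg.Header["Received"] // first entry is the most recent hop, ours
	if len(received) == 0 {
		return true, "internal From: but no Received: line from our gateway", nil
	}
	ip := handoffIP(received[0])
	if ip == nil {
		return true, "internal From: but gateway Received: line has no IP literal", nil
	}
	if !inNets(ip, nets) {
		return true, fmt.Sprintf("internal From: %s handed over from external host %s", from.Address, ip), nil
	}
	return false, "internal From: delivered from internal host " + ip.String(), nil
}

func main() {
	nets := InternalNets()
	samples := []struct{ name, raw string }{
		{"spoofed", spoofedMail}, {"genuine", genuineMail}, {"partner", partnerMail},
	}
	for _, s := range samples {
		flagged, reason, err := CheckSpoofedInternal(s.raw, InternalDomain, nets)
		if err != nil {
			fmt.Println(s.name, "parse error:", err)
			continue
		}
		fmt.Printf("%-8s flagged=%-5v %s\n", s.name, flagged, reason)
	}
}
```

The check deliberately reads only the Received: line our own gateway added; any lower Received: lines were supplied by the sender and are as forgeable as the From: header. The partner message passes untouched, which is the same gap the article notes for external addresses that the spam filter already trusts.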
In this particular case, Dekalb found out about the incident fairly quickly because some of the recipients contacted the HR department to complain about the way they were being treated. However, it is easy to see how a less provocative variant of this scam could result in keylogging programs being installed on corporate users’ computers and remaining there undetected. There is then a significant chance that the keylogger would capture the user’s log-on credentials, potentially giving the perpetrator remote access to the internal network while posing as that user. Additionally, depending on the user’s role, the keylogger could capture a great deal of sensitive internal information.
So what can an organisation do to prevent this kind of attack? A determined attacker will generally find it fairly straightforward to obtain the email addresses of many users in an organisation (many organisations make a point of publishing the addresses of much of their staff on their web sites, in order to facilitate communication and to demonstrate a “customer friendly” culture), and there is not a great deal that can be done to tackle the problem from this angle. However, two other steps can be taken.
The first is to harden desktops and laptops so that they cannot inadvertently install keylogger programs. This can be done by ensuring that, as part of the standard operating environment (SOE), users do not have administrator privileges on their computers, so that a keylogger cannot install itself as a system service or driver. Additionally, further “lock down” policies, such as restricting which executables users may run, can be implemented through Group Policy settings. Note that removing administrator rights reduces rather than removes the risk: a keylogger that runs as an ordinary program under the user’s own account can still record that user’s keystrokes, which is why the restriction on what users can run matters as much as the restriction on what they can install.
The second is to introduce digital signatures for internal mail. Strictly, a signature does not stop an attacker from writing an internal address into the From: header; what it does is give the recipient, or the mail gateway, a reliable way to tell that a message claiming to come from an internal sender was not in fact signed by one. That only helps if unsigned mail from an internal address is treated as a failure, i.e. rejected or flagged, rather than simply delivered as before. It also will not prevent the attacker from successfully spoofing the address of an external person whose address looks good to the spam filter, such as a known business partner or supplier. Whilst implementing and administering this policy will require some time and effort, it may well be a good investment if, as seems likely, this kind of scam starts to increase.
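An added example (not from the original article) of the signing policy just described, using an Ed25519 key held by the internal mail gateway. The `Message` fields, the `corp.example` domain, the canonical form and the idea of carrying the signature in an assumed `X-Internal-Signature` header are all assumptions; a real deployment would use S/MIME rather than a home-grown format, but the policy decision is the same: a message with an internal From: and no valid signature is refused, while mail from an external partner address remains outside the policy’s reach.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message is a simplified internal mail: the signed fields plus the detached
// signature that the gateway would carry in an assumed X-Internal-Signature
// header. The shape is constructed for this example.
type Message struct {
	From, To, Subject, Body string
	Signature              []byte
}

// GenerateOrgKey creates the gateway's Ed25519 key pair. In practice the
// private key stays on the signing gateway and only the public key is
// distributed to the verifiers.
func GenerateOrgKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonical fixes the byte sequence that is signed: header names lower-cased,
// values trimmed, CRLF line ends, then the body. Any field not covered here
// can be altered without invalidating the signature, so the list must include
// every field a recipient relies on.
func canonical(m Message) []byte {
	var b strings.Builder
	for _, h := range [][2]string{{"from", m.From}, {"to", m.To}, {"subject", m.Subject}} {
		b.WriteString(h[0] + ":" + strings.TrimSpace(h[1]) + "\r\n")
	}
	b.WriteString("\r\n" + m.Body)
	return []byte(b.String())
}

// Sign attaches the gateway's signature over the canonical form.
func Sign(priv ed25519.PrivateKey, m *Message) {
	m.Signature = ed25519.Sign(priv, canonical(*m))
}

func domainOf(addr string) string {
	if at := strings.LastIndex(addr, "@"); at >= 0 {
		return strings.ToLower(addr[at+1:])
	}
	return ""
}

// Verify applies the policy: a message claiming an internal sender must carry
// a signature that checks out under the gateway's public key. Messages from
// other domains are accepted because the policy says nothing about them;
// that is the gap the text notes for partner and supplier addresses.
func Verify(pub ed25519.PublicKey, internalDomain string, m Message) (bool, string) {
	if domainOf(m.From) != strings.ToLower(internalDomain) {
		return true, "external sender: internal signing policy does not apply"
	}
	if len(m.Signature) != ed25519.SignatureSize {
		return false, "internal From: but no gateway signature present"
	}
	if !ed25519.Verify(pub, canonical(m), m.Signature) {
		return false, "internal From: but signature does not match headers/body"
	}
	return true, "genuine internal mail"
}

func main() {
	pub, priv := GenerateOrgKey()
	genuine := Message{From: "hr@corp.example", To: "jsmith@corp.example",
		Subject: "Career counselling sessions", Body: "Sessions run on Thursday.\r\n"}
	Sign(priv, &genuine)

	// The Dekalb-style forgery: same From:, but the attacker holds no key.
	spoofed := Message{From: "hr@corp.example", To: "jsmith@corp.example",
		Subject: "Position eliminated", Body: "See http://career-help.example.net\r\n"}

	// A genuine, signed message altered after signing.
	tampered := genuine
	tampered.Body = "See http://career-help.example.net\r\n"

	for _, m := range []Message{genuine, spoofed, tampered} {
		ok, why := Verify(pub, "corp.example", m)
		fmt.Printf("%-28s accept=%-5v %s (sig=%s)\n", m.Subject, ok, why,
			base64.StdEncoding.EncodeToString(m.Signature))
	}
}
```

The important line is the `len(m.Signature)` check: a verifier that merely skipped messages without a signature would accept the Dekalb mail exactly as the spam filter did. The canonical form also shows why the signed field list matters; a Subject: or From: left out of it could be rewritten without the signature failing.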
For a full account go to
http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9004698