Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Crime The Almighty Buck

The Sophisticated Business of Today's Most Nasty Phishing Attacks (infoworld.com) 38

snydeq writes: Forget Nigerian princes — today's spearphishing is sophisticated business, fooling even the most seasoned security pros, writes InfoWorld's Roger A. Grimes, in a look at what sets today's most sophisticated spearphishing attempts apart. 'Most of the time, phishing attempts are a minor menace we solve with a Delete key. Enter spearphishing: a targeted approach to phishing that is proving nefariously effective, even against the most seasoned security pros. Why? Because they are crafted by thoughtful professionals who seem to know your business, your current projects, your interests. They don't tip their hand by trying to sell you anything or claiming to have money to give away. In fact, today's spearphishing attempts have far more sinister goals than simple financial theft.'
This discussion has been archived. No new comments can be posted.

The Sophisticated Business of Today's Most Nasty Phishing Attacks

Comments Filter:
  • it's an ego play.
    • by AHuxley ( 892839 )
      Or a competitor, state gov/fed officials/other gov/militnational or even legal international police cooperation trying to find out why all the no bid contracts go to just one company without trying to attract too much attention.
      If they seem to know so much, who or what is leaking the details to even set up the skilled entry attempts.
  • What seasoned security pro would click on a link that takes them somewhere that requires account credentials...and then enter those credentials?
    • by Anonymous Coward
      That would be MS seasoned security pros. The rest of us know better.
    • by caseih ( 160668 ) on Monday November 09, 2015 @09:09PM (#50898101)

      If you read the fine article, you'll find that what the author is really talking about is a full-blown compromise of corporate networks.

      Today's adversary isn't merely a passive reader. They intercept and change emails, albeit slightly, when the need arises. Yes decisions may become no; no may become yes. Sometimes key recipients will be removed from the email's receiver list. More receivers may be added. Email groups may be modified. Encryption and signing may be turned off.

      In one of the most notorious examples I've ever read, a company knew it was badly compromised with an APT. In an attempt to reclaim the network, the help desk sent out an email asking every recipient to change their password. Certainly, that would make it harder for the malicious intruders to hang out -- except that the intruders had control of the help desk's email account. Right before the email was sent, the intruders changed the embedded link so that it took users to a perfect copy of the company's password-change website hosted under the intruder's control. Users followed the help desk directions, but in doing so allowed intruders to capture every password change.

      Seems to me the problem isn't phishing... it's the compromise to begin with, and the problems that led to that.

      • Right before the email was sent, the intruders changed the embedded link so that it took users to a perfect copy of the company's password-change website hosted under the intruder's control. Users followed the help desk directions, but in doing so allowed intruders to capture every password change.

        Seems to me the problem isn't phishing... it's the compromise to begin with, and the problems that led to that.

        Or, in this case, subcontracting the most trivial tasks out of the company. If it is expected that even company-internal business is run outside of the company's network (surveymonkey...), then nobody blinks an eye if the password changing site isn't hosted by the company either.

    • by Jeremi ( 14640 )

      If they can combine the phishing email with a known browser exploit, then just getting the victim to click the link can be enough -- no entering of credentials is necessary.

    • by oic0 ( 1864384 )
      The latest phishing test we did at work used a spoofed email address that looked like HR at our domain and said you needed to read the enclosed word document, print it, and turn it in to HR. No macros so you didn't need to enable editing or enable macros in the document for it to work and it still silently redirected to an external site. In practice the email wouldn't have gotten through without help, but all it takes is one. You can image with just a word document, an internal looking email address, and pr
      • I can image better writing skills, that was clear as mud.

        • by KGIII ( 973947 )

          Well, they did mention "proper writing skills" so, I presume, they've not actually been able to do this as they appear to lack those skills. Perhaps they're sharing why it is, exactly, that "it" got lots of hits - they probably failed and were promptly beaten by their coworkers.

      • a spoofed email address that looked like HR at our domain

        A seasoned security pro would spot that... unless they actually hacked HR, and used their real e-mail (which would be one plausible attack vector, as HR are usually not "seasoned security pros", and are expected to receive loads of dodgy word documents which could carry all kinds of nasty...)

    • by raymorris ( 2726007 ) on Monday November 09, 2015 @11:44PM (#50898661) Journal

      There are plenty of regulations and such that require all employees take certain training or sign certain forms. In any company of significant size, HR sends out such emails.

      In the security realm specifically, SANS is a major, major name. Possibly the best known and respected provider of security training. They offer some of that training at securingthehuman.org. The have a program in which companies can have all employees take SANS training at CompanyName.securingthehuman.org. To ensure that each employee does the training, you have to log in with your credentials.

      Of course HR or the security administrator sends a mass email telling all employees to click the link to take their mandatory security training. That's security administrators working with the leading provider of security training, and we're REQUIRING all employees to click an emailed link and enter credentials.

      At most security- conscious companies, employees also have to agree to the security policy. In order to have a database showing that every employee has received the policy, we have them LOG IN and click "I have read and agree to the policy". And we send that link out to all employees either upon hire or annually.

      We don't just click links, the security professionals -require- all employees to click the log in. Then we get annoyed when an executive or sysadmin clicks a link in an official- looking email and logs in (forgetting that we ourselves did the same thing two weeks before).

      • we have such courses at google too, but the vendors are invariable required to use OAuth, so no credentials are entered on 3rd party sites.
        • Is the Oauth launched from / embedded in the 3rd party site?
          In other words, does the email link to a 3rd party, which then has an iframe or popup to Google's OAuth? If so, the source of the iframe is a technical detail that's invisible to the user. As far as they can tell, it's a third-party site they're being told to enter their credentials into.

          The alternative is to have them log in to the local trusted company web site, which then has an SSO link to the third party, so that users never enter credential

      • There are plenty of regulations and such that require all employees take certain training or sign certain forms. In any company of significant size, HR sends out such emails.

        At a previous company, HR sent out just such an email, and the links all went off-site, to some domain like "12monkeys.com" That wasn't the name, but it was something similarly named, a "no actual company HR would really use would ever have a name like that" sort of domain. It was also newly registered, and I believe that it had "Privacy Protect" on its whois data to boot.

        When I got it, I immediately sounded the alarm, yelling "PHISHY PHISHY PHISHY PHISH!!!", because the email went to everyone in the comp

    • What seasoned security pro would click on a link that takes them somewhere that requires account credentials...and then enter those credentials?

      It's not just about phishing... the article's title is poorly chosen. Even the introductory paragraph, Nigerian 419 scams, are not phishing strictly speaking.

      What they are doing is hack weakly protected business partners of the actual target, and send virus-laden mail from there to the intended target. Virtually impossible to spot (everything about the mail looks correct, including the actual content, which is indeed speaking about an ongoing project with this (hacked) partner). The only fault of the targe

  • From TFA:

    "Today’s professional Internet criminals work 9-to-5 days, pay taxes, and get weekends and holidays off. The companies they work for often have dozens to hundreds of employees, pay bribes to local law enforcement and politicians, and are often seen as the employer of choice in their region. Working for companies that break into companies in other countries is often proudly worn as a patriotic badge."

    Tell me again why a submarine launched Tomahawk [wikipedia.org] cruise missile doesn't suddenly strike that co

    • "Today’s professional Internet criminals work 9-to-5 days, pay taxes, and get weekends and holidays off."

      Sure, but whaddya bet that they go out to lunch a little early on Fridays to beat the crowd? After all, they are criminals...

    • by MyAlternateID ( 4240189 ) on Monday November 09, 2015 @10:48PM (#50898465) Homepage

      From TFA:

      "Today’s professional Internet criminals work 9-to-5 days, pay taxes, and get weekends and holidays off. The companies they work for often have dozens to hundreds of employees, pay bribes to local law enforcement and politicians, and are often seen as the employer of choice in their region. Working for companies that break into companies in other countries is often proudly worn as a patriotic badge."

      Tell me again why a submarine launched Tomahawk [wikipedia.org] cruise missile doesn't suddenly strike that corporate HQ one day, killing everyone in the building and reducing it to rubble and ash? It seems that these people need to be reminded of who they're messing with when they declare war against our financial system.

      The people who own the financial system are definitely not the people worthy of any sort of patriotic sentiment. There is a reason Jefferson warned us about this [monticello.org] a long time ago, because even in his time, this system wasn't new.

      Incidentally, two U.S. Presidents were killed by being shot in the head in public: Abraham Lincoln and JFK. What do they both have in common? They both tried to issue interest-free money directly through the Treasury department, outside of the control of private bankers. In Lincoln's case, they were called Greenbacks. In JFK's case, they were a representative currency (dollars backed by silver). I'm sure that's a total coincidence. After all, if someone tells you that a street thug might shoot you to take the $50 in your wallet, that person is reasonable; if someone else says that banksters would kill anyone to protect their trillions-of-dollars financial empires, well that guy's just a conspiracy nut, just like those guys who said several years ago that the NSA was spying on everyone, right? It's a good thing we're all above such tin-foil hattery!

      Of course there's the more practical matter of whether it's really worthwhile to kill people and commit what foreign nations would call an act of war, merely because a few domestic corporations had shitty security since they failed to appreciate that the public Internet is a hostile network. Generally, we don't kill people for financial or other property crimes, and we aren't supposed to sanction them in any way at all without a trial (preceded by an extradition if necessary).

      If you're going to pull an "America, FUCK YEAH!", please understand that "America" used to actually mean something, and in particular it meant we don't do certain things -- like punish people without due process -- just because more authoritarian nations might do such things. That was once the sort of thing we observed other nations doing, frowned upon, and considered ourselves better than. Believe it or not, the collective culture once valued the visceral satisfaction of swift vengeance less than it valued the sanctity of our founding principles. A good history book will talk about this, and the sad thing is, you would need one to hear about such things today.

      • by Anonymous Coward

        If you're going to pull an "America, FUCK YEAH!", please understand that "America" used to actually mean something, and in particular it meant we don't do certain things -- like punish people without due process -- just because more authoritarian nations might do such things. That was once the sort of thing we observed other nations doing, frowned upon, and considered ourselves better than.

        Things like ... oh, you know ... bombing a hospital run by a non-partisan international medical aid organization and killing 30 people -- staff and patients -- despite having been provided with the exact GPS coordinates of the hospital's location mere days earlier, thereby violating not only the Geneva Convention but pretty much all of the fundamental mores of humanity and decency.

        (anon to preserve mods and for no other reason)

  • With smartphones and social media broadcasting our every little detail through the lens of narcissistic amplification to the entire planet it wouldn't take much effort at all to figure out your soft spots. All it would take is the idea and a psychologist leading a call center where teams work on a list of targets scraping social media.

    Oh hey here's one from town x in the state of y and there is a documented outage of y right now. Lets call pretending to have shut y off until they pay the over-due amount.

    The

  • Do not sound dissimilar in action from the NSA, GCHQ, [intelligence agency X]... from the TFA:

    The companies they work for often have dozens to hundreds of employees, pay bribes to local law enforcement and politicians, and are often seen as the employer of choice in their region. Working for companies that break into companies in other countries is often proudly worn as a patriotic badge.

  • Demarcate internally-sent emails from external in the server and email clients (by IP address, with additional logic to detect spoofing). That way it becomes immediately clear whether the email you got is really from your coworker.

Solutions are obvious if one only has the optical power to observe them over the horizon. -- K.A. Arsdall

Working...