Monday, June 10, 2013

Casting a net : phishing and spearphishing

Phishing and spearphishing are terms almost daily used. The former covers the whole family of attacks in which an attacker tries to gain some information from his victim. The distinction to spearphishing comes when the attacker has a prior knowledge of his targets.

At large, the attacker massively sends e-mails to targets without knowing them, and has a generic message, such as a communication from a bank, a government agency (IRS, FBI, ...), an e-mail or social network provider, or any other entity. The goal is to have the target either provides some information about itself such as first and last names, e-mail or social network credentials, date of birth, social security or credit card number, passport informations and so forth; or click on a link that is serving some malware to compromise its computer. The latter form can be used to install some crimware or a botnet agent, collect personal information, or access bank accounts.

A botnet agent can, in turn, be used to distribute spam or be used as an anonymizing proxy to access illegal content. All the connections will seem to be originated from the victim's computer.

In this scenario, the attackers often use spam lists, address books of e-mail addresses collected by spammers and used to distribute junk mail. These address lists can contain millions of addresses, and even if as low as 0.01% of the targets fall from it, that still represents a significant number - if the list has "only" 100,000 valid entries, and 0,01% of them provide  the information, that is 10 people who will become victims of the phishing attack. On the other hand, an attacker with a list containing 1 million valid entries and a success rate of 1% will make 10,000 victims.

The information collected can either be exploited directly by the phisher or sold to other parties. For example, the credentials to access a valid Bank of America account with an $18,000 balance costs $800 [2].

Corporations, governmental and non-governmental agencies have to face a more specific type of attack: spearphishing. The attacker will gather as much information as possible on the target, including subscriptions, center of interests, relationships between people and so forth. The idea is to be able to craft an e-mail to will have a very high likelihood of being read and reacted upon to achieve a higher rate of success, with industry statistics indicating an average rate of 19% [1].

The aims behind the attack is to gain some information, for example credentials to access a corporate remote access, but also often to plant a piece of code categorized as an advanced persistent threat ("APT"). Once installed, these can stay for months without being detected, quietly sending data off of the network to the attacker. That data can be some intelectual property, but also classified or sensitive information,  commercial offers or client's list.  

Protecting against phishing or spearphishing is not easy as it appeals to our emotions and feelings: the fear of being prosecuted by a government agency or of losing a job, the lust of easy money or of an unbelievable opportunity, the compassion towards people suffering or in distress, the trust we usually have for authority figures. Against that, people have to start questioning and thinking: if it is too good to be true, then it most likely isn't. If it seems legit but a bit off, then it most likely is.



[1] Bimal Parmar, "Protecting against spear-phishing", Computer Fraud and Security, January 2012, http://www.faronics.com/assets/CFS_2012-01_Jan.pdf
[2] "Zero-Days Hit Users Hard at the Start of the Year", TrendLab 1Q 2013 Security Roundup, January 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-zero-days-hit-users-hard-at-the-start-of-the-year.pdf