Archive › April, 2009

Spear Phishing – A Serious Sport

Remember the good old days when phishing schemes were easy to spot, at least to the trained eye? Errors in spelling or grammar, poor graphics, and general misuse of language were instant tip-offs. Those days are gone – modern phishing attacks are very sophisticated and very difficult to spot. Phishing pages are virtually indistinguishable from the genuine pages.

The un-targeted “shotgun approach” to phishing is still increasing, but the most dangerous phishing attacks are those that are targeted at specific companies, or even specific individuals. These are known as “spear phishing” attacks and are really blended attacks which combine social engineering with information gathering and reconnaissance.

In a typical scenario, the attacker will use publicly available information, Google hacking methods, phone calls, “dumpster dives”, and even on-site reconnaissance to gather information about the structure of a company, the relationships between employees, email addresses, direct phone numbers, etc., for use in targeted attacks. It is surprisingly easy to obtain a large amount of information about a company this way.

The attacker then uses this information to target specific individuals. We associate familiarity with trust, so a message that contains personal information and details that would normally be known only to our co-workers lowers our defenses. For instance, an attacker may craft an email to an executive with a forged sender address, referencing the fact that a coworker is on vacation in a specific location and has asked to have a particular file sent. An attacker might also send a friendly note to an administrative assistant that contains personal information about his/her family, current events within the company, and so on. This message might contain a link to a malicious file that exploits a recent vulnerability in a web application. The victim has no idea that there has been a compromise.

We can imagine just how powerful these attacks can be. They do require a considerable investment of time and energy, so they are reserved for targets with known valuable information assets. Who does that include? At one end of the spectrum is any company that stores enough information about its employees or clients to facilitate identity theft (that includes a LOT of small businesses). Who is at the other end of the spectrum? How about the dozens of embassies and NGOs that were the victims of the recently-discovered Chinese “GhostNet”? Targeted phishing attacks are suspected to be the attack vector used for most of these infiltrations.

How do companies defend against spear phishing attacks? Information protection policies and filtering at the gateway can mitigate the risks somewhat, but the most important line of defense is education and user awareness. We understand the threats against our physical assets and take reasonable precautions to protect them. We lock our doors, install alarms on our cars, and avoid dark alleys at night because we know that there are thieves who want to steal from us.

When it comes to information theft, the threats are less familiar and the safeguards are less understood. As a society, we are just beginning to understand that information has become a currency with a very real monetary value.

BOTTOM LINE: As consultants, it is our RESPONSIBILITY to help ALL of our clients understand the VALUE of information, the THREATS they face, and the PRECAUTIONS they must take to protect valuable information.

Dennis H in West Virginia, US

April 7


Conficker (April) Fools Day – The Real Danger is not Conficker

Forgive me if I editorialize and slip from factual reporting into expressing my opinion. April 1 has come to most of the world and the sky has not fallen yet. In fact, most of the incidents reported so far are more related to Conficker hysteria than to the effects of the worm (or are April Fools jokes themselves). To be sure, Conficker has been busy downloading instructions for the next round, but nothing dramatic has happened.

A breakthrough (thanks to some German researchers, Rich Mogull, and Dan Kaminsky) made a couple of days ago will make it possible to perform network scans for infected machines. There are also many tools available online to scan for and remove Conficker. The threat is far from over, but my biggest concern is not the noisy, headline-grabbing threats like Conficker. In the end, more harm may be done (and more money stolen from innocent victims) by the myriad of fake malware removal tools (rogues) that the publicity about Conficker has spawned.

In the end, the noisy Confickers of the security world are not our biggest threat. The whole Conficker affair smells like a marketing ploy to me – intended to get the attention of those potential buyers of future exploits who lurk in the shadows of the internet. The yet-undisclosed authors of Conficker have certainly demonstrated their abilities. Microsoft’s $250,000 reward is an indication of just how much top-notch malware writers like this could command for their services. The real threats are the quiet ones, the ones that lurk undetected for years, silently stealing information and leaking it out without being noticed. There is no better example than the recently-disclosed GhostNet allegedly operated by the Chinese.

We must not let ourselves become so distracted by the threats in yesterday’s or today’s headlines that we become lax in our vigilance. This would be the perfect time to slip in a new zero-day exploit while everyone is focused on Conficker. It is those crafty, hidden pieces of malware that will be some future headline (or, worse, the ones that will remain undiscovered and never make the headlines) that keep me awake at night.

Dennis H in West Virginia, US

April 1


CTV reports on Conficker

CTV reports on Conficker – included above is an interview with Barry Ball and David Redekop of Nerds On Site.
