Research

Threat Intelligence comes in many shapes and sizes, all of which are helpful for Early Warning of imminent attack. After introducing the initial Early Warning concepts, we recently delved into how network telemetry and other information about your pipes can help to identify compromised devices in Network-based Threat Intelligence. We continue discussing all sorts of threat intel by focusing on phishing in our new series, Email-based Threat Intelligence. We stay true to our naming conventions. But in all seriousness, if you are targeted by phishing attacks, you probably know what we’re talking about. Attackers target your brand, they stage high-volume attacks to steal personal information from customers, and then ultimately they monetize stolen personal data – typically by looting the accounts of your customers. All of which cost your organization big money. So what we will do in this series is dig into the seedy underbelly of the phishing trade, starting with an explanation of how large-scale phishers operate. Then we’ll jump into threat intelligence on phishing – basically determining what kind of trail phishers leave – which gives us data to pump into the Early Warning system. Finally we will cover how to get quick wins with email-based threat intelligence. If you can stop an attack, go after the attackers, and ultimately disrupt attempts to steal personal data, you’d do that, right? So we will wrap up this short series by quickly showing impact. Before we get started I want to thank Malcovery for agreeing to potentially license the content at the end of the project. As with all our research, we will produce Email-based Threat Intelligence using Totally Transparent Research. That means we build the content independently and objectively, and tell you what you need to hear. Not what any vendor wants you to hear. Sizing up Targets Why do phishers target specific brands? To harvest and ultimately monetize personal information. Obviously targeting financial institutions is a no-brainer. So you probably see phishing attempts targeting every major bank, brokerage, and other financial institution like PayPal fly into your inbox all the time. Retailers are also low-hanging fruit – once phishers gain access to an online shopping account they can buy all sorts of stuff using your customer’s credit. And you get left holding the bag. Fun! But lately we have been receiving phishing attempts for other major consumer brands such as shipping companies, phone companies, and airlines. Huh? If someone owns a frequent flyer account, the risk is having them see how close until the next FF tier, right? No, not exactly. When you (or someone who works for your organization) clicks on a phish, they may enter account information into the phishing site, which is the first win for the attacker. But it’s not the only opportunity for pwnage. Attackers also systematically install malware on the device, and that’s where the real monetization happens. Once they have a foothold they mine the data for as long as they can. Attackers collect bank accounts, passwords, and other sensitive information. So basically every large consumer brand has been and will continue to be a serious phishing target. These companies have millions of customers, which means millions of potentially compromised devices for attackers to mine. Obviously the highest value phishing attacks target financials, where the victim can be monetized immediately. But the endgame involves installing malware which is why we see secondary brands emerge as phishing targets. It is outside of the scope of this research, but we would be negligent if we didn’t at least mention that it’s a very bad idea to save financial information in the website of any retailer or other services company. Sure, one-click buying is convenient, as is not enter that pesky credit card number with every purchase. But it also leaves you at the mercy of the website’s security – not a good place to be. If you do need to save personal information on these sites, at least use very strong unique passwords with a password manager, as Rich has described numerous times in places like MacWorld. The Phish Phishing is the front end of a multi-faceted attack, so let’s take a look at the first set of steps in Cloppert’s Kill Chain and show how these concepts apply to phishing. First let’s look at recon, which starts with picking the brand to target, typically a financial or payment company. The APWG’s statistics (PDF) show that upwards of 65% of phishing targets are financial and payment organizations. Duh. But let’s be clear about why many of the phishing campaigns target only a few popular brands. Is this just Pareto at work? The real reason is the advent of the phishing kit. Just like malware kits, phishing kits offer a packaged phishing campaign for a very modest price. This takes care of the weaponization step in the kill chain – these kits include everything you need to phish, with the exception of domains to host the phishing site. Images, emails, designs, and even a few malware variants are included, which is driving down the average IQ of phishers. You might think phishing kits need to be constantly updated to keep pace with the constant web site changes undertaken by the major consumer brands. Not so much – most consumer victims wouldn’t be able to tell a vintage 2009 Wells Fargo site from the latest and greatest. The images and code used on the phishing site tell a story about the attacker and can provide significant intelligence to disrupt the attack, so we will delve into that in the next post. The other key aspect of the kill chain for to phishing is delivery. The primary delivery mechanism for phishing is email, which requires the attacker to evade spam filters. Discussing those tactics is a bit beyond what we can do in this series, but suffice it to say that attackers are rather sophisticated in how they test both delivery of email and the domain names they drive victims to. Similarly to the way attackers use VirusTotal and other AV test harnesses, phishing professionals focus quite a bit of effort on testing against common anti-spam engines,

Thales released a 2012 survey on encryption spending trends today. In a nutshell, spending was up a modest amount for the first time in several years. From the Deep Dive post: estimated total spending on encryption by all sectors grew by 2.5 percent from 2011 to 2012, one of the biggest jumps in the eight years the survey has been conducted. Thales released the “2012 Global Encryption Trends Study” today. The Ponemon Institute of Traverse City, Mich., surveyed 4,205 individuals on Thales’ behalf. The spending figures were particularly interesting to Thales: “This last year we saw one of the biggest hikes in budgets that we’ve seen for the last seven years or so,” said Thales e-Security’s Richard Moulds, vice president of product strategy. In 2011, businesses and governments spent 15.1 percent of their information technology security budget on encryption. The number jumped to 17.6 in 2012. A couple things to note about this information. For security products not driven by compliance (like PCI) or vulnerabilities that totally disrupt IT (think SQL Slammer), sales typically grow at a rate of 2-3% a year. From our conversations with companies of all sizes, use of encryption is up across the board. However, adoption is mostly for new projects, rather than expansion of existing installations. And in many cases developers are the ones who select free or open source encryption products, not commercial products. They do this so the development process is not burdened by having to get budget or deal with sales droids. This means spending does not go up at the same rate that usage goes up. Still, the encryption market has not seen the sales growth we would otherwise expect – instead people invest in better key management services, or in alternatives to encryption (e.g. tokenization, masking) to protect data. It’s a growing market, but buyers are cautious about how and where they spend their money. Share:

One trend we see coming on like a freight train is the rebirth of security awareness training. Folks are working on content that doesn’t suck and enterprises are finally starting to gather data about how stupid mistakes (such as clicking phishing messages) are decreasing after training sessions. NetworkWorld recently ran an article (in their Insider section, which requires registration – boo!) providing some tips to deal with phishing. The part of the article I found most interesting was a description of how attackers appeal to either greed or fear to entice action. It sounds a bit like marketing to me… “most spear phishing attacks take one of two tacks – they either appeal to human greed or fear. In other words, either they offer money, coupons, discounts or bargains that are too good to be true. Or they announce that your checking account or eBay account has been frozen and you need to re-enter your credentials, or some other scenario in which you are required to enter personal information….or else.” Then there are a few tips about educating users, including having them look at URLs from right to left. Folks who read Hebrew have a clear advantage at this. And other obvious stuff, including not opening files from folks you don’t know, and never providing account credentials to an unsolicited query. Of course all this seems obvious to you and me. It’s too bad it’s not obvious to your employees. Get on board with security awareness training. Or keep cleaning up the mess. Photo credit: “Clean Up or You’re Out! :Brooklyn Street Sign” originally uploaded by emilydickinsonridesabmx Share: