And he’ll hack for a lifetime. And how!

Spear-phishing, the practice of luring people in organizations into giving up control of confidential data via seemingly legitimate emails, is the contemporary corporate hacker’s bff. Why not, when all it takes is one employee clicking on one “2011 recruitment plan.xlsx.”

While researchers are working on ways to prevent spear-phishing (more on that in a bit), right now companies have to rely on a combination of network monitoring and skeptical, savvy, even paranoid employees.

Judging by the glut of spear-phishing attacks, such employees are few and far between. To wit:

1. Hacked: The New York Times Co

Date: Fall 2012-winter 2013

Details: In response to a New York Times investigative series on the family finances of Chinese premier Wen Jiabao, Chinese hackers persistently targeted the email accounts of Times employees involved with the story. This was an unusual case in that the Times was aware of the attacks early on and chose to observe them in order to understand how they were carried out, which proved trickier than it had initially expected.

Info accessed: Email accounts, emails, documents, corporate computer passwords, information stored on corporate and personal computers.

Methodology: The hackers first compromised computers at US universities and routed their attack traffic through them, so that the intrusion would not trace back to its origin. The initial entry was spear-phishing emails carrying malware; once inside, the attackers installed further tools that gave them a foothold on the Times’ network and the corporate passwords of its employees, which they then used to reach individual staff computers.
 

2. Hacked: RSA

Date: March 2011

Details: In order to obtain information pertaining to RSA’s SecurID products, attackers launched a so-called zero-day attack (one exploiting a vulnerability with no patch yet available) that depended on one single employee opening one spreadsheet.

Methodology: The attackers sent a small number of RSA employees a phishing email with an Excel spreadsheet attached, entitled “2011 Recruitment Plan”. The spreadsheet carried an embedded Flash object exploiting a then-unpatched Adobe Flash vulnerability; when the file was opened, the exploit installed a remote administration tool, Poison Ivy RAT. From that foothold the attackers harvested credentials, used them to reach more privileged accounts, then moved on to servers and the data on them, which they staged, copied and exfiltrated.
 

3. Hacked: The Financial Times

Date: Spring/Summer 2013

Details: The Syrian Electronic Army launched a successful spear-phishing attack on the employees of the Financial Times in response to “William Hague and David Cameron’s recent allocation of 40 million pounds to fuel death and destruction in our country in order to obtain political consessions [sic].”

Methodology: The SEA sent phishing emails to certain FT staff from external addresses, some of them the personal accounts of other FT staff. The links appeared to lead to a CNN story but redirected to a page that mimicked the FT’s email login screen. Anyone who entered credentials there handed the SEA control of their account; the SEA then sent email from those accounts (including fake IT notifications urging employees to change their passwords immediately, the ideal lure for a credential-harvesting page) and posted links to SEA material from hijacked FT Twitter accounts and WordPress blogs.

The FT is now encouraging, and in some cases mandating, two-factor authentication across the organization, a sensible response given that this attack stole passwords rather than planting malware.
 

4. Hacked: The AP

Date: April, 2013

Details: Remember when the AP tweeted that the White House had been attacked and the president had been injured? Turns out that tweet was the work of the SEA as well. Using spear-phishing tactics similar to those used in the FT attack, the SEA sent AP staffers an email that appeared to come from a colleague and contained a link purporting to lead to Max Fisher’s WorldViews blog on the Washington Post. The tweet was repudiated quickly, but not before it had been retweeted thousands of times and briefly sent the Dow down about 143 points.
 

Spear-phishing is a particularly insidious method of attack because each instance of it is unique and, often, well-disguised. But that doesn’t mean organizations should throw up their hands or ban any clicking of emailed links or downloading of emailed attachments. Researchers at Trustwave are looking into natural-language algorithms capable of detecting phishing emails, no easy feat considering these emails are built on aping the purported sender’s writing style.

There’s also the nascent Dark Mail protocol, Lavabit founder Ladar Levison’s effort to open source the Lavabit code. Dark Mail ditches SMTP for a protocol that end-to-end encrypts and authenticates both the message and its metadata in transit. The property that matters for phishing is the authentication rather than the encryption: a forged message could not validate as coming from a colleague unless the phisher had first obtained that colleague’s private signing key. It offers no protection, of course, against a message sent from a colleague’s genuinely compromised account.

Right now, a company’s best bet may come down to common-sense policies like asking employees to read email in plain text (which exposes the real URL behind a link rather than the text it hides under) and confirming unexpected attachments with their senders over a different channel (a phone call, not a reply to the email itself).
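The plain-text advice works because the visible text of a link and its real target are two different things, and HTML rendering shows only the first. As an added example that is not part of the original post, here is a small Python script that automates that check over a constructed HTML message modelled on the FT lure: it flags anchors whose visible text names one host while the href goes to another, and hrefs that embed the organization’s own domain as a label inside a host it does not control. The sample message, the hypothetical own_domain “example-news.com” and the lookalike host are assumptions, not artifacts from any of the incidents above.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real incident artifact. The first link shows a CNN
# URL as its text but points at a lookalike host built around the target
# organization's own (hypothetical) domain, the pattern in the FT lure.
SAMPLE_EML = """\
From: A Colleague <colleague@example-news.com>
To: reporter@example-news.com
Subject: Did you see this?
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Worth a look: <a href="http://login.example-news.com.evil.test/owa">
http://edition.cnn.com/2013/05/world/story</a></p>
<p>Also <a href="https://edition.cnn.com/about">CNN about page</a>
and <a href="https://edition.cnn.com/world">edition.cnn.com</a></p>
</body></html>
"""

# Accepts a bare hostname such as edition.cnn.com; rejects free text like "click here."
_HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude registrable-domain approximation: the last two labels. Good enough
    for this check; a real deployment would consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def _host_from_text(text):
    """Return the host the link text claims to point at, or None if the text
    is not a URL or hostname."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = (urlparse(candidate).hostname or "").lower()
    return host if _HOST_RE.match(host) else None


def find_deceptive_links(raw_eml, own_domain="example-news.com"):
    """Return a list of (reason, claimed, actual) findings for the HTML part."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())

    findings = []
    for href, text in collector.links:
        actual = (urlparse(href).hostname or "").lower()
        claimed = _host_from_text(text)
        # The visible text names a host, but the href goes somewhere else.
        if claimed and _registrable(claimed) != _registrable(actual):
            findings.append(("text-href-mismatch", claimed, actual))
        # Our own domain appears inside a hostname we do not control.
        if own_domain in actual and _registrable(actual) != _registrable(own_domain):
            findings.append(("lookalike-host", own_domain, actual))
    return findings


if __name__ == "__main__":
    for reason, claimed, actual in find_deceptive_links(SAMPLE_EML):
        print(f"{reason}: shows {claimed!r}, actually {actual!r}")
```

Run against the sample, the first link produces both findings and the two genuine CNN links produce none. The check is deliberately narrow: it says nothing about a link whose text is “click here”, and a compromised colleague’s account sending a perfectly honest-looking link to a credential page on a fresh domain would pass it, which is exactly why the out-of-band confirmation step still matters.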
