Where Every Phisher Knows Your Name
Spear phishing is the unholy love child of email spam and social engineering.
It refers to when a message is specifically crafted, using either public or previously stolen information, to fool the recipient into believing that it’s legitimate. This personalization is usually fairly general, like mentioning the recipient’s employer (easily gleaned from their domain name.) Sometimes they address you by name. Much scarier is when they use more deeply personal information stolen from one of your contacts: if you get a message from a friend’s email or facebook account referring to a recent private conversation you had with them, wouldn’t you believe it was really them? Wouldn’t anyone?
Though not new, spear phishing has been increasing. There’s no way to measure it accurately, of course, but reports are increasing — and getting scarier. A US State Department cable made public by WikiLeaks discusses an attack on government climate change researchers in 2009. Return Path was targeted last year, along with many other major companies in the email industry. And over the holidays, dozens of government employees — including many who work on cybersecurity — fell for what looked like an eCard from the White House.
Historically, phishing attacks appeared fairly innocuous, when viewed from a global perspective. After all, how much damage can be done by stealing one user’s login credentials? And early on, the damage was minimal — again, from a global perspective. Most often, the stolen account was used to send spam until their ISP’s rate limits noticed, and shut down the account. Echoing Stalin, each stolen account was absolutely devastating for that individual user, but was otherwise lost in the noise.
But phishing — and especially spear phishing — has evolved since then. Late in 2007, phishers stole the login credentials of a salesforce.com employee, used those credentials to steal email addresses from salesforce.com, and then sent more phishing messages to those addresses.
Today, that same phish recipe is like Lipton onion soup dip: no matter how many times the phishers serve it, everyone still yums it up. And they’ve evolved, focusing now on specific high-value targets.
Email service providers are particularly tasty because they have lots of lists of email addresses, almost always split by interest in particular products and general demographics. By getting into ESPs, the phishers can take advantage of the hard work email marketers — the ESPs’ clients — have put into making sure their messages are relevant and welcome to recipients. Some of the big-name brands whose lists were compromised recently via their ESP accounts include McDonalds, Walgreens, and Honda Finance, all of whom did the right thing by immediately informing their customers and offering assistance.
So far it’s unclear what the bad guys will do with those stolen lists. They may just be used for spam, but it seems more likely that they’ll be used for additional spear phishing. For example, knowing that a particular list of addresses belong to recent Honda buyers, they could trick people into handing over all sorts of personal financial information with a promise of lowering the APR on their loan.
Government employees are also high-value targets for the spear phishers. According to this article by leading security journalist Brian Krebs, a recent spear-phishing attack featuring a fake holiday eCard purporting to be from the White House netted hundreds of NSF grant applications, records of court-ordered cell phone intercepts, and draft policy documents relating to money laundering, terrorist financing, new technologies, and foreign aid. Though receiving (thus far) far less attention than the Wikileaks collection, this is still one of the widest known governmental data breaches in recent memory.
In that attack on government employees, the message tricked recipients into downloading malware which they thought was an eCard from the White House. The malware then stole passwords and documents from their computer, and uploaded the stolen booty to a server apparently in Belarus. This, too, is different from the traditional phishing attack where victims are encouraged to type their username, password, and other information into a duplicitous web page.
It’s clear that the criminals’ techniques have evolved beyond technology-only attacks, and thus so must our protections and our paranoia.
Obviously, as always, education is necessary — though not sufficient. The Anti-Phishing Working Group has a list of the best educational materials available, but even there, user education about phishing tends to still be focused on the old, scattershot phishing methods rather than the extremely targeted attacks of today — and on identity theft, rather than theft of corporate or governmental data.
Overall, the most important thing is to stay aware of what’s going on out there so you can recognize when it happens to you. A few of the best sites for up-to-the-minute security-related information include Brian Krebs’ Krebs on Security, Wired’s Threat Level, Sophos’ Naked Security, and the curated aggregator Box of Meat.