Consultant's view: Spear phishing - the wolf in Granny's bed
The latest concern is custom malware that targets internal desktops, writes Gunter Ollmann.
When I meet the CSOs or heads of security of organisations to talk about the latest threats or the motivations behind high-profile security incidents, they are often surprised at the scale of some of the current targeted attacks. They are used to the endless rain of unsolicited and unwanted spam that can make up 90 per cent of their email traffic, along with the regular deluge of email- or web-borne viruses and spyware.
Most security professionals are also familiar with the constant “door rattling” of script-kiddies and would-be attackers, apparent when those attackers run their port scanners or generic vulnerability scanners and cycle through the organisation's netblock. For some, this can consume up to 10 per cent of internet bandwidth.
The threats that are causing increasing concern are attacks that compromise an internal desktop system and propagate internally. Not so much the classic worm blindly leaping between hosts, but custom malware designed to steal customer details or authentication credentials – delivered directly to employees – and bundled in a way that could fool even the most paranoid security professional.
These targeted attacks are on the increase, with their success largely governed by the strength of their social engineering message. Consider a bogus email from the sales director of one country sent to hundreds of email addresses in another region proposing an organisational change – the details of which are contained within an attached JPEG file of the organisation chart. The JPEG, of course, uses the latest buffer overflow vulnerability to install a bot-agent on the endpoint machine.
These are “spear phishing” attacks, and their scale has surprised many professionals. The perpetrators are well-organised and study their target well to maximise future infiltration. They perform extensive passive information gathering, trawling websites, newsgroups and instant messenger forums for details of the organisation's internal structure – its hierarchical management charts and staff names and email addresses.
In addition, they often have access to a talented pool of expert malware developers and will build a custom bot-agent just for the attack. They will design this carefully so as not to trigger signature-based anti-virus engines and test it using websites that allow you to submit files that are then scanned by a dozen different AV solutions (and tell you which engine actually identified the virus).
Spear phishers' favoured delivery method is email, and most targeted attacks start with fewer than 200 individual emails. A well-researched attack, with an equally well-crafted social engineering message, will typically have an infection success rate of more than 80 per cent, initially compromising 150+ internal workstations (only five per cent of typical phishing attacks usually succeed).
From then on, the nature of the attack is linked to the sophistication of the installed bot-agent. Some of the newer bots tend to operate stealthily, spending their first few days or weeks in a passive mode, sniffing the network and recording host names, user names and passwords. They then wake at a later date to use this captured information and infect the next batch of internal hosts.
With 150 initial “seed” bots, it is not unusual to see the botnet reach 5,000 infected hosts by the end of a week – propagating “legitimately” using sniffed user credentials.
Obviously, with such a pervasive infection, the attacker can do a lot of damage to the organisation. But the key point that CSOs and heads of security should remember is the sheer scale of the attack.
While there has been an annual increase in the number of attackers poking away at perimeter defences in an attempt to compromise valuable server hosts, there has been a much larger increase in targeted attacks, and an exponential rise in spear phishing attacks, mainly because they are so successful.
A word of advice for those organisations that have yet to invest in internal defence – you are an easy target and your IT infrastructure might well have already been compromised by an email supposedly from a colleague in another office.