Security Laboratory

Security Laboratory

Security Laboratory: Methods of Attack Series

These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.

Other Related Articles in Security Laboratory: Methods of Attack Series

Spear Phishing

By Stephen Northcutt

Spear phishing is a pinpoint attack against some subset of people (users of a website or product, employees of a company, members of an organization) to attempt to undermine that company or organization. It isolates a specific group of people, as opposed to spamming the world, and attempts to get them to do something to gain access to proprietary data or company systems. It will often look real and appear to come from a legitimate member of the organization. For instance, a spear phish may appear to come from an executive of the company asking for login IDs and passwords.

As an example, the CIO of Acme Inc. is John Doe. The entire organization receives an e-mail from John Doe saying that everyone should send their user IDs and passwords to him because he is doing a system audit. Those who do not will get their access to the network terminated and may face disciplinary action. Employees then respond to the email thinking they are sending the email to John Doe, but it is really going to Joe Hacker.

A more recent example involved a recent 0-day Microsoft Word exploit reported at the Internet Storm Center. Organizations would get legitimate looking e-mails with signatures and all, that included a hostile Word document. The e-mail would encourage users to read the Word document which would happily infect the target machine. The Word document would install a bot that would do extensive system reconnaissance searching of (among other things) the My Documents Folder, patches that were installed on the machine, and the configuration of Internet Explorer. It would then leave a bot on the machine to allow for remote control of the host.

While spear phishing is unique in that it is highly customized to the recipient to increase the chance of exploitation, the defenses against spear phishing are largely the same. If a user gets a suspicious e-mail, they can simply call the sender and verify they sent it. Users should avoid sending confidential information over e-mail. Because spear phishing tried to imitate legitimate users, it is typically very easy to verify if an e-mail is legitimate by simply calling the apparent sender.[1]

Microsoft offers the following 5 tips to avoid phishing:[2]
  • Never reveal personal or financial information in a response to an e-mail request, no matter who appears to have sent it.
  • If you receive an e-mail message that appears suspicious, call the person or organization listed in the "From" line before you respond or open any attached files.
  • Never click links in an e-mail message that requests personal or financial information. Enter the Web address into your browser window instead.
  • Report any e-mail that you suspect might be a spear phishing campaign within your company.
  • Use Internet Explorer 7 or the Windows Live Toolbar, both of which contain Phishing Filter, which scans and helps identify suspicious Web sites, and provides up-to-the-hour updates and reporting on known phishing sites.
The Wall Street Journal carried a story about New York State CIO Will Pelgrin's use of fake phishing emails to test the awareness of some 10,000 New York state employees,

About 15% of the recipients tried to enter their passwords before being stopped by the automated program, which sent them a note explaining the exercise. An additional 3% tried to enter the Web address in their own browsers, a sound security practice that can deflect most attacks.

In July, a second message, purportedly from the employee's own agency, asked for help fixing an Internet problem "due to a suspected cyber security event." A link took employees to a Web page that asked their email address, agency, network user name and password, and phone number. This time, only 8% of the recipients tried to interact with the fake Web site, while 5% were careful enough to enter the Web address themselves.[3]

Awareness and education, while important, are not enough. "Educating e-mail users has had only limited success, according a West Point faculty member. The first test e-mail, sent to 400 West Point cadets, received an 80 percent click rate. Subsequent exercises with as many as 3,000 cadets produced lower, but not sharply lower, response rates."[4] Content filtering at the browser and network egress point is critically important.