Automated spear phishing – a perfect storm?

Back in January one of my 2011 predictions for “cyber fraud story of the year” was having more targeted yet massive phishing attacks. The two biggest news trends in cyber security seem to indicate that this threat can actually become real in 2011:

  1. highly effective attacks targeting what one would expect to be the most impenetrable companies, whose bread and butter is cyber security – RSA and Oak Ridge National Lab. The term frequently used to describe these attacks is “Advanced Persistent Threat” – but in reality what hides behind it is a successful spear phishing attack.
  2. repeated exposure of massive amounts of user personal data – names, emails, addresses, and in some cases even dates of birth, credit card numbers (!) and SSNs (!!). Just a couple of breaches in recent months expose the scale of the problem:

Spear phishing attacks have always been considered a highly targeted version of a cyber attack, tailored to the potential victim’s profile (the root of the term – phishing with a ‘spear’ rather than a ‘wide net’). The RSA and Oak Ridge National Lab breaches are yet another confirmation of the efficiency of such attacks. Typically, the targets of spear phishing attacks are senior executives (spear phishing is sometimes referred to as ‘whaling’ for that particular reason) or companies which represent a hefty prize to the fraudster community.

Could the usually hand-crafted spear phishing attacks be automated and put on a massive scale? I don’t see why they couldn’t (most probably, to some extent, they already are). As common knowledge in the industry goes, simply adding the victim’s name to the phishing email’s opening line drastically increases the probability of the end user trusting the message (and then clicking the link). Add to it the knowledge of the companies the victim has an established relationship with, the phone number (BTW, has anybody thought of automated phone attacks?) and the address – and the attack can be personalized to a degree that an ‘average Joe’ stands no chance of distinguishing it from email communication coming from the real business.

To be sure, exposure of user data is in itself a very dangerous phenomenon. In addition to “old-fashioned” identity theft, stolen user data can be applied in other types of attacks – such as password guessing (your name is John and you were born in 1970? The chances that you use one of ‘john1970’, ‘Johny70’, ‘JOHN70’, etc. are infinitely higher than those of random gibberish no dictionary would contain). However, marrying phishing attacks with intimate knowledge of the victim’s data may prove to have the most severe and widespread impact.

What will happen when spear phishing goes massive? Hopefully, it’ll speed up the adoption of well-known counter-measures. For businesses – discipline in storing user data and adoption of 2FA. For end users – the practice of using different passwords across different sites (reusing one should be as weird as using the same key to unlock your house, car and office), not clicking on links in your emails (should be as weird as opening your door to a stranger) and keeping your personal data away from the rest of the World.
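One business-side counter-measure that follows directly from the ‘john1970’ / ‘Johny70’ / ‘JOHN70’ point above is to refuse, at registration or password change, any password that is built from data the service already knows about the user (and that a breach would hand to an attacker). The following is an added example written for this post, not code from the original article: a small PII-aware password check. The user record, the token list and the `pii_derived` / `is_acceptable` function names are assumptions for illustration; it generalizes the post's name-plus-birth-year case to any harvested token (surname, employer, city) and treats a bare two-digit year as evidence only when another token has already matched.

```python
import re
from typing import Iterable, List


def _canon(s: str) -> str:
    """Lower-case and drop everything that is not a letter or digit, so that
    'John_1970!' and 'john1970' are compared as the same string."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def pii_derived(password: str, pii_tokens: Iterable[object], min_residue: int = 4) -> List[str]:
    """Return the reasons a password looks like it was built from the user's
    own data. pii_tokens are facts an attacker could have harvested about the
    user (first/last name, birth year, employer, city...). Matching is
    case-insensitive and ignores separators. An empty list means no known PII
    was found in the password."""
    residue = _canon(password)
    reasons: List[str] = []
    short_years: List[str] = []
    for token in pii_tokens:
        t = _canon(str(token))
        if len(t) < 3:
            continue  # too short to count as evidence on its own
        if t.isdigit() and len(t) == 4:
            short_years.append(t[-2:])  # 1970 -> '70', to catch 'Johny70'
        if t in residue:
            reasons.append(f"contains '{token}'")
            residue = residue.replace(t, "")
    # A bare two-digit number is weak evidence, so it only counts once some
    # other PII token has matched (e.g. the name in 'JOHN70').
    if reasons:
        for y2 in short_years:
            if y2 in residue:
                reasons.append(f"contains two-digit year '{y2}' next to other PII")
                residue = residue.replace(y2, "")
                break
    if reasons and len(residue) < min_residue:
        reasons.append(f"only {len(residue)} character(s) are not derived from known PII")
    return reasons


def is_acceptable(password: str, pii_tokens: Iterable[object]) -> bool:
    """Policy decision: reject any password that reuses known PII."""
    return not pii_derived(password, pii_tokens)


if __name__ == "__main__":
    # Constructed sample user record (hypothetical); the first three
    # candidates are the post's own examples.
    user_pii = ["John", "Smith", 1970, "Acme Corp"]
    for candidate in ["john1970", "Johny70", "JOHN70", "acme-corp-2011",
                      "correct horse battery staple"]:
        verdict = pii_derived(candidate, user_pii)
        print(f"{candidate!r:32} {'OK' if not verdict else 'REJECT: ' + '; '.join(verdict)}")
```

The check is meant to sit beside, not replace, a breached-password list and a length rule: it catches the guesses the post describes (name plus year in any casing or with separators) while leaving long unrelated passphrases alone. The residue threshold is deliberately low so that a long passphrase which merely happens to contain a short name is flagged for the name only, and the reasons list can be shown to the user as-is.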

Cyber security trends for 2011

Well, it’s that time of the year again. Scores of well-known gurus and security companies, as well as some simple mortals, come out with their predictions on how cyber fraud will evolve in the coming 12 months. Sometimes these “prognoses” are limited to attaching “security threat” or “attack vector” to generally emerging technologies – e.g. “more fraud on smart devices”, “cloud security threats” etc. Such predictions are based on the common principle that any new functionality is a potential security threat, and that fraud attempts are proportional to its popularity. Naturally, like any generalization, this approach has its limits… indeed, if a new functionality proves to have a higher bar for penetration than the existing ones, the fraudsters will happily stick to the old known methods without complicating their lives.

Having said that, I couldn’t resist the temptation myself – and came out with some prognoses of my own:

  • Trojans will become more mature and deadly. User machines are becoming both the Holy Grail and the Weakest Link in the defense against cyber criminals. With the client machine compromised, most server-side anti-fraud technologies are useless – in some cases even 2FA may be circumvented (naturally, this is true for client-side attacks like XSS or XSRF). There’s little hope that a remedy is within reach – the trend of fraudsters shifting their attention from relatively hardened OSes to the application layer (such as browser plugins, but also stand-alone applications like PDF readers) will continue to grow in 2011, resulting in a race which the good guys may not be able to win.
  • Phishing – i.e. tricking netizens into revealing their passwords, PII, SSN and other information – is going to get more severe, taking spear attacks to mass production. Indeed, taking into account the volume and availability of mass information (enough to mention the alleged 100 mln Facebook accounts’ information put on torrent), it’s only a matter of time before massive old-style phishing attacks (with a low success rate of around 0.1-0.3%) become more personal and targeted and thus much more effective (the success rate may jump to 1-3%).
  • Information Security – how long will it take governments and corporations to move to closed environments – with machines which have no burnable DVD drives or USB ports, hard drives living in clouds and isolated access to the public net (not even mentioning having our smartphones banned at the workplace – as we could still take a picture of the screen and email it right away)? My take – forever. So WikiLeaks will continue making headlines and more copycats of it will proliferate in 2011.
  • IPv6 – most probably 2011 will be the first year where IPv6 starts to be used in the wild (as IPv4 free space will finally be depleted). Taking into account the general procrastination of big businesses (for whom security is an afterthought until it bites them in the a*s), they are going to be less prepared (to put it mildly) for the transition to IPv6 than the fraudster community. Now imagine all the IP3 filters, IP geolocation and other techniques which became mainstream, all the infrastructure tuned to IPv4 and built on the back-ends of companies, starting to behave “strange” as soon as requests come in with IPv6 addresses. Subsequently, if these requests prove to be more effective in hiding fraud, guess how much (or little) time fraudsters will need to jump on the opportunity.
  • Smartphones – if anything, Android – being an inherently more open platform than iPhone OS – but overall I do not think we’ll witness any spectacular security breaches (including using smartphones as tools to commit fraud) just because of the obvious proliferation of smartphones; generally speaking they are safer than our desktops and laptops, harder to get hold of, harder to infect and inherently easier to locate (tied to a geolocation).
  • Cloud computing – if anything, it’ll be increasingly leveraged by the bad guys to achieve their nefarious goals, rather than suffering breaches itself (e.g. data being stolen from the cloud). Not that it’s impossible, I just think there are more available and easier to access means.
  • Virtual currency – as much as its volumes are going through a spectacular growth period, there’s a conceivable ceiling to their expansion, and so to the associated fraud. I don’t think they will become the Big Story of 2011, although the fraud will grow proportionally to the volume of virtual goods and services.
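The IPv6 point above has a very concrete shape in code: an IP filter written when every client was a dotted quad does not fail loudly when the first IPv6 request arrives, it simply finds no match and lets the request through. The following is an added example, written for this post and not taken from it or from any product it mentions, that puts such a naive IPv4-only blocklist beside a family-aware one. The blocklist ranges are constructed from documentation prefixes, the function names are assumptions, and the sample client addresses are made up; the example also covers IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`), which dual-stack sockets hand out for ordinary IPv4 peers and which slip past a string-prefix check just as well.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple, Union

# Constructed blocklist using documentation ranges (RFC 5737 / RFC 3849),
# standing in for whatever abuse list a real back-end maintains.
BLOCKED_NETWORKS = ["192.0.2.0/24", "2001:db8:bad::/48"]

_DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def naive_is_blocked(client_ip: str, blocked_prefixes: Iterable[str] = ("192.0.2.",)) -> bool:
    """The IPv4-only check the post warns about: it recognises dotted quads,
    compares them by string prefix, and treats anything else as 'not listed'.
    Every IPv6 client, including an IPv4-mapped one, therefore passes."""
    if not _DOTTED_QUAD.match(client_ip):
        return False  # fails open on anything that is not IPv4
    return any(client_ip.startswith(p) for p in blocked_prefixes)


Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_client_ip(raw: str) -> Optional[Address]:
    """Parse either address family. IPv4-mapped IPv6 (::ffff:a.b.c.d), which
    dual-stack sockets hand out for IPv4 peers, is unwrapped so the IPv4
    part of the blocklist still applies to it."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_blocked(client_ip: str, blocked_networks: Iterable[str] = BLOCKED_NETWORKS) -> bool:
    """Family-aware check. Input that does not parse is treated as blocked
    (fail closed) instead of silently passing."""
    addr = parse_client_ip(client_ip)
    if addr is None:
        return True
    for net in blocked_networks:
        network = ipaddress.ip_network(net, strict=False)
        if addr.version == network.version and addr in network:
            return True
    return False


def filter_gap(client_ips: Iterable[str]) -> List[Tuple[str, bool, bool]]:
    """Addresses on which the two filters disagree, as (ip, naive, aware)."""
    rows = [(ip, naive_is_blocked(ip), is_blocked(ip)) for ip in client_ips]
    return [r for r in rows if r[1] != r[2]]


if __name__ == "__main__":
    # Constructed client addresses, as a web front-end might log them.
    sample = ["192.0.2.7", "198.51.100.9", "2001:db8:bad::1",
              "::ffff:192.0.2.7", "2001:db8:1::1", "garbage"]
    for ip, naive, aware in filter_gap(sample):
        print(f"{ip:20} naive={naive!s:5} family-aware={aware}")
```

Run stand-alone, `filter_gap` lists exactly the requests the old filter would have waved through: the native IPv6 client inside the blocked prefix, the IPv4-mapped form of a blocked IPv4 address, and unparsable input. The same pattern applies to geolocation lookups and rate limiters keyed on client address: parse first, decide per address family, and make the unknown case fail closed rather than default to “allowed”.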

All the above is more intuition than science, and naturally only time will tell how right or wrong I am now (fortunately, we don’t have to wait too long). Plus, many reputable specialists would disagree with my relatively low risk ranking of smartphones, clouds and virtual currency – which makes it even more intriguing and worth looking forward to.