Enter spearphishing: a targeted approach to phishing that is proving nefariously effective, even against the most seasoned security pros. Why? Because they are crafted by thoughtful professionals who seem to know your business, your current projects, your interests. They don’t tip their hand by trying to sell you anything or claiming to have money to give away. In fact, today’s spearphishing attempts have far more sinister goals than simple financial theft.
Here’s a look at what sets today’s most sophisticated spearphishing attempts apart -- and how to keep from falling prey to their advances.
Traditionally, phishing emails have been created by low-end scammers who have opted for the buckshot approach: slap together a sloppy message and spam en masse. You’re bound to get someone. In fact, the more obvious the phishing attempt, the better, as this would ensure ensnaring the most gullible of dupes.
Somewhere along the way this changed. Professional criminals and organized crime realized that a lot of money could be made by sending out better spam. Brian Krebs’ 2015 bestseller "Spam Nation" traces the rise of professional criminal gangs in Russia that made tens of millions of dollars each year and supported multiple large companies, some of which pretended to be legitimate and were traded on stock exchanges.
Then nation-states got in the game, realizing that a handful of thoughtfully crafted emails could help them bypass the toughest defenses, simply by targeting the right employees. Today, the vast majority of advanced persistent threats (APTs) gain their first foothold inside victim companies by sending a few emails.
Today’s professional Internet criminals work 9-to-5 days, pay taxes, and get weekends and holidays off. The companies they work for often have dozens to hundreds of employees, pay bribes to local law enforcement and politicians, and are often seen as the employer of choice in their region. Working for companies that break into companies in other countries is often proudly worn as a patriotic badge.
These professional hacking mills employ divisions of labor. The marketing team, often led by executives, seeks customers willing to pay to hack a particular company for information, although the mills will often attack any company on spec, then market the information afterward.
The research and surveillance teams gather information about the target company’s org structure, business partners, Internet-accessible servers, software versions, and current projects. They obtain much of this information by visiting the target company’s public website and breaking into a few of its weaker-protected business partners.
This research is passed along to a team of initial compromisers, which establishes anchors inside the target organization. This team is the most important team at the mill, and it is broken down into several skilled subgroups, each focused on a particular domain: breaking into servers, launching client-side attacks, performing social engineering attacks, or spearphishing. The spearphishing team works hand in hand with the research team, mixing relevant topics and projects with their cadre of boilerplate email templates.
There are other teams as well. Backdoor teams come in after the initial entry is secured to help ensure easy future entry by inserting backdoor Trojans, creating new user accounts, and vacuuming up every log-on credential in the compromised organization.
Then, like any good consulting company, a longer-term team is dedicated to this “client.” This team roots around looking for important information, detailing the organization’s structure and VIPs. Within a short amount of time they know every defense system the company has in place and how to bypass it. When some new project or big piece of data comes online, this team is among the first to know about it. Any potentially interesting info is copied for safekeeping and future sale.
If that sounds a little different than a script kiddie whipping together a sloppy email at an Internet café, you’ll know why today’s phishing attempts are that much more effective. It’s a day job -- won by interview -- with a salary, benefits, and project bonuses. It even comes with a nondisclosure agreement, HR hassles, and departmental politics.
Make no mistake: Phishing emails went pro.
Today’s spearphishing emails often originate from someone you email with on a daily basis, not a Nigerian prince. They often appear to be from a boss, team leader, or some other authority figure up the management chain to ensure the victim opens the email and is more likely to do whatever the email says.
The email could be from an outside, sound-alike email account meant to resemble the authoritative person’s personal email account. After all, who hasn’t received a work-related email from a co-worker who accidentally used his or her personal account? We accept it as a common mistake.
It might arrive from a sound-alike account name on a popular public email service (Hotmail, Gmail, and so on), with the sender claiming to be using this previously unknown account because they are locked out of their work email. Again, who hasn’t been through this before?
But more likely than not, the phishing email appears to arrive from the other person’s real work email address, either because the phishing organization is able to spoof the sender address from the outside, or because it has successfully compromised the other person’s email account. The latter is becoming the most popular attack method -- who wouldn’t click on a link sent by their boss?
Many spearphishing victims fall prey to the fact that the malicious sender seems to know what projects they are working on. This is because spearphishers have spent time researching them or have been in control of a colleague’s email account for a while. The email may include a subject line like “Here is that report on XYZ you’ve been waiting on,” or “Here are my edits to the report you sent,” with an attached copy of a report originally sent by the receiver, but with an updated autolaunch malicious link. It might also allude to a project’s viability, asking, “Do you think this will impact our project?” or exclaiming “Someone beat us to it!” with a link to a malicious news article that appears related to the project.
I’ve seen emails purporting to be from lawyers seeking increases in child support to individuals going through a divorce. I’ve seen phishing emails from leaders of professional organizations sent out to their membership lists. I’ve seen emails to C-level officers claiming to have pending lawsuit information, which ask the receiver to run the executable to “unlock” the attached confidential PDF file. I’ve seen bogus updates sent to IT security pros purporting to contain a security update from a vendor, about a product they recently bought and installed.
The email subjects and body contents aren’t “Look at this!” generic ruses. Nope, today’s spearphishing email comes from someone you trust on a project you are working on. After you read a few of these you start wishing all we had to worry about was fake dying relatives and Viagra ads.
These days corporate attackers are monitoring dozens of email accounts in your company. It’s where they get the necessary context to fool your co-workers and where they can monitor the most sensitive and valuable information in your company.
If you find out your company is compromised, assume that all C-level employees and VIP email accounts are compromised and have been for a long time. Even the initial reporting of the bad guy’s possible detection is probably in front of their eyes. They know what you know.
When faced with this sort of adversary the only solution is a completely “out of band” network, including brand-new computers and new email accounts. Anything else will probably be a waste of time.
Today’s adversary isn’t merely a passive reader. They intercept and change emails, albeit slightly, when the need arises. Yes decisions may become no; no may become yes. Sometimes key recipients will be removed from the email’s receiver list. More receivers may be added. Email groups may be modified. Encryption and signing may be turned off.
In one of the most notorious examples I've ever read, a company knew it was badly compromised with an APT. In an attempt to reclaim the network, the help desk sent out an email asking every recipient to change their password. Certainly, that would make it harder for the malicious intruders to hang out -- except that the intruders had control of the help desk’s email account. Right before the email was sent, the intruders changed the embedded link so that it took users to a perfect copy of the company’s password-change website hosted under the intruder’s control. Users followed the help desk directions, but in doing so allowed intruders to capture every password change.
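The sound-alike sender accounts described above and the swapped help-desk link in this story share a handful of mechanical tells that mail-gateway rules can check before a human ever reads the message. The following Python is an added example written for this article, not code from the original or from any product it mentions; it assumes a constructed trusted domain (example-corp.com), constructed sample messages, and a simple Levenshtein distance to spot sound-alike domains. Link checking runs even when the sender is genuine, which is the case that matters when the help desk’s own account has been taken over.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed placeholders for this example: our own domain, and the public webmail
# providers a "locked out of my work email" story typically uses.
TRUSTED_DOMAINS = {"example-corp.com"}
PUBLIC_WEBMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a trusted domain is a sound-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted_host(host: str) -> bool:
    """True only for a trusted domain itself or a subdomain of it (not a look-alike suffix)."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyse_message(raw: str) -> list:
    """Return human-readable findings for one message; an empty list means nothing looked off."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])

    # 1. Sound-alike sender domain (example-c0rp.com standing in for example-corp.com).
    for trusted in TRUSTED_DOMAINS:
        if from_dom != trusted and 0 < edit_distance(from_dom, trusted) <= 2:
            findings.append(f"sender domain {from_dom} is a sound-alike of {trusted}")
    # 2. A colleague's or executive's name on a public webmail account.
    if from_dom in PUBLIC_WEBMAIL and from_name:
        findings.append(f"display name '{from_name}' on public webmail {from_dom}")
    # 3. Replies quietly redirected to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 4. Links pointing outside our own domains, even when the sender is genuine:
    #    this is the check that would have caught the swapped help-desk link.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not is_trusted_host(host):
            findings.append(f"link host {host} is outside trusted domains: {url}")
    return findings


# Constructed sample messages (no real people, domains or URLs).
HELPDESK_PHISH = """\
From: Help Desk <helpdesk@example-corp.com>
To: all-staff@example-corp.com
Subject: Mandatory password change

Following the incident, please change your password today at
https://password.example-c0rp.com/reset
"""

EXEC_PHISH = """\
From: Pat Executive <pat.executive@example-c0rp.com>
Reply-To: pat.executive@gmail.com
To: jdoe@example-corp.com
Subject: Here are my edits to the report you sent

Updated draft: https://docs.example-corp.com/reports/q3
"""

LEGIT = """\
From: Sam Colleague <sam.colleague@example-corp.com>
To: jdoe@example-corp.com
Subject: Meeting notes

Notes are at https://docs.example-corp.com/notes/today
"""

if __name__ == "__main__":
    for name, raw in (("helpdesk", HELPDESK_PHISH), ("exec", EXEC_PHISH), ("legit", LEGIT)):
        print(name, analyse_message(raw) or ["no findings"])
```

A gateway rule like this cannot tell you that the help desk’s account is compromised; it only tells you that the password-change link does not go where a password-change link from the help desk should go, which is enough to hold the message and trigger the out-of-band phone call the article recommends.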
For decades, phishing emails used everyday malware tools as attachments. Today, they use custom tools, forged and encrypted expressly for you, or programs built into the operating system you are running. The result is the same: Your antimalware scanner doesn’t pick up the malicious file or commands. And once the criminal company is on your network, it is careful to run only those same kinds of tools.
Malicious scripts written in the victim’s built-in scripting languages (PowerShell, PHP, and so on) are fast becoming a tool of choice. PowerShell is even showing up in malware toolkits, which end up producing PowerShell-only malware programs, as a number of public malware write-ups have documented.
Fueling this trend is the fact that it’s much harder for antimalware software, or even forensic investigators, to determine whether a legitimate tool is being used for nefarious purposes. Take Remote Desktop Protocol (RDP) connections, for example. Nearly every admin uses them. When the bad guy does too, it can be difficult to determine when the RDP connection is doing something malicious. Not only that, but it could be difficult to impossible to remove the legitimate tool to thwart the attacker without also removing the tool the good guy needs to clean up the system.
The days of malware using randomly picked ports to copy data off of your network are long gone. So too are the days of using popularly reserved ports (such as IRC port 6667) to send commands and control malicious creations remotely.
Now every malware program works over SSL/TLS port 443 and uses industry-accepted, military-approved AES encryption. Most companies have a hard time seeing into port 443 traffic, and most don’t even try. Companies are increasingly using firewalls and other network security devices to see into 443 traffic by intercepting the TLS session and substituting their own certificate for the intruder’s. But when the data inside the 443 stream is further encrypted with AES, that does forensic investigators no good. It’s impenetrable gobbledygook.
Malware writers’ use of standard encryption is so good that even the FBI is telling ransomware victims to simply pay up. In fact, if you find a malware program running on any port but 443 and not using AES encryption to cover its tracks, it’s probably the work of a script kiddie. Alternately, it’s been in your environment for a long time, and you only now discovered it.
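The “impenetrable gobbledygook” point has a practical consequence for anyone running TLS inspection: once the proxy has stripped the outer TLS layer, a payload that is still AES-encrypted looks like uniformly random bytes, and that near-uniform byte distribution is itself something you can measure. The following Python is an added example for this article, not code from the original; it assumes the payloads have already been decrypted by a TLS-inspecting device, uses a constructed HTTP request as the readable sample, and uses seeded pseudo-random bytes as a stand-in for AES ciphertext so it runs offline.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_payload(data: bytes, threshold: float = 7.2, min_len: int = 512) -> str:
    """Label a decrypted TLS payload by what an analyst would be able to read.

    'readable'  : text or a structured protocol (HTTP, JSON, ...)
    'opaque'    : byte distribution close to uniform, as AES ciphertext is
    'too-short' : too few bytes for the entropy estimate to mean anything
    """
    if len(data) < min_len:
        return "too-short"
    return "opaque" if shannon_entropy(data) >= threshold else "readable"


# Constructed sample 1: an ordinary HTTP request as the proxy sees it after TLS
# termination. Repeating it lengthens the sample without changing the byte distribution.
PLAIN_HTTP = (
    b"GET /news/project-update HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html\r\n\r\n"
) * 8

# Constructed sample 2: a stand-in for an AES-encrypted blob carried inside the TLS
# stream. One seeded generator is used so the run is reproducible; real ciphertext
# has the same near-uniform byte distribution.
_rng = random.Random(443)
OPAQUE_BLOB = bytes(_rng.randrange(256) for _ in range(4096))


def triage(payloads: dict) -> dict:
    """Return {name: (entropy, label)} for a dict of captured payloads."""
    return {name: (round(shannon_entropy(p), 2), classify_payload(p)) for name, p in payloads.items()}


if __name__ == "__main__":
    for name, (h, label) in triage({"http": PLAIN_HTTP, "blob": OPAQUE_BLOB}).items():
        print(f"{name:5s} entropy={h:.2f} bits/byte -> {label}")
```

The entropy flag is triage, not proof: compressed archives, images and video also score near 8 bits per byte, so the useful signal is an opaque payload on port 443 to a destination where the application protocol should have been readable after inspection, which is exactly the profile the article describes.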
Until the past few years, most companies never bothered to enable their log files, or if they did, they didn’t collect them and alert on suspicious events. But times have changed and now IT defenders would be considered negligent if they didn’t enable and check logs on a routine basis.
The bad guys have responded by using techniques, such as command-line and scripting commands, that are less likely to be picked up by event logging tools, or they simply delete the logs when they are finished. Some of the more sophisticated attackers use rootkit programs, which maliciously modify the operating system so that executions of their malicious tools are never logged.
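The built-in tools discussed above (PowerShell, RDP) and the log-deletion habit described here all leave traces in the Windows Security log, provided the records are forwarded off the host before anyone can wipe them. The following Python is an added example for this article, not code from the original; the event IDs it keys on are the real Windows ones (4688 process creation, 4624 logon with logon type 10 for RDP, 1102 audit log cleared), while the sample records, users and addresses are constructed and simplified to a few fields. The internal address ranges and the list of Office parents are assumptions a real deployment would replace with its own.

```python
import re
from ipaddress import ip_address, ip_network

# Address ranges we treat as "inside the building"; RDP from anywhere else is suspect
# (assumed for this example; substitute your own ranges).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Parents that have no business launching a shell: document viewers and mail clients.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"\s-e(?:c|n[a-z]*)?(?=\s)", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"\s-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

# Constructed sample records, simplified from Windows Security log fields.
# The encoded payload "QQBCAEMA" is a placeholder (UTF-16LE "ABC"), not real malware.
EVENTS = [
    {"event_id": 4688, "user": "jdoe", "parent": "WINWORD.EXE", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"event_id": 4688, "user": "admin1", "parent": "explorer.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\nightly-backup.ps1"},
    {"event_id": 4624, "user": "svc_backup", "logon_type": 10, "src_ip": "203.0.113.7"},
    {"event_id": 4624, "user": "admin1", "logon_type": 10, "src_ip": "10.0.0.5"},
    {"event_id": 1102, "user": "admin1"},
]


def detect(events: list) -> list:
    """Return (severity, message) pairs for records matching one of three rules."""
    findings = []
    for ev in events:
        eid = ev["event_id"]
        if eid == 4688 and ev["process"].lower() == "powershell.exe":
            cmd = ev["cmdline"]
            reasons = []
            if ENCODED_FLAG.search(cmd):
                reasons.append("encoded command")
            if HIDDEN_WINDOW.search(cmd):
                reasons.append("hidden window")
            if ev["parent"].lower() in OFFICE_PARENTS:
                reasons.append(f"spawned by {ev['parent']}")
            if reasons:
                sev = "high" if len(reasons) > 1 else "medium"
                findings.append((sev, f"{ev['user']}: suspicious PowerShell ({', '.join(reasons)}): {cmd}"))
        elif eid == 4624 and ev.get("logon_type") == 10:
            # Logon type 10 is RemoteInteractive, i.e. an RDP session.
            src = ip_address(ev["src_ip"])
            if not any(src in net for net in INTERNAL_NETS):
                findings.append(("high", f"{ev['user']}: RDP logon from non-internal address {src}"))
        elif eid == 1102:
            # Only ever seen on a collector that received the record before the wipe.
            findings.append(("critical", f"{ev['user']}: security audit log cleared"))
    return findings


if __name__ == "__main__":
    for sev, msg in detect(EVENTS):
        print(f"[{sev}] {msg}")
```

The RDP rule deliberately does not try to decide whether a given session is malicious, which the article says is often impossible; it narrows attention to sessions that arrive from outside the ranges an admin would normally use, and leaves the admin’s own internal session alone.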
The average time a professional criminal organization has been in the victim’s company before being noticed is usually measured in months to years. I frequently work with companies that have multiple professional gangs in their company, and some have been inside for as long as eight years.
The very respected Verizon Data Breach Investigations Report frequently reports that most internal breaches are noticed by external parties. In most cases that’s because the external party was also compromised for years, and during its forensics investigation it noticed that its data or attackers were coming or going to another company as a staging point.
I’ve consulted at a few customers where the bad guy has been in the company for so long that the malware they were placing was part of the company’s gold image -- that is, every new computer included malicious software. I’ve seen Trojans and malware programs that were allowed to spread for years because the IT staff assumed it was a necessary software component placed by some other group within the same organization. Hackers love these sorts of assumptions.
It used to be that a phisher would get into your company, steal money or information, and be gone as soon as possible. Getting in and out as quickly as possible meant minimizing the chances of being caught, identified, and prosecuted.
Today’s attacker is likely based in a foreign country where your legal jurisdiction and warrants don’t work. You can even identify (with admissible evidence) the hacking firm, its hackers, and its physical address, hand all of it to their local authorities, and nothing is likely to happen.
In most of the attacks I’ve been called in to remediate in the past 10 years, the hackers don’t run once they are found. To be sure, they don’t want to be found, but once they are, they hack even more freely and blatantly, as if the restraints have been pulled off.
Remediation ends up being a cat-and-mouse game where the mouse has all the advantages. At first you don’t know what they’ve compromised and how many ways they can get back in. And it all likely started because someone opened up a spearphishing email.
Remediation begins with educating all employees about the new reality of spearphishing attacks. Everyone should know that the old-style phishing emails, full of typos and promises of unearned millions, are no longer your main worry. Explain how the new spearphishing emails are handcrafted by professional criminal gangs that know exactly how to tailor their work to seem like a legitimate email coming from someone your colleagues trust.
Employees should be told to always ask for independent confirmation (such as a phone call or IM) before clicking and running any executable or opening any unexpected document. A quick confirmation is simply due diligence today. Tell employees to report anything suspicious. If they accidentally executed anything that they later became suspicious about, they should report it as well. It is important to remove the stigma and embarrassment of being fooled. Let them know that anyone, even security experts, can be tricked today, given the sophistication of the attacks.
Many companies aggressively test their employees with fake phishing attempts. These attempts should use phishing email templates that are more sophisticated and less like the phishing attempts of the past. Keep testing individual employees until you get a very low percentage of easily compromised employees. If you do it right, you’ll have your employees questioning any unexpected emails asking for credentials or to execute programs. Having employees question your legitimate emails is a welcome symptom of a good education program.
Lastly, if a spearphishing attempt is successful in your company, use the actual phish email and the compromised employee’s testimony (if they are well liked and trusted) to help teach others about today’s spearphishing environment. Anything that brings the new lessons front and center is welcome.
The key to prevention is getting everyone to see that today’s spearphishing email is not what they were used to in the past.