Spear Phishing Attacks: a Real-World Example
Spear phishing attacks aimed at popular email service providers and large companies have been frequent recently. Google blogged [1] about its recent Gmail incident, in which a spear phishing campaign selectively targeted senior U.S. government officials, Chinese political activists, officials in several Asian countries, military personnel and journalists. Similar spear phishing attempts against Yahoo! Mail and Windows Live Hotmail users were reported [2], intended to serve up malicious code or steal email account passwords. The breach of RSA [3] was also traced to a successful spear phishing campaign.
Spear phishing is the practice of using fraudulent emails to lure unsuspecting users to fake websites or into opening malicious attachments, in an attempt to gain unauthorized access to their personal information, communications and other online activities, and/or their computers. Unlike traditional spam, spear phishing is by no means random: it is a highly targeted operation. In a spear phishing email the sender impersonates a friend or colleague of the intended victim in order to trick them into opening malware-laden files or visiting malicious websites.
Spear phishing has a high success rate largely because of the vast amount of personal data readily available online and on social networking sites. Traditional phishing achieves a modest success rate of about five percent, whereas spear phishing achieves roughly nineteen percent [4]. These threats are difficult to defend against because the weakness exploited first is human judgement rather than a technical flaw, even though the follow-on compromise of the victim's machine usually does rely on unpatched software.
To provide detailed insight into how a spear phishing attack is carried out, zvelo staged itself as a hypothetical target. An attacker must first harvest as much information about zvelo as is available online. After a little snooping and some basic know-how, numerous email addresses of key personnel within zvelo were obtained:
Illustration 01: Valid e-mail addresses harvested
As depicted in illustration 1, email addresses were pulled for zvelo's Web Media Manager (acarrillojr) and CEO (jfinn). These are ideal starting points, and they also reveal the company's username convention (first initial followed by surname), which lets an attacker guess the address of any other employee whose name is known. Next the attacker must decide whom to target (I will use myself as the victim). A simple Google search for Miguel Gomez reveals a non-zvelo email address on an academic website. With a personal Gmail address in hand, the phisher then drafts a plausible but fictitious email to trick the victim.
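The username convention visible in the harvested addresses is what turns two known employees into a candidate address for anyone else on staff. The following Python script is added here as an illustration and is not part of zvelo's original post: it infers which naming template reproduces a set of known name/address pairs and applies that template to a new target name. The full names in the sample data and the example.com domain are assumptions; the page itself shows only the usernames acarrillojr and jfinn and the first name Armando.

```python
import re

# Username templates an organisation might use; each builds a local-part
# from (first, last, suffix), where suffix is a generational tag such as "jr".
TEMPLATES = {
    "first.last": lambda f, l, s: f"{f}.{l}{s}",
    "first_last": lambda f, l, s: f"{f}_{l}{s}",
    "firstlast":  lambda f, l, s: f"{f}{l}{s}",
    "flast":      lambda f, l, s: f"{f[0]}{l}{s}",
    "firstl":     lambda f, l, s: f"{f}{l[0]}{s}",
    "last.first": lambda f, l, s: f"{l}.{f}{s}",
    "first":      lambda f, l, s: f"{f}{s}",
}

GENERATIONAL = {"jr", "sr", "ii", "iii", "iv"}


def split_name(full_name):
    """Normalise a display name into (first, last, suffix), all lower-case ASCII."""
    parts = re.sub(r"[^a-z ]", "", full_name.lower()).split()
    if not parts:
        raise ValueError("empty name")
    suffix = parts.pop() if len(parts) > 1 and parts[-1] in GENERATIONAL else ""
    return parts[0], parts[-1], suffix


def infer_templates(known_pairs):
    """Names of the templates that reproduce every known (full name, address) pair."""
    candidates = set(TEMPLATES)
    for full_name, address in known_pairs:
        local_part = address.split("@", 1)[0].lower()
        first, last, suffix = split_name(full_name)
        candidates &= {name for name, build in TEMPLATES.items()
                       if build(first, last, suffix) == local_part}
    return sorted(candidates)


def guess_addresses(target_name, domain, template_names):
    """Candidate addresses for a target under the given templates (unverified guesses)."""
    first, last, suffix = split_name(target_name)
    return [f"{TEMPLATES[name](first, last, suffix)}@{domain}" for name in template_names]


# Constructed sample input: the two usernames shown in illustration 1, with
# ASSUMED full names (only "Armando" appears on the page) and the real domain
# replaced by example.com.
KNOWN = [
    ("Armando Carrillo Jr.", "acarrillojr@example.com"),
    ("J. Finn", "jfinn@example.com"),
]

if __name__ == "__main__":
    fits = infer_templates(KNOWN)
    print(fits)                                                  # ['flast']
    print(guess_addresses("Miguel Gomez", "example.com", fits))  # ['mgomez@example.com']
```

The output is a guess to be verified, not a confirmed address. Note that a single known pair can be consistent with several templates (a one-letter first name makes "firstlast" and "flast" indistinguishable), which is why the script intersects the candidate set over every pair it is given.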
Several tools exist that allow an attacker to compose and send forged emails within minutes. Illustration 2 shows the victim's address, and illustration 3 is an example of a fake spear phishing email.
Illustration 02: Victim's e-mail address
Illustration 03: Fake e-mail message
By itself, the email is harmless. The real damage occurs when an attached file is opened or a link is followed. As shown in illustration 3, the message is not run-of-the-mill spam: the sender appears to be Armando, a legitimate zvelo employee, and the subject and body match the tasks the victim normally performs. In this case, the email refers to a “report” supposedly sent by the company CEO as possible subject matter for a new zveloBLOG™ post.
From this point the sender can lure the recipient to a website where credentials are harvested, or to one where a known vulnerability is exploited to gain access to the victim's system. Considering how common it is for corporate users to check personal messages at work, a personal address is a popular way in. In this case the system itself was compromised: as shown in illustration 4, the perpetrator used a key logger to capture my password. Once a password is obtained, other possibilities arise, including but not limited to installing backdoors, capturing the desktop and activating web cameras and built-in microphones.
Illustration 04: Compromised system
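On the receiving side, most of what makes the message in illustration 3 convincing (a familiar display name, a plausible subject) is invisible to a filter, but the headers still carry signals. The following Python example is added here and is not part of the original post: it parses a message and flags the common spoofing tells, namely a familiar display name on an address outside the organisation, a Return-Path or Reply-To domain that differs from the From domain, a From domain that is a lookalike of the organisation's own, and attachment types that commonly carry the payload. The two sample messages are constructed for the example, ORG_DOMAIN is an assumed stand-in for the organisation's real domain, and the lookalike test is deliberately crude (homoglyph folding plus a single-character edit; it will not catch transpositions).

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed: the organisation's own mail domain. example.com stands in for it here.
ORG_DOMAIN = "example.com"

# File types that commonly carry the "attached report" payload described above.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".zip", ".docm", ".xlsm")


def domain_of(address):
    """Lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # character deleted from a
        elif len(b) > len(a):
            j += 1          # character inserted into a
        else:
            i += 1          # substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def is_lookalike(domain, reference):
    """Crude lookalike test: common homoglyph swaps or a single-character edit."""
    if not domain or domain == reference:
        return False
    fold = lambda d: d.replace("1", "l").replace("0", "o").replace("rn", "m")
    return fold(domain) == fold(reference) or within_one_edit(domain, reference)


def analyze_headers(raw_message):
    """Return the list of spoofing indicators found in an RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # A friendly display name on an address outside the organisation is the
    # "it looks like it came from Armando" trick.
    if display_name and from_domain != ORG_DOMAIN:
        findings.append("external_sender_with_display_name")

    # Envelope sender (Return-Path) from a different domain than the From header.
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if return_path and domain_of(return_path) != from_domain:
        findings.append("return_path_mismatch")

    # Reply-To redirects the victim's answer away from the claimed sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply_to_mismatch")

    if is_lookalike(from_domain, ORG_DOMAIN):
        findings.append("lookalike_domain")

    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append("risky_attachment:" + filename)

    return findings


# Constructed sample message modelled on the scenario in the text; it is not
# the actual message from illustration 3.
SPOOFED = """\
From: "Armando" <armando@examp1e.com>
To: victim@example.net
Reply-To: armando@drop-box.example.org
Return-Path: <bounce@drop-box.example.org>
Subject: Report from the CEO for the next blog post
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Miguel, the CEO sent over this report as possible blog material.
--sep
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.docm"

QUJD
--sep--
"""

# Constructed legitimate internal message for comparison.
LEGITIMATE = """\
From: "Armando" <armando@example.com>
To: miguel@example.com
Subject: Blog draft

Draft attached next week.
"""

if __name__ == "__main__":
    print(analyze_headers(SPOOFED))     # all five indicators fire
    print(analyze_headers(LEGITIMATE))  # []
```

None of these checks proves a message is malicious on its own (legitimate bulk mailers routinely have a Return-Path on a different domain), which is why the function returns the full list of indicators for a reviewer or a scoring rule rather than a verdict.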
The best defense against spear phishing for most organizations is awareness and education. Training users to be cautious and skeptical about unsolicited emails, even ones that appear to come from colleagues, should counter the majority of these threats. Information systems should also be kept up to date so that a user who does open a link or attachment is not compromised through a known, already-patched vulnerability.
[1] Eric Grosse, Engineering Director, Google Security Team. (June 1, 2011). Ensuring your information is safe online. The Official Google Blog. Retrieved June 9, 2011 from http://googleblog.blogspot.com/2011/06/ensuring-your-information-is-safe.html.
[2] Robert McMillan. (June 3, 2011). Hotmail and Yahoo users also victims of targeted attacks. ComputerWorld.com. Retrieved June 9, 2011 from http://www.computerworld.com/s/article/9217278/Hotmail_and_Yahoo_users_also_victims_of_targeted_attacks.
[3] Robert Westervelt, News Director. (April 4, 2011). RSA SecurID breach began with spear phishing attack. SearchSecurity.com. Retrieved June 8, 2011 from http://searchsecurity.techtarget.com/news/1529523/RSA-SecurID-breach-began-with-spear-phishing-attack.
[4] No author listed. (n.d.). Ready for some spear phishing. SearchSecurityChannel.com. Retrieved June 8, 2011 from http://searchsecuritychannel.techtarget.com/feature/Ready-for-some-spear-phishing.