Latest news
Longline phishing attacks rely on mass customization
Posted on 05 March 2013.
Proofpoint released a wide-ranging study that identified a new class of sophisticated and effective, large-scale phishing attack dubbed "longlining". Longlining, which is named after the industrial fishing practice of deploying miles-long fishing lines with thousands of individual hooks, combines successful spear phishing tactics with mass customization. Using these techniques, attackers are now able to rapidly deploy thousands of unique, malware laden messages that are largely undetectable to traditional signature and reputation-based security systems. Worse, despite their scale, these mass customized phish were effective enough to trick more than 10 percent of recipients into clicking on malicious content capable of taking complete control of PCs and compromising corporate networks.
Phishing meets mass customization
Unlike conventional mass phishing exploits, the "hooks" (email messages) used in longlining are highly variable rather than identical, making them largely undetectable to traditional signature and reputation-based security gateways.
The messages are typically varied by IP address of origination, subject line and body content. The body content also includes multiple mutations of an embedded destination URL, which typically leads to a site with a positive reputation that’s been successfully compromised prior to the attack. The compromised Web destinations are loaded with hidden malware either before, during or sometimes after the attack wave has begun.
Through the use of a distributed cloud of previously compromised machines and process automation to create high variance, attackers have been able to combine the stealth techniques and malicious payloads of spear phishing with massively parallel delivery. This means they can cost-effectively send 10,000 or even 100,000 individual spear phishing messages, all capable of bypassing traditional security. Attackers' ability to distribute thousands of email-borne malicious URL "hooks" in a matter of hours greatly improves their odds of success and their ability to exploit zero-day defects before corporate IT has time to patch vulnerable systems.
Typical attacks
As part of the six month study, which involved over one billion email messages, Proofpoint observed, documented and countered dozens of longlining attacks globally.
For example, on October 3, 2012, the company observed a Russia-based attack with 135,000 emails sent to more than 80 companies in a three-hour period. To avoid detection, the attacker employed approximately 28,000 different IP addresses as sending agents, 35,000 different "sender" aliases, and more than twenty legitimate websites compromised to host drive-by downloads of zero-day malware.
Because of the different agents, sender aliases, URLs and text, no single targeted organization saw more than three emails with the same characteristic. Overall, this attack represented less than 0.06 percent of the targeted companies’ mail flow (compared to 19 percent for spam and 11 percent for virus-laden email). The combination of mass customization and proportionally low volume made this longlining attack effectively invisible to traditional anti-spam products, enabling widespread access to corporate networks.
Similar attacks were documented throughout the fourth quarter of 2012 and early 2013. In another representative attack, approximately 28, 800 messages were sent in multiple one-hour bursts to over 200 enterprises. The campaign consisted of 813 unique compromised URLs sent from 2,181 different sending IPs. Again, each organization saw no more than three messages with identical content.
Alarmingly effective
Despite their relatively large scale, longline attacks were alarmingly effective:
- Ten percent of the email messages containing embedded malicious URLs that escaped perimeter detection were clicked on by the receiving employees
- All the longline attacks employed "drive-by downloading" from compromised web-sites.
- Almost one out of every five clicks (19%) on malicious URLs embedded in email occurred "off network" when employees accessed their email from home, on the road, or via mobile devices where they were outside corporate perimeter protection.
Spotlight
IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
Is Microsoft is reading your Skype communications?
Posted on 15 May 2013. | The question of whether Skype allows U.S. intelligence and law enforcement agencies to access the communications exchanged by its users has still not been adequately answered by Microsoft.
Internet Explorer best at blocking malware
Posted on 14 May 2013. | While Chrome’s malware download protection improved significantly, Internet Explorer 10 continues to outperform the other browsers with a block rate of 99.96%.
Researcher refuses to help Saudi telco to spy on people
Posted on 14 May 2013. | You would think that a Saudi Arabian telecom firm interested in monitoring its users' mobile communications would not be asking a well-known pro-privacy researcher for help, but you would be wrong.
Malicious browser extensions are hijacking Facebook accounts
Posted on 13 May 2013. | Facebook users - especially those in Brazil - are being targeted with malicious browser extensions trying to hijack Facebook profiles, warns Microsoft.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
