Phishing.  It’s been a hot topic and the focus of IT security services companies for a long time.  What is it?  Phishing is a way of acquiring information including, usernames, passwords, and credit card details, as well as other personal information through methods that are masquerades for trustworthy entities.  For example, emails meant to look like official emails from a bank or other official business are intended to make the recipient “log on” to the phisher’s website and provide user names and passwords.

A more advanced type of phishing is what is termed spear phishing.  This type of phishing has led to a lot of concern from the IT security services market.  With spear phishing, the phishing emails target specific organizations in an attempt to gain unauthorized access to confidential data.  With traditional phishing, the emails typically appear to come from large, well-known companies such as eBay or Paypal; conversely, spear phishing emails appear to come from an individual within the recipient’s company and often from persons holding authority.

IT security assessment services and IT security watchdogs have discovered yet another highly targeted email attack using phony conference invitations to garner information from recipients.  These spear phishing attempts are targeting government related organizations around the world, specifically those related to the defense industry.  The focus of the attacks is to try to use existing security flaws in various Adobe programs to place a Trojan on vulnerable computers, thus providing backdoor access for hackers to hijack the system.

The malware, once placed, becomes undetectable by disguising itself as a Windows Update utility.  Security researchers from IT security services companies, Seculert and Zscaler ThreatlabZ, uncovered this particular spear phishing method.  After joining forces to analyze the incidents involving the malware, they issued a joint warning.  Similar spear phishing attacks were tracked back to 2009.   The most recent targets of these attacks are companies (foreign and domestic) that own intellectual property related to geospace, aerospace, and defense industries.  Of particular concern is the level of sophistication of the malware.  Malware that infiltrates into virtual machine environments will simply exit the machine.  In suitable environments, the malware is implanted and the infected machine connects with the command-and-control (C&C) server then transmits system information such as the type of operating system and identifiers that allow the zombie to authenticate with the server.  After the initial connection is successfully completed, the infected system gains the potential to download and upload files, as well as executing commands.

With this latest method of spear phishing, recipients receive emails that contain PDF attachments from phony companies, inviting recipients to various conferences.   Once opened, the PDF files contain malware that implements zero-day vulnerabilities resident in Adobe Reader, allowing for installation of the RAT (Remote Access Trojan) malware.    Because the malware hides itself as a Windows Updater, the Trojan is named the MSUpdater Trojan.

At this time the people responsible for these attacks are unknown.  Given that the targets are all specific government related organizations, there is suspicion that the attackers are high-profile entities, and could possible even be a country.

IT security service integrators have long believed and warned that attachers responsible for spear phishing attacks start by researching their victims through professional networking sites.  This way, the attacks can be customized in ways that gain the interest of the target recipient.  For example, conference invitations include invitations to industry conferences relevant to the recipient and his or her job or interests.

IT security services consulting personnel advise that targeted victims should understand that the attacks are advanced threats and tend to be persistent.  Not only have the attacks continued undetected for quite a length of time, but they will continue on in the future.

Spear phishing takes many forms.  A recent example is the Sony PlayStation Network hack.  While it is unknown how much personal information was hijacked through this attack, it is believed it was much worse than the Epsilon and PSN breaches.    It is possible that the attackers may have gained credit card information.  Whether this is actually the case or not, it is of major concern because any information gained can subsequently be used to personalize future spear phishing attacks.  Spear phishing attempts are much more convincing when they contain personalized information and whether or not the original attacks garner the desired information, with personalization, the odds of gaining further information go up when more personal information is available to include in future spear phishing efforts.

What is known at the present time is that the attackers appear to be very patient and take the time to thoroughly research their targets.  Tending to target organizations whose intellectual property and assets have high value, the malware campaigns constantly evolve with frequent changes in binaries, which serves to allow the malware to continue to fly under the radar.

Law enforcement agencies such as the FBI take spear phishing seriously.  Organizations such as the US Secret Service and the investigative agencies related to the various Departments of Defense actively work to uncover and contain it.  In the meantime, people and organizations must be wary.  The keys for combatting spear phishing attempts are vigilance, IT security risk assessment services and, where necessary, outsourcing IT security services.  Education is vital and includes methods to determine whether URLs are legit, not clicking on email links, and keeping security tools active – and current!  It is money well spent to employ IT security services consulting companies to perform risk assessment and education, and to consider managed IT security services.

read more