Saturday, February 23, 2013

Spear Phishing



  • Spear Phishing

Phishing attempts directed at specific individuals or companies have been termed spearphishing.
Attackers may gather personal information about their target to increase their probability of success.
http://en.wikipedia.org/wiki/Phishing

  • Spear Phishing: Scam, Not Sport
The latest twist on phishing is spear phishing. No, it's not a sport, it's a scam and you're the target. Spear phishing is an email that appears to be from an individual or business that you know. But it isn't. It's from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC.
http://us.norton.com/spear-phishing-scam-not-sport/article


  • Spear phishing is a targeted form of phishing in which fraudulent emails target specific organizations in an effort to gain access to confidential information. Its tactics include impersonation, enticement, and techniques for bypassing access controls such as email filters and antivirus. The objectives of spear phishing and phishing are ultimately the same: to trick a target into opening an attachment or clicking on a malicious embedded link.

How does Spear Phishing work?

Spear phishing focuses on specific individuals or employees within an organization, using their social media accounts such as Twitter, Facebook, and LinkedIn to customize accurate and compelling emails. These emails contain infected attachments and links. Once the link is opened, it executes malware that leads the target to a specific website. The attackers can then establish their networks and move forward with the targeted attack.
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/spear-phishing-101-what-is-spear-phishing

  • Spam Filters

Spam filters are the first line of defense that protects organizations from phishing attacks. These filters can be configured to alert on anything from keywords to untrusted sending domains or IP addresses, depending on your spam-filtering solution.
Whenever feasible, you should whitelist trusted domains and sandbox all others for human review.

Firewall / Proxy

If an attacker can craft a message that bypasses the spam filters, they can be confident that the network is allowing inbound SMTP; now they just need to test the firewall and proxy.
A common method used for such testing is to host images on the malicious web server and embed those images in the HTML of the phishing message. This allows the attacker to see the GET request for the embedded image, which confirms that the firewall and proxy are allowing communication back to the malicious web server.


The Attack

Now the attacker is confident that his messages are bypassing spam filters and the payload is bypassing firewalls and proxies. The image below represents a typical message that has utilized these pre-attack methods.


At a minimum, security teams should not allow images within messages to be downloaded, which helps prevent the attacker from learning whether his malicious message was delivered.
Another option is to set proxy servers to deny requests to domains that have been registered within the last 30 days. Most phishing campaigns rely on categorized domains that have expired and subsequently been purchased and repurposed by the bad guys for their phishing campaigns.

http://resources.infosecinstitute.com/please-volunteer/#gref
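As an added example (not code from the original post or the cited article), here are the two defenses above as a proxy policy check run over constructed proxy log lines: deny domains registered within the last 30 days, and alert on image fetches that carry a per-recipient token, which is the delivery beacon the attacker relies on. The registration table, the fixed TODAY date and the log lines are assumed stand-ins for a real RDAP/WHOIS lookup and real proxy logs.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed stand-in for a WHOIS/RDAP lookup (registrable domain -> registration date);
# a real deployment would query RDAP or a threat-intel feed here (assumption).
REGISTRATION_DATES = {
    "example.com": date(1995, 8, 14),
    "corp-payroll-update.net": date(2013, 2, 10),  # constructed: 13 days before TODAY
}
TODAY = date(2013, 2, 23)  # fixed "now" so the example is reproducible
MAX_DOMAIN_AGE_DAYS = 30   # the 30-day threshold from the text
IMAGE_EXTENSIONS = (".gif", ".png", ".jpg", ".jpeg")

def registrable_domain(host):
    """Longest suffix of host present in the registration table, or None if unknown."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in REGISTRATION_DATES:
            return ".".join(labels[i:])
    return None

def evaluate_request(url, today=TODAY):
    """Return (verdict, reason) for one outbound request seen at the proxy."""
    parts = urlsplit(url)
    dom = registrable_domain(parts.hostname or "")
    age = None if dom is None else (today - REGISTRATION_DATES[dom]).days
    if age is not None and age < MAX_DOMAIN_AGE_DAYS:
        return "deny", f"domain registered {age} days ago (< {MAX_DOMAIN_AGE_DAYS})"
    if parts.path.lower().endswith(IMAGE_EXTENSIONS) and parts.query:
        # an image fetch carrying a per-recipient token matches the delivery-beacon pattern
        return "alert", "image request with tracking parameters (possible beacon)"
    return "allow", "no policy match"

def triage_proxy_log(lines, today=TODAY):
    """Evaluate every GET in log lines of the form 'timestamp client method url'."""
    results = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "GET":
            results.append((fields[3],) + evaluate_request(fields[3], today))
    return results

# Constructed sample proxy log lines, not real traffic.
SAMPLE_LOG = [
    "2013-02-23T09:14:02 10.0.0.15 GET http://www.example.com/logo.png",
    "2013-02-23T09:15:40 10.0.0.15 GET http://mail.corp-payroll-update.net/img/open.gif?id=u1842",
    "2013-02-23T09:16:01 10.0.0.22 GET http://cdn.unknown-host.org/track/pixel.gif?rid=7f3a",
]
for url, verdict, reason in triage_proxy_log(SAMPLE_LOG):
    print(f"{verdict:5s} {url}  ({reason})")
```

The unknown domain in the third line shows why the age check alone is not enough: a domain missing from the lookup still gets caught by the beacon heuristic.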