Recent news reports have discussed the FireEye Advanced Threat Report for the Second Half of 2012, specifically the finding that “On average, a malware event occurs at a single organization once every three minutes”. That’s a shocking statistic to be sure, but to those of us in computer security, a big part of the issue is, “what are these attacks?” It turns out that a lot of them are spear phishing.
So, what’s spear phishing? To answer that, we first need to define phishing: an attempt to acquire information (e.g. usernames and passwords) by masquerading as a trusted or authorized entity. Spear phishing (sometimes spearphishing) is when that attempt is targeted at a particular company or individual.
One way attackers carry out spear phishing is to send the targets email with malicious links or attachments. According to the FireEye report, the attachments tended to use business terms in their filenames. The top phrase in the malware attachment filenames was “UPS”. It is interesting to note, however, that the top 20 file names covered just under 30% of the actual file names used! That means there is a lot of variety in what attackers use. However, “UPS” showed up in 17% of all those names. “details” showed up in almost 14%. You should read the report to find out the rest.
Another interesting, but hardly surprising, finding in the report was that zip files carried most of the malicious payloads.
Phishing is serious business. And while financial theft is one goal, other phishing attacks have targeted intellectual property and defense-related technologies.
What can we do to prevent being phishing victims? Well, first, don’t open any email attachments from people you don’t know! Second, have a good anti-virus/anti-malware tool or tools, and third, learn to think like a security pro.
The first is an awareness issue. Many corporate employees just aren’t aware of the issues. When I teach a security class I often ask, “How many of you know what phishing is?” While many do not, keep in mind that these are security people, not average employees. Security awareness efforts need to make the issues of phishing and spear phishing known to all employees. How can they be expected to act properly if they don’t know there is an issue?
Most organizations have good anti-virus/anti-malware tools. These tools work at both the mail server and at the desktop to ensure that mail messages and their attachments do not contain malware. The tools (should) also check websites to ensure that they don’t cause users to unintentionally download any malware. This is often accomplished by extracting compressed (e.g. zip) files in a sandbox – an area of the computer where software monitors all attempts to access other resources, thus ensuring the extracted files don’t modify system files or resources.
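As an added illustration (not code from this article or from the FireEye report), here is a minimal sketch of the filename triage a mail gateway can do before any sandboxing: it lists the names inside zip attachments without extracting them and flags the lure terms quoted above. The function names, the executable-extension list and the sample message are assumptions constructed for this example.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

LURE_TERMS = {"ups", "details"}  # the two terms this article quotes from the report
# Assumption: extensions treated as directly runnable on a Windows desktop.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".bat")

def name_findings(name):
    """Reasons a filename deserves a closer look; empty list if none."""
    lower = name.lower()
    findings = []
    # Match whole tokens so "groups" or "backups" do not count as "ups".
    hits = LURE_TERMS & set(re.split(r"[^a-z0-9]+", lower))
    if hits:
        findings.append("lure-term:" + ",".join(sorted(hits)))
    if lower.endswith(EXECUTABLE_EXTS):
        findings.append("executable")
        if "." in lower.rsplit(".", 1)[0].rsplit("/", 1)[-1]:
            findings.append("double-extension")  # e.g. report.pdf.exe
    return findings

def scan_message(raw):
    """Return (attachment, member, findings) for each suspicious name in a raw email."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        members = [(fname, False)]
        if zipfile.is_zipfile(io.BytesIO(data)):
            # Reads only the zip central directory; nothing is extracted or run.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members += [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]
        for member, encrypted in members:
            findings = name_findings(member)
            if encrypted:
                findings.append("encrypted-member")  # content scanners cannot inspect it
            if findings:
                report.append((fname, member, findings))
    return report

def build_sample():
    """Constructed test message: a zip holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_Delivery_details.pdf.exe", b"constructed placeholder, not a program")
    msg = EmailMessage()
    msg["Subject"] = "Your parcel"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_details.zip")
    return msg.as_bytes()
```

Because the report found that the top 20 names covered just under 30% of those used, a term list like this only prioritizes messages for sandbox analysis; it does not replace it.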
Thinking like a security pro is a little more difficult. Keeping that “what evil can this do?” attitude around in one’s head takes a lot of practice. Fortunately Learning Tree has multiple security courses to help with this. Our curriculum begins with an Introduction course and builds from there. I hope to see you or one of your co-workers in that introductory course soon.