May 20, 2013
The New York Times is reporting that Unit 61398, the Chinese cyber-espionage unit that has stolen vast amounts of data from western governments and industry, has returned to its old tricks. Following the release of the Mandiant report in February 2013, the unit disappeared from the internet. However, it has now returned to the web, operating at 60% to 70% of the level at which it was working before Mandiant exposed it. Quoting Crowdstrike, the NYT reports that it is “business as usual” for the Chinese hackers.
Reporting on the same story, Computerworld observes that what Unit 61398 is doing is not technically sophisticated. And this is the real lesson to be learned from Unit 61398. The Chinese are not using advanced cybertechnology to infiltrate our systems and steal our secrets — they are using simple, but effective tools. Quoting John Pescatore, director of emerging security trends at the SANS Institute:
It’s not that the Chinese have some unbeatable way of breaking into a network. What is innovative is their targeting.
What is that targeting? This diagram shows how it works:
Simple, but effective.
At Iconix, our goal is to make this threat vector less effective. Spearphishers deceive employees into making bad email decisions that compromise security. IT needs to help employees make better email processing decisions. That is where SP Guard comes into play. Using SP Guard, IT can determine a list of trusted senders and provide this information to staff in a simple and highly effective manner.
You can contact us at 408-727-6342, ext. 3 or use our online form.
November 16, 2012
Websense has released a comprehensive prediction of the security threats for the coming year. We recommend that anyone interested in the evolving threats and tactics being used to attack systems read this comprehensive report.
Because Iconix is an email security company, we focused on the email predictions. Websense predicts that email will continue to be a favorite means of attack. For consumers, this means more deceptive emails that leverage important recurring events (tax time, elections, etc.), current events and clever trickery to lure people into giving up money or credentials. On the enterprise side, spearphishing will be used to deliver more technically advanced malware that evades detection. Websense provides this foreboding warning:
There are a number of other reasons behind the CSOs’ concern about spear-phishing. For example, most security solutions are designed around a “sacrificial lamb” model where some user, somewhere, must become the first victim. Even behavioral and next-gen technology lacks enough information in the early stages to tell if the “result” will be bad, so they have to wait for something “bad” to happen. Only then do they evaluate the events that led up to the first breach. For normal mass-market threats, the chance that someone in your own organization will be the first victim is small. For a spear-phishing attack, it is 100 percent.
At Iconix, we don’t subscribe to the sacrificial lamb model. We believe that prevention is an important layer in the multi-layer defensive strategy. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks. You can contact us at 408-727-6342, ext. 3 or use our online form.
March 5, 2012
Today Iconix released its whitepaper, “DMARC – Less Than Meets The Eye.” In this whitepaper, Iconix discusses the limitations of DMARC in solving the problem of deceptive emails.
In the whitepaper, Iconix focuses on Section 2.2 of the DMARC spec. Iconix discusses how, while the DMARC standard is important, it addresses only one technical avenue exploited by the creators of deceptive email.
You can download a copy of the whitepaper here.
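As an added illustration (not Iconix's code, not SP Guard, and not taken from the whitepaper) of why a trusted-sender list has to cover more than DMARC does: DMARC authenticates the domain in the From header, so a look-alike domain, the same name under a different suffix, or a deceptive display name can all pass it while still fooling a reader. The trusted-sender list, domains and names below are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed trusted-sender list in the spirit of the allow-list the page
# describes; these domains and names are placeholders, not deployment data.
TRUSTED_SENDERS = {
    "irs.gov": "internal revenue service",
    "payroll.example.com": "example corp payroll",
}

# Substitutions that make look-alike ("cousin") domains collapse onto the
# domain they imitate. DMARC can authenticate a domain; it cannot tell you
# that the authenticated domain is itself a fake.
_LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"))


def skeleton(domain: str) -> str:
    """Normalise a domain so common look-alike tricks map to one string."""
    d = domain.lower()
    for fake, real in _LOOKALIKES:
        d = d.replace(fake, real)
    return re.sub(r"[^a-z.]", "", d)  # drop inserted hyphens, digits, etc.


def classify_sender(from_header: str) -> dict:
    """Trust verdict for an RFC 5322 From header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    verdict = {"domain": domain, "trusted": domain in TRUSTED_SENDERS,
               "warnings": []}
    for trusted, org in TRUSTED_SENDERS.items():
        if domain == trusted:
            continue  # exact domain: this is the case DMARC does address
        # Each of the following could pass DMARC, because the sender controls
        # the domain that DMARC actually checks.
        if skeleton(domain) == skeleton(trusted):
            verdict["warnings"].append(f"look-alike of {trusted}")
        elif trusted in domain:
            verdict["warnings"].append(f"{trusted} embedded in another domain")
        elif domain.split(".")[0] == trusted.split(".")[0]:
            verdict["warnings"].append(
                f"shares its name with {trusted} under a different suffix")
        if org in name.lower():
            verdict["warnings"].append(f"display name impersonates {org}")
    return verdict
```

A message from an exact trusted domain is the only case where DMARC and the list agree; every warning above is a deception DMARC alone would not surface.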
January 12, 2012
Today the IRS issued Tax Tip 2012-08 warning about phishing attacks. We reproduce it here as a public service.
Don’t be Scammed by Cyber Criminals
IRS TAX TIP 2012-08, January 12, 2012
The Internal Revenue Service receives thousands of reports each year from taxpayers who receive suspicious emails, phone calls, faxes or notices claiming to be from the IRS. Many of these scams fraudulently use the IRS name or logo as a lure to make the communication appear more authentic and enticing. The goal of these scams – known as phishing – is to trick you into revealing your personal and financial information. The scammers can then use your information – like your Social Security number, bank account or credit card numbers – to commit identity theft or steal your money.
Here are five things the IRS wants you to know about phishing scams.
- The IRS never asks for detailed personal and financial information like PIN numbers, passwords or similar secret access information for credit card, bank or other financial accounts.
- The IRS does not initiate contact with taxpayers by email to request personal or financial information. If you receive an e-mail from someone claiming to be the IRS or directing you to an IRS site:
  • Do not reply to the message.
  • Do not open any attachments. Attachments may contain malicious code that will infect your computer.
  • Do not click on any links. If you clicked on links in a suspicious e-mail or phishing website and entered confidential information, visit the IRS website and enter the search term ‘identity theft’ for more information and resources to help.
- The address of the official IRS website is www.irs.gov. Do not be confused or misled by sites claiming to be the IRS but ending in .com, .net, .org or other designations instead of .gov. If you discover a website that claims to be the IRS but you suspect it is bogus, do not provide any personal information on the suspicious site and report it to the IRS.
- If you receive a phone call, fax or letter in the mail from an individual claiming to be from the IRS but you suspect they are not an IRS employee, contact the IRS at 1-800-829-1040 to determine if the IRS has a legitimate need to contact you. Report any bogus correspondence. You can forward a suspicious email to firstname.lastname@example.org.
- You can help shut down these schemes and prevent others from being victimized. Details on how to report specific types of scams and what to do if you’ve been victimized are available at www.irs.gov. Click on “phishing” on the home page.
December 23, 2011
IID has released its predictions of the big cyberattacks for 2012. Of the 5 predicted cyberthreats, 4 depend upon phishing scams for their evil success.
Here are the IID predictions:
1) Phishing – London Summer Olympics cyber attacks — Cybercriminals will try to capitalize on the Olympics by tricking people into installing malware with phishing scams impersonating the Summer Olympics official website and/or official Summer Olympics vendors. Once malware is on a victim’s computer, the miscreants can monitor or control both personal and business computer activity — enabling them to steal data, send spam, and commit fraud.
2) Phishing – Elections altered — The 2012 U.S. presidential election year will create opportunities for deceiving voters and other skullduggery. Cybercriminals are expected to impersonate voting websites and political emails with phishing and malware attacks. Many U.S. states allow military and overseas voting via the Internet — creating the opportunity to alter votes. There are also concerns about the security of voting machines.
3) Phishing – 12/21/2012 danger — The Mayan “end of times” of December 21, 2012 will allow bad guys to play into this fear through targeted phishing and malware attacks playing on people’s heightened awareness surrounding 12/21/2012.
4) Internet infrastructure attacks for financial gain — While hacktivism will persist, expect DNS (Domain Name System) and BGP (Border Gateway Protocol) attacks for financial gain to grab headlines in 2012. The December 2010 DNS hijacking of large European payment processor ChronoPay is an example of this threat. More details surrounding this attack can be found at www.internetidentity.com/images/stories/docs/ecrime_trends_report-q4-2010_by_iid.pdf.
5) Spearphishing – Infrastructure attacks — IID predicts attacks on physical infrastructure. The Stuxnet hack caused substantial damage to the Iranian nuclear program. The recently discovered DUQU hack is distributed by spearphishing.
This is an interesting forecast. While it is hard to predict the precise events and vulnerabilities that the bad guys will use, there is little doubt that clever criminals will use current events and zero-day exploits to cause havoc.