Spearphishing Targeted Canada’s Finance Department, Treasury Board

October 31, 2011

The Ottawa Citizen reports that cybercriminals used spearphishing emails to gain access to the Canadian Government’s Finance Department and Treasury Board networks.

The intruders sent emails to high-ranking department officials containing a link to a webpage infected with a sophisticated virus. They also sent infected PDF files that, when opened, unleashed more malicious code to target and download government secrets.

Quoting unnamed government sources, the article says that the cybercriminals were after information about Canada’s potash industry.  A January 31, 2011 government memo said,  “data has been exfiltrated and that privileged accounts have been compromised.”

Read more: http://www.ottawacitizen.com/business/Potash+lured+hackers+classified+data/5625792/story.html#ixzz1cOXMcrjA

Cybercriminals Hit Japanese Parliament

October 26, 2011

The networks of Japan’s parliament were compromised for more than a month and hackers may have stolen sensitive emails and documents from 480 lawmakers and their staff, according to a Japanese national daily newspaper.

The Asahi Shimbun today reported that the lower house of the Japanese legislature has been compromised by a spearphishing attack.  The breach began in July, when a representative opened a malicious email, and continued until late August.  The article reports that the attackers had access to documents and email of the Diet’s 480 lower house members and other personnel.  The attack appeared to target confidential information on foreign and defense policy.  Although investigators have found no evidence that data was stolen or altered, the newspaper’s sources also said, “the hackers were able to view the data using the stolen ID codes and passwords without leaving any trace of illegal access.”

SEC Issues Guidance on Cyber Risk Disclosure

October 19, 2011

On October 13, 2011, the United States Securities and Exchange Commission (SEC) issued formal guidance on how U.S. publicly traded companies should disclose cybersecurity risks and data exposure.  In the guidance, the SEC states:

Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.

Of course, Iconix is not in the business of giving legal advice and we suggest that anyone interested in this topic should read the SEC formal guidance and consult with their attorneys.  We are in the business of providing technology that improves the integrity of email. For email correspondence with customers, we offer our Truemark service.  For internal email correspondence, we offer our SP Guard solution.

For further information on our email solutions, contact us at 408-727-6342, ext 3 or use our online form.

Malware — Life Imitates Art

October 18, 2011

The news is full of stories of crucial systems being infiltrated by malware.  The Stuxnet code caused Iranian nuclear centrifuges to self-destruct.  The U.S. Predator and Reaper drones have been infected with malware.  Malware attacks are not limited to the Earth — the International Space Station has been infected more than once.  The White House considered cyber attacks on Libya.

Some of these incidents, such as Iranian centrifuges self-destructing, seem like something from a spy novel or James Bond movie.  It made us wonder about life imitating art.  We found the case of a laser satellite being sabotaged by infiltration of malicious code.

[Image: malware introduction system]

This is from the control room scene in Diamonds Are Forever, in which James Bond (played by Sean Connery) and his accomplice, Tiffany Case (played by Jill St. John, pictured above), attempt to substitute a tape recording of music for the tape carrying the code.

Do you know of other malware incidents in books or movies?  Tell us about them using this form.  We will post the best of them on this blog.

IBM X-Force® 2011 – Mid-year Trend and Risk Report

October 13, 2011

IBM has just released its IBM X-Force® 2011 – Mid-year Trend and Risk Report.  The IBM Press Release provides a good summary of the 92 page report.

For those of us who are interested in phishing and spearphishing, IBM’s report provides some interesting insights.

The report draws a clear distinction between phishing and spearphishing.  The report reminds us that while the terms are similar, the schemes are vastly different.  In phishing, the bad guy is playing a game of numbers:

Phishing derives its name from the analogy of fishing in a large lake. You cast your line into that lake and you do not care if there are 10,000 fish in there that do not find your bait tasty. You also do not care if you catch the biggest fish in the lake. All you care about is the half a dozen or so reasonably sized fish who will take the hook and make your dinner. Your dinner is in numbers, not size.    …

Phishing relies on mass mailings with relatively little personalization beyond, possibly, a customized address in the “to” field and maybe a name in the subject and message body. They are often sent in bulk from botnets and mass mailers. Phishing may look rather unprofessional with a number of spelling or grammatical errors. It may appear to come from an institution with which the recipient may or may not have a business relationship. Many of these types of things may serve as red letter warnings that this email is not legitimate. Often, phishing attacks lead the users to malware, like fake Anti-Virus and Trojans, or malicious URLs run by attackers trying to hijack connections. Because they are mass mailings, the various security organizations and services rapidly pick up on the malicious sites, URLs, and software and it is quickly detected. The people behind phishing really do not spend a lot of time preparing these messages and their sites may only be up for a few hours before they are taken down by security organizations. Senders of phishing emails really do not care if 99.99 percent of the people receiving the email trash them.

In spearphishing, the bad guy is playing a patient game of precision targeting:

Spear phishing is highly directed and targeted at relatively few and very specific individuals within an organization. Spear phishing is deeply customized and personalized to make it appear as though it has come from a legitimate friend or business colleague. The attackers know the targets well and may spend considerable time and effort in studying these targets and crafting the attacks. It probably will not appear to be a generic message from a large institution. Rather, it may seemingly come from an individual friend or colleague with whom there has been frequent past messages. It may even relate to recent events or activities both individuals would know about. The message itself may not even be “spoofed” but may actually come from the other individual’s compromised account. The malware or malicious site the email leads to will not have been mass mailed so the security and anti-virus organizations may be unaware of the sites and software. In short, these people have picked their targets and tools carefully. The attackers have decided they want you and have put a great deal of effort into getting you. Consequently, it must be worth the while of the attackers. The yield percentage must be much higher, 0.01 percent success is just not going to cut it. The attackers require a significant percentage of the targets to fall for the trap. The value of the target also must be much higher, to provide a better “return on investment”.

To extend the fishing analogy, this is the fisherman standing, spear in hand, in the water, on a dock, or in a boat, watching a really big fish he wants. He waits patiently while watching the fish’s movements and learning those movements. When the time is right, the spear phisher acts quickly and decisively either getting the fish or not. If not, he picks another fish or another spear. A lot of time and effort goes into this type of fishing. His dinner is more about the size of the fish rather than the number of fish.

Later in the report, IBM discusses one of our favorite subjects — the fallacy that in phishing and spearphishing the real problem is stupid users.

When the subject of phishing and spear phishing comes up, invariably someone will ask “how could anyone be so stupid?” That question may be understandable for common phishing. It is not quite so applicable to spear phishing and APTs, however. Spear phishing and APTs are highly sophisticated. They are not so easy to identify.

We have many common derogatory terms used in cases where someone makes a mistake and falls for a trap such as “operator headspace,” “the nut that holds the keyboard,” “PEBKAC” (Problem Exists Between Keyboard And Chair), or “PICNIC” (Problem In Chair, Not In Computer). These terms are summed up in a comment we see in a lot of presentation slides when it comes to human error—“There is no patch for stupid.” But, these terms may disregard the sophistication of a number of these attacks and do an injustice to some of the individuals ensnared. They may even be making the problem worse.

By categorizing these problems as such we may be giving people a false sense of confidence that they would never fall for something like that. They won’t be stupid. But the attackers are not stupid either and they are picking their targets carefully and crafting their attacks. The person who falls for these may not have been stupid but merely unprepared and they may have been unprepared because of excessive references to these being stupid.

By categorizing these problems as such, we may put victims on the defensive. They have heard the snide remarks and here they are or they suspect (but are not sure) that something bad might have happened to them. Do they dare tell anyone and risk ridicule for falling for a trap? They should be encouraged to report anything out of the ordinary. We should be cautious about terminology and emphasize that some of these attackers are good and getting better.

The social engineering discussion ends with the admonition that defense includes training, monitoring and remediation. While we certainly agree with that, the evidence is clear that training is inadequate to deal with sophisticated social engineering schemes.

Social engineering deceives the users into becoming the agents of the criminals.  What can be done to defend the enterprise against spear-phishing?  The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

[Image: SP Guard inbox]

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard now offers a fraud filtering enhancement.  This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails which are so well crafted that users cannot tell real from fake.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.

Trend Micro Exposes LURID Spearphishing Attacks

October 7, 2011

Trend Micro, a leading security company and distributor of the Iconix products, has uncovered a massive and ongoing series of cyber attacks dubbed Lurid.  Trend Micro provided this overview of Lurid:

Trend Micro has discovered an ongoing series of targeted attacks known as “LURID,” which has successfully compromised 1,465 computers in 61 different countries. We have been able to identify 47 victims, including diplomatic missions, government ministries, space-related government agencies, as well as other companies and research institutions.

The countries most impacted by this attack include Russia, Kazakhstan, and Vietnam, along with numerous other countries, mainly Commonwealth of Independent States members (in the former Soviet Union).

This particular campaign comprised over 300 malicious targeted attacks that were monitored by the attackers using a unique identifier embedded in the associated malware. Our analysis of the campaigns reveals that attackers targeted communities in specific geographic locations as well as specific victims. In total, the attackers used a command-and-control (C&C) network of 15 domain names and 10 active IP addresses to maintain persistent control over the 1,465 victims.
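The overview above describes the attackers keeping persistent control of 1,465 victims through a small command-and-control network of 15 domains and 10 IP addresses. The script below is an added example of how a defender can look for that kind of persistent control in proxy logs; it is not code from Trend Micro, Iconix, or the original post. It runs two checks: a match against a list of known C&C destinations, and a beaconing test that flags an internal host contacting the same destination at regular intervals, which catches infrastructure that is not yet on any list. The indicator values and the log lines are constructed placeholders; the post does not list LURID’s real domains or addresses, so none of these values are real indicators.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Placeholder indicator list. The post gives counts (15 domains, 10 IPs) but not the
# values, so these are constructed names, not LURID's real infrastructure.
KNOWN_C2 = {"c2-placeholder-1.example", "c2-placeholder-2.example", "198.51.100.23"}

# Constructed proxy log: "timestamp src_ip dest_host status bytes".
SAMPLE_LOG = """\
2011-09-20T08:00:00 10.0.0.5 c2-placeholder-1.example 200 312
2011-09-20T08:01:10 10.0.0.7 www.example.com 200 18211
2011-09-20T08:01:12 10.0.0.7 www.example.com 200 4410
2011-09-20T08:00:00 10.0.0.9 updates.unknown-host.example 200 288
2011-09-20T08:05:02 10.0.0.9 updates.unknown-host.example 200 288
2011-09-20T08:10:00 10.0.0.5 c2-placeholder-1.example 200 315
2011-09-20T08:09:58 10.0.0.9 updates.unknown-host.example 200 288
2011-09-20T08:15:01 10.0.0.9 updates.unknown-host.example 200 288
2011-09-20T08:17:45 10.0.0.7 www.example.com 200 9920
2011-09-20T08:20:00 10.0.0.5 c2-placeholder-1.example 200 310
2011-09-20T08:20:00 10.0.0.9 updates.unknown-host.example 200 288
2011-09-20T08:30:00 10.0.0.5 c2-placeholder-1.example 200 314
2011-09-20T08:40:00 10.0.0.5 c2-placeholder-1.example 200 311
2011-09-20T08:40:03 10.0.0.7 www.example.com 200 27701
2011-09-20T09:00:00 10.0.0.11 198.51.100.23 200 512
"""


def parse_log(text: str) -> list:
    """Parse the five-column constructed log into (timestamp, src, dst, status, bytes)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, status, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(status), int(nbytes)))
    return events


def indicator_hits(events) -> dict:
    """Map each known C&C destination to the sorted internal hosts that contacted it."""
    hits = defaultdict(set)
    for _ts, src, dst, _status, _n in events:
        if dst in KNOWN_C2:
            hits[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


def find_beacons(events, min_hits: int = 4, max_cv: float = 0.15) -> list:
    """Flag (src, dst) pairs whose inter-request gaps are regular.

    Regularity is the coefficient of variation (std dev / mean) of the gaps:
    a scheduled check-in gives a value near 0, human browsing a large one.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _status, _n in events:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "hits": len(times),
                             "interval_s": round(mean), "cv": round(cv, 3),
                             "known_c2": dst in KNOWN_C2})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("indicator hits:", indicator_hits(evs))
    for finding in find_beacons(evs):
        print("beacon candidate:", finding)
```

In the constructed log, 10.0.0.5 checks in with a listed destination every ten minutes and is caught by both tests, while 10.0.0.9 talks to a host that is on no list but does so every five minutes with jitter of a few seconds, and only the regularity test catches it. The browsing host 10.0.0.7 is left alone because its gaps vary widely.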

How are these bad guys introducing the malware into the targeted computers?

More and more frequently, targeted malware attacks such as these are being described as advanced persistent threats. A target receives an email that encourages him/her to open an attached file. The file sent by the attackers contains malicious code that exploits vulnerabilities in popular software such as Adobe Reader (e.g., .PDFs) and Microsoft Office (e.g., .DOCs).

Spearphishing.  Again.  Just like “Revealed: Operation Shady RAT,” in which McAfee highlighted more than 70 targeted intrusions into governments, corporations and non-profits.  Just like the attack that compromised the RSA security token. The common thread in these security breaches was spearphishing emails that allowed malware to gain entry into the systems. Criminals are moving from high volumes of ineffective emails to small numbers of well-crafted highly personalized messages that are indistinguishable from legitimate email. The problem is no longer recipient gullibility, but the inability to tell good emails from bad emails.
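Both the Trend Micro description above and the Finance Department story at the top of this page name the same entry point: an attachment that looks like a PDF or Office document and carries code that exploits the reader. The script below is an added example of the triage a mail gateway can run on an attachment before delivery; it is not code from Iconix, Trend Micro, or the original post. It checks that the file’s content matches its extension (a program renamed to .pdf is the simplest trick) and counts pdfid-style risk keywords in PDFs, decoding the #xx name escapes that are used to hide them from naive string matching. The sample attachments are constructed byte strings, not real malware.

```python
import re

# PDF name keywords whose presence warrants closer inspection (pdfid-style triage).
RISKY_KEYWORDS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                  b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/ObjStm"]
# Subset that on its own justifies holding the message for review.
HOLD_KEYWORDS = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}

# Magic bytes -> real container type. Order matters: more specific first.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2 (legacy Office)"),
    (b"PK\x03\x04", "zip (OOXML Office or archive)"),
    (b"MZ", "pe executable"),
]
# Container type each extension is expected to carry.
EXPECTED_BY_EXT = {"pdf": "pdf", "doc": "ole2", "xls": "ole2", "ppt": "ole2",
                   "docx": "zip", "xlsx": "zip", "pptx": "zip"}

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def detect_type(data: bytes) -> str:
    """Identify the container by its leading bytes, ignoring the file name."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so /J#61vaScript is seen as /JavaScript."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count risky PDF name keywords; returns {keyword: count} for those present."""
    norm = normalize_names(data)
    counts = {}
    for kw in RISKY_KEYWORDS:
        # The lookahead stops a short name like /JS from matching inside a longer one.
        n = len(re.findall(re.escape(kw) + rb"(?![A-Za-z])", norm))
        if n:
            counts[kw.decode()] = n
    return counts


def triage_attachment(filename: str, data: bytes) -> dict:
    """Verdict for one attachment: a type mismatch or risky PDF content marks it suspicious."""
    actual = detect_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXPECTED_BY_EXT.get(ext)
    reasons = []
    if expected and not actual.startswith(expected):
        reasons.append(f"extension .{ext} but content is {actual}")
    keywords = scan_pdf(data) if actual == "pdf" else {}
    for kw, n in keywords.items():
        if kw in HOLD_KEYWORDS:
            reasons.append(f"{kw} x{n}")
    return {"file": filename, "type": actual, "keywords": keywords,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample attachments (not real malware): a plain PDF; a PDF whose
# /JavaScript name is hex-escaped and wired to run on open via /OpenAction;
# and a PE header renamed to .pdf.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
SUSPICIOUS_PDF = (b"%PDF-1.6\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                  b"3 0 obj << /S /J#61vaScript /JS (SCRIPT-PLACEHOLDER) >> endobj\n%%EOF\n")
DISGUISED_EXE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    samples = [("invoice.pdf", BENIGN_PDF), ("agenda.pdf", SUSPICIOUS_PDF),
               ("report.pdf", DISGUISED_EXE)]
    for name, blob in samples:
        print(triage_attachment(name, blob))
```

Keyword counts are a triage signal, not a verdict: legitimate forms use /JavaScript and /AA too, so a gateway would typically hold such messages for sandbox detonation or analyst review rather than drop them, and the type mismatch check is the one finding that is almost never benign.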

In order to provide a defense against spearphishing, Iconix has added fraud filtering capability to SP Guard™, its spear-phishing defense product. Now, in addition to highlighting legitimate messages with an icon in the inbox, enterprises will be able to block fraudulent messages pretending to be from their organization or their trusted partners.  You can read the entire press release at http://iconix.com/corp/pr-20110926.php.