Stratfor — The Other Shoe Drops

February 21, 2012

Just before Christmas 2011, Stratfor was hacked by Anonymous.
The means of that attack are unknown.

Government Computer News is now reporting that the stolen Stratfor data are being used to send deceptive targeted emails to government email addresses. Microsoft has published technical details of the attack, including this sample fake email:

The fake email delivers a malicious attachment in the form of a PDF file carrying a virus. Microsoft elaborated on the attack:

The link displayed in the emails appears legitimate at first glance, but looking closely at the target address, you notice that it doesn’t originate from the address in the email text. Stratfor is based in Texas, United States; however, the download URL is located somewhere in Turkey. A sample of another PDF file contained a download link for yet another compromised site, this time in Poland.

Microsoft researchers may notice the subtle difference between the displayed link address and the real one. Most people will not. People need a tool that allows them to process a lot of email quickly and still catch such mismatches. Such a tool is available now from Iconix. That tool is SP Guard.
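As an added illustration (not part of the original post, and not Microsoft or Iconix tooling), the following Python script applies the check Microsoft describes to an HTML message body: for every link it compares the domain a reader sees in the link text with the host the href actually points to, and reports the ones that disagree. The sample message and every domain in it are constructed for this example; the registrable-domain helper is a deliberate simplification rather than a public-suffix lookup.

```python
"""Flag HTML e-mail links whose visible text names a different site than the real target."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a URL or bare domain appearing in visible link text (assumed, simplified pattern).
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (fine for .com/.net; not a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def mismatched_links(html_body):
    """Return links whose displayed domain differs from the domain the href really goes to."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname  # None for mailto:, relative links, etc.
        if not target:
            continue
        shown = DOMAIN_RE.search(text)
        if not shown:
            continue  # link text is plain words; nothing to compare against
        if registrable(shown.group(1)) != registrable(target):
            findings.append({"shown": shown.group(1), "actual": target, "href": href})
    return findings


# Constructed sample message: the first link displays one site but downloads from another.
SAMPLE_BODY = """<html><body>
<p>Read the attached report at
<a href="http://cdn.example.net/report.pdf">http://www.stratfor.com/free-report</a></p>
<p>Questions? <a href="https://www.stratfor.com/contact">www.stratfor.com/contact</a></p>
<p><a href="mailto:info@example.org">email us</a></p>
</body></html>"""


if __name__ == "__main__":
    for f in mismatched_links(SAMPLE_BODY):
        print(f"shown {f['shown']!r} but goes to {f['actual']!r} ({f['href']})")
```

Run against the constructed message, the script reports only the first link, since the second one displays and targets the same domain and the mailto: link has no host to compare.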

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard now offers a fraud filtering enhancement. This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails, which are so well crafted that users cannot tell real from fake.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.


Spearphishers Attack During Holidays

February 16, 2012

FireEye has just released research showing that spearphishers increase their attacks during holidays. This graphic from FireEye shows the number of incoming malicious email attachments that evaded detection by the initial anti-virus and anti-spam defenses.

FireEye Holiday Attacks

FireEye says that the trend to mount attacks during national holidays suggests that the bad guys are attacking at times when IT operations are lightly staffed, thereby increasing the probability of avoiding detection. FireEye observed that the national holiday attacks are well-coordinated:

Prior to the start of the actual holiday, attackers appear to experiment with multiple campaigns, as illustrated by the smaller spikes in traffic, leading up to the relative maximal peak. After measuring initial success, their final techniques are refined and corresponding attacks are significantly amplified during the 3 days around the national holiday.

Why isn’t this trend observed over the Christmas holiday? FireEye believes that the bad guys did not focus on Christmas because very few employees go to work over that period, providing fewer targets to attack.

The FireEye research emphasizes the point that spearphishing attacks people, not systems. Employees must be empowered to defend against cyberattacks. When the cyberattacks target the human, the human must be hardened. A tool that hardens the human is available now from Iconix. That tool is SP Guard from Iconix.



MSUpdater Trojan Installed by Spearphishing

February 9, 2012

After Zscaler and Seculert independently identified targeted attacks that used Remote Access Tool (RAT) malware to compromise several government-related organizations, the firms collaborated to analyze the attacks. Using their combined resources, Zscaler and Seculert were able to link the current attacks to previous targeted attacks that have been occurring since early 2009. They identified the threat vector as highly targeted spearphishing emails with malicious attachments, providing several examples of the social engineering that went into creating a compelling email. They announced their findings in a January 31, 2012 blog posting. They also issued a detailed joint technical report.

Zscaler and Seculert termed this new class of malware the “MSUpdater” Trojan because the malware attempts to avoid detection by network security products through the use of fake “Microsoft Windows Update” HTTP requests. The fake HTTP requests were found to operate in conjunction with other malware which used a file named “msupdater.exe”.
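The evasion described above suggests a defender-side check, added here as an example that is not from the Zscaler/Seculert report or from any product: scan HTTP proxy logs for requests that look like Windows Update traffic but are sent to hosts outside the domains genuine update traffic uses. The log format, the sample lines, the lookalike markers and the trusted-domain allowlist are all assumptions made for this illustration; the real indicators for MSUpdater are the ones published in the joint technical report.

```python
"""Hunt proxy logs for Windows-Update-looking HTTP requests that go to non-Microsoft hosts."""
from urllib.parse import urlparse

# Domains genuine Windows Update traffic may talk to (illustrative allowlist, assumed for this example).
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")
# Substrings that make a request *look like* Windows Update traffic (assumed markers, not report IoCs).
UPDATE_MARKERS = ("windowsupdate", "windows-update-agent")


def host_is_trusted(host):
    """True when host is one of the trusted domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def parse_line(line):
    """Parse one constructed proxy record: timestamp|client|method|url|user-agent."""
    ts, client, method, url, ua = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def looks_like_update(rec):
    """Does the URL or User-Agent carry a Windows Update lookalike marker?"""
    haystack = (rec["url"] + " " + rec["ua"]).lower()
    return any(marker in haystack for marker in UPDATE_MARKERS)


def suspicious_update_requests(lines):
    """Return update-lookalike requests whose destination is not a trusted Microsoft domain."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        host = urlparse(rec["url"]).hostname
        if host is None:
            continue
        if looks_like_update(rec) and not host_is_trusted(host):
            findings.append({"ts": rec["ts"], "client": rec["client"], "host": host, "url": rec["url"]})
    return findings


# Constructed sample log: one genuine update check, one ordinary browse, two fake update requests.
SAMPLE_LOG = """\
2012-02-01T09:00:01|10.1.2.3|GET|http://update.microsoft.com/windowsupdate/v6/default.aspx|Windows-Update-Agent
2012-02-01T09:00:07|10.1.2.3|GET|http://www.example.org/index.html|Mozilla/5.0
2012-02-01T09:03:15|10.1.2.9|POST|http://203.0.113.7/windowsupdate/check.php|Windows-Update-Agent
2012-02-01T09:03:16|10.1.2.9|GET|http://cdn.example.net/WindowsUpdate/payload.bin|Mozilla/5.0
"""


if __name__ == "__main__":
    for f in suspicious_update_requests(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['client']} -> {f['host']}  {f['url']}")
```

The point of the allowlist is that the marker alone is worthless as a signal, since real update clients produce it all day; it is the combination of update-looking traffic and an untrusted destination that is worth an analyst's time. The same shape of check works for any malware family that mimics a well-known service's traffic.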

Because this is a particularly insidious RAT which cleverly avoids detection, Zscaler and Seculert advise:

Use these [technical] indicators to help provide detection and remediation of this threat within your enterprise. This was the overall goal of releasing this information. Note however, that the overall targeted threat will likely adapt and remain a constant adversary – that is, if your particular organization is the target of an attack it is likely that it will continue to be targeted. Use this knowledge to adapt your organization’s security policies and resources appropriately.

We agree that detection and remediation are important responses to the MSUpdater Trojan. But note the opportunities for PREVENTION:

Based on the information available, the threat arrives in phishing emails with a PDF attachment, possibly related to conferences for the particular targeted industry. The PDF exploits vulnerabilities within Adobe (for example, a 0-day exploit was used against CVE-2010-2883) and drops a series of files to begin communicating with the command and control (C&C).

Spearphishing attacks people, not systems. Employees must be empowered to defend against cyberattacks. When the cyberattacks target the human, the human must be hardened. A tool that hardens the human is available now from Iconix. That tool is SP Guard from Iconix.




FBI Embarrassed by Hacked Email Account

February 4, 2012

The press is widely reporting on Anonymous eavesdropping on a phone call between the FBI, Scotland Yard and other non-U.S. police agencies. The sixteen-minute phone call is currently posted here.

How did Anonymous do it?  The FBI sent the link to the conference call to more than three dozen people at the FBI, Scotland Yard, and agencies in France, Germany, Ireland, the Netherlands and Sweden. One of the people who received the conference call log-in data forwarded the email to his personal account. That personal account had been hacked by Anonymous.  By accessing the hacked email account, Anonymous obtained the log-in credentials required to participate in the phone call.

The New York Times reports on the FBI reaction to the compromised phone call:

“It’s not really that sophisticated,” said the official, who would discuss the episode only on condition of anonymity. He said no Federal Bureau of Investigation system was compromised but noted that communications security was more challenging when agencies in multiple countries were involved.

The unnamed FBI official’s observation that the attack was not that sophisticated and no systems were compromised misses the crucial lesson of this incident — a cyberattack doesn’t have to be technically sophisticated in order to succeed. This incident demonstrates an important principle of security — attackers go after the people because it is easier to hack people than systems.

How hard is it to hack a person? As we noted in our posting Hackers for Hire, all that is needed is a little information about the target to trick the target into unwittingly being compromised. As we noted in our posting How To Infiltrate A Network Using Spearphishing, all that is needed to successfully attack an enterprise is the compromise of a single person. And, as we noted in Social Media Outs CIA Agent, using widely available internet resources, even the identity of CIA agents can be discovered. In this phone call case, a successful attack on the FBI was accomplished by compromising the personal email account of a person who collaborates with the FBI.

Employees must be empowered to defend against cyberattacks. When the cyberattacks target the human, the human must be hardened. A tool that hardens the human is available now from Iconix. That tool is SP Guard from Iconix.
