Spearphishing Attack Exploits Spearphishing News

Hackers use socially engineered emails in order to deceive targeted email recipients into compromising their systems.

In order for a socially engineered email to deceive, it must contain a call to action that is compelling to the recipient. A current attack on Tibetan organizations demonstrates how clever hackers are able to use the news — even news that discloses attacks — to create a compelling call to action.

Two weeks ago, SC Magazine reported that hackers in China were sending highly targeted emails to organizations in Tibet. The spearphishing message used a Tibetan religious festival as the call to action. The email carried a PDF attachment that installed malware, a variant of the GhostRAT remote access trojan used for command and control in APT campaigns. The attack was discovered and reported by security experts at AlienVault.

This week, SC Magazine is reporting that the hackers are sending socially engineered emails which claim to be from AlienVault. These fake AlienVault emails demonstrate the opportunistic nature of social engineering. The hackers are exploiting the news of their own attacks by masquerading as AlienVault.

The emails were sent from ‘admin@alienvault.com’ with a subject line of “Targeted attacks against Tibet organisations” and contain a malicious payload that loads a Java applet, which exploits CVE-2011-3544.
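The spoof above works because the email client shows the reader only the claimed From: address. A defender-side check for this kind of sender spoofing, added here as an example that is not code from the original post, Iconix or AlienVault, is to accept a sender as authentic only when the receiving server's SPF or DKIM result passed for the same domain the reader sees in From:. The two sample messages and their `Authentication-Results` headers are constructed for this example (the sender and subject are the ones quoted in the post; the receiving server `mx.example.org` and the partner domain `lawfirm.example` are assumptions):

```python
"""Flag messages whose visible From: domain is not backed by an aligned
SPF or DKIM pass. This is the decision a sender-identity indicator has to make.

Added example; not code from Iconix, AlienVault or the original post.
The messages and their Authentication-Results headers are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a spoofed message claiming to come from AlienVault.
# The Authentication-Results line is what a receiving server would add when
# the sending host is not authorized to send for alienvault.com.
SPOOFED_EML = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=admin@alienvault.com; dkim=none
Return-Path: <admin@alienvault.com>
From: "AlienVault" <admin@alienvault.com>
To: staff@example.org
Subject: Targeted attacks against Tibet organisations
Content-Type: text/plain

Please review the attached report.
"""

# Constructed sample: a legitimately authenticated message from a trusted partner.
TRUSTED_EML = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=partner@lawfirm.example; dkim=pass header.d=lawfirm.example
From: "Law Firm" <partner@lawfirm.example>
To: staff@example.org
Subject: Contract draft
Content-Type: text/plain

Draft attached.
"""


def parse_auth_results(value):
    """Return {'spf': (result, domain), 'dkim': (result, domain)} from an
    Authentication-Results header (RFC 8601 style; simplified parsing)."""
    out = {}
    for clause in value.split(";")[1:]:  # first clause is the authserv-id
        clause = clause.strip()
        m = re.match(r"(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1), m.group(2).lower()
        dom = re.search(
            r"(?:smtp\.mailfrom|header\.d|header\.from)=(?:[^@\s]+@)?([^\s;]+)",
            clause,
        )
        out[method] = (result, dom.group(1).lower() if dom else None)
    return out


def from_domain(msg):
    """Domain of the address the reader actually sees in the From: header."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def sender_is_authenticated(msg):
    """True only if SPF or DKIM passed for the visible From: domain itself.
    A pass for some other domain does not vouch for what the reader sees."""
    dom = from_domain(msg)
    if dom is None:
        return False
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim"):
        result, auth_dom = auth.get(method, (None, None))
        if result == "pass" and auth_dom == dom:
            return True
    return False


def classify(raw):
    """Summarize one raw RFC 822 message for an inbox indicator."""
    msg = message_from_string(raw)
    return {
        "from_domain": from_domain(msg),
        "subject": msg.get("Subject"),
        "authenticated": sender_is_authenticated(msg),
    }


if __name__ == "__main__":
    for raw in (SPOOFED_EML, TRUSTED_EML):
        print(classify(raw))
```

The spoofed message is reported as not authenticated even though its From: line looks exactly like mail from AlienVault, which is the information a visual indicator should surface to the reader; a message with no `Authentication-Results` header at all is also treated as unauthenticated rather than trusted by default.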

In order to prevent social engineering from deceiving the email recipient, SP Guard from Iconix modifies the email client’s display to provide a visual indicator of the identity of the sender of the email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking its internal messages as well as those from trusted partners such as its law firm. Note especially that the last message, though seemingly benign, is a spearphishing message and is not marked as authentic:

SP Guard Inbox

SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.
