Flame – Malware on Steroids

May 31, 2012

Flame is in the news.  What is Flame?  It is a large piece of malware used to spy on its victims.  Flame takes numerous cyber-espionage techniques and packages them into a comprehensive toolkit of bad news.  Flame can record keystrokes, capture screenshots and log Skype sessions.  It can turn on your microphone and record conversations.  It can use Bluetooth to discover nearby devices and collect information from them.

You can watch a discussion about Flame between a former CIA official and a security expert on the PBS Newshour.

Flame also demonstrates the general problem with signature-based anti-virus: until a sample has been identified and a signature written for it, the malware operates undetected.  The Kaspersky blog notes:

Kaspersky has seen multiple versions of the Flame attack toolkit in the wild and called Flame “the most sophisticated cyber weapon yet unleashed.” If it’s been floating around for a couple years at least before discovery, it would seem possible there are even more advanced attack toolkits, more sophisticated cyber weapons lurking, working and awaiting discovery.

Iran's national CERT reports that Flame went undetected by 43 different security programs.  The authors of Flame achieved this by understanding how security software works and then avoiding the behaviours that security software detects.  Malware authors will no doubt study the new Flame signatures to build a next generation of malware that Flame detectors cannot find.

While the focus has been on the damage Flame does after it is installed, little has been said about how Flame enters a network.  Roel Schouwenberg, senior researcher at Kaspersky Lab, speculates that Flame's initial entry into a network is through a spearphishing email that delivers a zero-day exploit.  Spearphishing is a social engineering attack in which the attacker creates a highly personalized email that deceives the recipient into acting.  You can see how this is done by viewing “Spearphishing – The Movie.”

To prevent social engineering from deceiving the email recipient, SP Guard from Iconix modifies the email client's display to provide a visual indicator of the identity of the sender.  This is an example from Outlook, the popular business email client, in which a company called “MyCo” marks its internal messages as well as those from trusted partners such as its law firm.  Note especially the last message, which, though seemingly benign, is a spear-phishing message and is not marked as authentic:

[Screenshot: SP Guard inbox view]

SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the open message displays a certificate that further identifies the sender.

SP Guard is available now from Iconix.  For further information, contact us at 408-727-6342 , ext 3 or use our online form.


Top Five Spearphishing Scams

May 25, 2012

KnowBe4 has released information about the most widespread spearphishing scams targeting businesses.

Spearphishing is the hacking technique in which highly targeted socially engineered emails are sent to a very small number of people.  The purpose of a spearphishing email is to deceive the recipient into taking an action, such as following a link or opening an attachment, that will compromise the security of the recipient’s systems.

KnowBe4 cites these five scams:

5. Better Business Bureau Complaint – The recipient receives an official-looking email made to appear to come from the Better Business Bureau.  The recipient is instructed to click on a link to contest or respond to the complaint.  If the link is clicked, malware is downloaded to the system.

4. Smartphone Security App – Using public web resources, cybercriminals find the names and email addresses of a company's senior management.  Using this information, they spoof an email from the CEO to the CFO instructing the CFO to follow a link.  When the link is clicked, a keystroke logger is installed on the CFO's computer.  The cybercriminals then have the CFO's account login credentials and control of any two-factor text messages sent to the CFO.

3. Layoff Notice – Employees receive a spoofed email from the CEO or Human Resources informing them that they have been laid off.  Employees are instructed to click a link to register for severance pay.  The landing page looks just like the company's website and asks users to enter their name and social security number to log in.  The fake website triggers a malware download to the user's system, and any personal details the victim entered put them immediately at risk of identity theft.

2. Prize for Feedback – Using social media profiles, cybercriminals determine which organizations the targeted person supports or does business with, and their favourite local restaurants.  The cybercriminal sends a fake email from one of those charities or organizations asking the recipient to download a PDF that describes an upcoming campaign or event, and offers a free dinner at the local restaurant in exchange for feedback.  When the PDF is opened, malware is installed on the system, giving the cybercriminals direct access to the network.

1. Lawsuit – Cybercriminals use the web to find the email addresses of a company's executives and lawyers.  They send a fake email to the executive team pretending to be from the lawyers, with a malicious PDF describing pending litigation attached.  When the attachment is opened, malware is installed and the network is compromised.

The solution to these attacks proposed by KnowBe4 is caution and training.  While we at Iconix support caution and training, the sad reality is that caution and training are ineffective against well-crafted, highly targeted spearphishing attacks.  Reliance on spearphishing training rests on three assumptions:

  1. People pay attention to subtle clues about email authenticity.
  2. People do not engage in automated responses driven by habit.
  3. Spear-phishing emails contain clues that betray their nefarious purpose.

These assumptions are invalid.  Research led by Arun “Vish” Vishwanath, PhD, found that people do not pay attention to subtle clues about email authenticity and that, when reading email, people are creatures of habit.  The examples cited by KnowBe4 are typical of the clever methods used in highly targeted attacks to lend email an air of authenticity and hide its nefarious purpose.

People need a way to tell real email from fake email.  SP Guard from Iconix gives your staff the ability to distinguish real email from spearphishing attacks.  Click here to learn more.

Spearphishing Attacks U.S. Gas Pipelines

May 10, 2012

In a story first reported by The Christian Science Monitor, the United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a warning about an active “spear phishing” campaign targeting companies in the natural gas pipeline sector.

The article cites an April 13 confidential ICS-CERT alert:

ICS-CERT has recently identified an active series of cyber intrusions targeting natural gas pipeline sector companies.  Multiple natural gas pipeline organizations have reported either attempts or intrusions related to this campaign. The campaign appears to have started in late December 2011 and is active today.

The public ICS-CERT report states:

Analysis shows that the spear-phishing attempts have targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused. In addition, the e-mails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization.

Spearphishing is the hacking technique in which highly targeted, socially engineered emails are sent to a very small number of people.  The purpose of a spearphishing email is to deceive the recipient into taking an action, such as opening a malicious attachment, that gives the attacker a foothold in the targeted network.  Spearphishing is an infiltration tactic heavily favoured by sophisticated attackers.
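The ICS-CERT observation above, that the emails were crafted to appear to come from a trusted member inside the organization, is a property a mail gateway or client plug-in can test for before a human ever reads the message; the spoofed CEO-to-CFO message in the Top Five list above is the same pattern.  The script below is an added example, not code from ICS-CERT, Iconix or SP Guard.  It assumes a hypothetical internal domain `myco.example`, a constructed two-name employee directory, and four constructed sample messages, and it applies four checks: a From display name that matches an employee but carries an external address, a From domain within a small edit distance of the internal domain, an internal From with no DKIM or SPF pass recorded in an Authentication-Results header, and an internal From paired with an external Reply-To.

```python
"""Flag emails that claim to come from inside the organization but do not.

Added example (not Iconix, SP Guard or ICS-CERT code).  Assumes a hypothetical
internal domain and a constructed employee directory; all sample messages are
constructed for the example.
"""
import email
import unicodedata
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "myco.example"          # assumption: hypothetical domain
EMPLOYEES = {"jane doe", "john smith"}    # constructed directory


def normalize_name(name):
    """Casefold, NFKC-fold and collapse whitespace so 'Jane  DOE' == 'jane doe'."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as myc0.example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain):
    d = domain.casefold()
    return d == INTERNAL_DOMAIN or d.endswith("." + INTERNAL_DOMAIN)


def auth_passed(msg, domain):
    """True if an Authentication-Results header (RFC 8601) records a DKIM or SPF
    pass for `domain`.  Loose clause matching, not a full RFC 8601 parser."""
    for ar in msg.get_all("Authentication-Results", []):
        for clause in str(ar).casefold().split(";"):
            clause = clause.strip()
            if clause.startswith("dkim=pass") and f"header.d={domain}" in clause:
                return True
            if clause.startswith("spf=pass") and "smtp.mailfrom=" in clause:
                mailfrom = clause.split("smtp.mailfrom=", 1)[1].split()[0]
                if mailfrom.rpartition("@")[2] == domain:
                    return True
    return False


def classify(raw):
    """Return a list of findings for one RFC 5322 message; [] means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    if not addr:
        return ["missing or unparsable From address"]
    domain = addr.rpartition("@")[2].casefold()
    findings = []
    if is_internal(domain):
        # A message that claims to be internal must have been authenticated as such.
        if not auth_passed(msg, domain):
            findings.append(f"From claims {domain} but no DKIM/SPF pass recorded")
        _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
        if reply_addr and not is_internal(reply_addr.rpartition("@")[2]):
            findings.append(f"internal From but external Reply-To ({reply_addr})")
    else:
        if normalize_name(display) in EMPLOYEES:
            findings.append(f"display name '{display}' matches an employee but address is external ({addr})")
        if edit_distance(domain, INTERNAL_DOMAIN) <= 2:
            findings.append(f"lookalike domain {domain}")
    return findings


# Constructed sample messages (headers only; bodies are irrelevant to the checks).
SAMPLES = {
    "legitimate internal": """From: Jane Doe <jane.doe@myco.example>
Authentication-Results: mx.myco.example; dkim=pass header.d=myco.example; spf=pass smtp.mailfrom=myco.example
Subject: Q2 figures

See attached.
""",
    "display-name impersonation": """From: "Jane Doe" <jane.doe@webmail.example>
Subject: urgent wire transfer

Please handle today.
""",
    "lookalike domain": """From: John Smith <john.smith@myc0.example>
Subject: updated contract

PDF attached.
""",
    "spoofed internal": """From: Jane Doe <jane.doe@myco.example>
Reply-To: jane.doe@fastmail.example
Authentication-Results: mx.myco.example; dkim=none; spf=fail smtp.mailfrom=myco.example
Subject: severance registration

Click the link to register.
""",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {classify(raw) or 'no findings'}")
```

The display-name check only catches impersonation of names in the directory, and the Authentication-Results check trusts that the gateway strips any such header arriving from outside; both are the kinds of assumption a real deployment has to pin down before acting on the findings.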

The Department of Homeland Security warned of the threat of spearphishing when it conducted a mock cyberattack against U.S. infrastructure for the United States Senate earlier this year.

Spearphishing warnings are important.  However, as important as detection and remedial action are, prevention is also important.  SP Guard from Iconix gives your staff the ability to distinguish real email from spearphishing attacks.  Click here to learn more.

British Defense Firms Targeted in Spearphishing Attack

May 4, 2012

ZDNet UK is reporting that British defense firms are being targeted by spearphishing attacks.

[Photo: Cabinet Office Minister Francis Maude discloses spearphishing. Photo credit: BIS]

Cabinet Office Minister Francis Maude stated that British defense contractors were being targeted by a sophisticated campaign that uses highly targeted emails to compromise systems.  The Minister announced that these attacks had been identified through a data sharing arrangement between business and government under the new UK cybersecurity strategy that was announced in November of 2011.

The Minister noted, “UK government networks continue to be regularly targeted by foreign intelligence agencies, or groups working on their behalf.”

At Iconix we strongly support efforts to quickly discover these “spy-phishing” attacks against government and industry.  However, as important as detection and remedial action are, prevention is also important.  While the Cabinet Office advocated education to fight this problem, the fact of the matter is that education is not effective against these highly targeted email attacks.

SP Guard from Iconix gives your staff the ability to distinguish real email from spearphishing attacks.  Click here to learn more.