Massive Global Spearphishing Attack Nets Millions

June 29, 2012

McAfee and Guardian Analytics have released a new whitepaper entitled Dissecting Operation High Roller.  In the whitepaper, they describe a massive global attack that is stealing tens of millions of dollars from banks, institutions and wealthy individuals.

Unlike standard SpyEye and Zeus attacks that typically feature live (manual) interventions, we have
discovered at least a dozen groups now using server-side components and heavy automation. The
fraudsters’ objective in these attacks is to siphon large amounts from high balance accounts, hence
the name chosen for this research: Operation High Roller.

With no human participation required, each attack moves quickly and scales neatly. This operation
combines an insider level of understanding of banking transaction systems with both custom and off
the shelf malicious code and appears to be worthy of the term “organized crime.”

The report describes the automation techniques used to increase the speed and efficiency of the new attacks:

Where transactions required physical authentication … in the form of a smartcard reader (common in Europe), the system was able to capture and process the necessary extra information, representing the first known case of fraud being able to bypass this form of two-factor authentication. Within 60 seconds, a script navigated to the GIRO transfer page, retrieved mule account information from a remote database, and initiated a transfer. No human interventions, no delays, no data entry errors.

The attackers use spearphishing as a means to install their malware. The report includes this sample spearphishing email:

The report details the measures the attackers have taken to avoid detection by anti-malware software, and how the thieves cover their tracks after stealing the money.

Finally, the report describes how to protect against these thefts. These techniques boil down to faster response after suspicious activity is detected.  At Iconix, we agree that fast response is important.  AND, we think that prevention is important.

How can a spearphishing attack be prevented?  Clearly, training is not the answer. The new DMARC standard is not the answer.  What is needed is a method to deprive the attacker of his ability to deceive. Spearphishers deceive by masquerading as trusted senders.  At Iconix we identify trusted senders. Our identification system makes it easy for users to distinguish trusted senders from attackers masquerading as trusted senders.  SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks.  Click here to learn more.  You can contact us at 408-727-6342, ext 3 or use our online form.

Know who.  No Doubt.  SP Guard from Iconix.


Homeland Security Demonstrates Spearphishing

June 19, 2012

On June 14, 2012, Mark Weatherford, DHS’s deputy under secretary for cybersecurity, provided at least the third formal cybersecurity presentation to the United States Senate.  The demonstration was part of the Obama Administration’s efforts to pass cybersecurity legislation slated to come to the Senate floor in the next three weeks.  This demonstration again focused on a spear phishing attack against the Homeland Security Department. The demonstration reflected the reality of the recent attack against the U.S. Natural Gas Pipeline infrastructure.

Secretary Weatherford said the purpose of the demonstration was not to scare Senators and staff, but to enlighten them about how easy it is to conduct a spear phishing attack. Weatherford’s team from the U.S. Computer Emergency Response Team (U.S. CERT) used free open source tools found on the Internet.  Weatherford explained the demonstration:

Anyone can do them. Many of them are point and click.  It’s to use a very simple spear phishing attack, craft an email, get someone to open an email. The email then compromises the computer, gives the attacker control of that computer to do whatever he wants on that computer, download files, violate the integrity of files and use that computer as a pivot point to go somewhere else. These are very common techniques and tactics that are used to do these kinds of things.

In less than five minutes, the demonstration showed how an attacker could attach malicious code to a PDF document — in this case a copy of the pending cybersecurity legislation — and send a fake email that seemed to go from a manager to an employee at DHS.  When the victim opened the attachment, the victim’s computer was compromised.  The demonstration showed how the attacker was able to get the victim’s passwords and then was able to download, delete, upload and change files. The hacker could turn on the computer’s microphone and record  audio, and turn on the PC’s Web camera.  You can see a similar demonstration at Spearphishing – The Movie.

Homeland Security officials said agencies can protect themselves by updating software patches often, which look for certain known attack codes in attachments.  You can hear an interview with Secretary Weatherford at FederalNewsRadio.com.

Keeping your software patched is important.  However, patches work against known malware, not new zero day exploits. At Iconix we believe prevention is also important.  SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks.  Click here to learn more.


Spearphishing Attack on Industrial Control Systems Security Firm

June 15, 2012

This week DigitalBond, a firm that specializes in security for Industrial Control Systems (ICS), reported that it had been the victim of a spearphishing cyberattack.  Demonstrating the clever personalization that social engineering requires, DigitalBond reported:

It’s a bit concerning that a company whose sole focus is securing industrial control systems should be spear phished.  The attacker clearly went to enough trouble to try to understand ICS security lingo to get the employee to open the link, and had to compromise a DNS server.

This is the spearphishing email:

Security Week  reports that this attack was part of a series of attacks:

The potential (and likely) list of victims and confirmed targets are a diverse group. In addition to DigitalBond, the list includes NJVC (a DOD Contractor), the Chertoff Group, customers of Equifax’s Anakam two factor authentication, attendees of the IT SCC meeting, Carnegie Mellon University, Purdue University, and the University of Rhode Island.

Spearphishing warnings are important.  However, as important as detection and remedial action are, prevention is also important.  SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks.  Click here to learn more.


American Banker Reports on Spearphishing

June 11, 2012

In a new video, American Banker discusses the ease with which hackers can deceive email recipients.

In the video, the reporters discuss how a security expert crafted an email from one reporter to the other.  The recipient, being deceived into believing that the hacker was a colleague, opened the fake email.  Why?  Because it is impossible to easily determine that the fake email was fake.

American Banker concludes:

Social engineering attacks — also known as phishing and spear-phishing — are on the rise against banks and their corporate customers. The stakes are high and rising for both.

Social engineering deceives users into becoming the agents of the criminals.  How can you defend your organization against hackers impersonating co-workers?  The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix. For further information, contact us at  408-727-6342, ext 3 or use our online form.


Iconix Named to OTA 2012 Online Trust Honor Roll

June 8, 2012

ICONIX, Inc., has been named to the Online Trust Alliance (OTA) 2012 Honor Roll.  This designation is based on a composite trust score of security and privacy measures at hundreds of online sites. Designed to recognize leadership, the Honor Roll distinguishes Iconix as a “North Star” to inspire others. Of the companies evaluated by the non-profit, member-based OTA, less than 30% made the grade.

As part of the 2012 study, released June 6, 2012, OTA analyzed the adoption of key security and privacy initiatives, providing benchmark reporting and comparisons between key industry sectors including leading internet retailers, FDIC Top 100 Banks, and social networking sites. Other companies recognized by OTA include financial institutions such as Bank of America, PayPal and Wells Fargo, social networks such as Twitter and Zynga, online retailers such as Amazon.com, Apple, Buy.com, Costco and Walmart, and technology providers such as Microsoft and Symantec.

“Today’s businesses are stewards of ever-increasing amounts of users’ personal and sensitive data that necessitate the implementation of privacy and security best practices,” said Craig Spiezle, executive director and president, Online Trust Alliance. “Being a member of the 2012 OTA Online Trust Honor Roll means ICONIX has demonstrated exceptional leadership and commitment towards online safety, to enhancing the vitality of the internet, and, most importantly, to consumer trust.”

“From the inception of ICONIX our focus has been to increase trust in online interaction, especially in email,” said Jeff Wilbur, vice-president of marketing at ICONIX. “We are proud to be recognized by OTA for the 2012 Online Trust Honor Roll, and we are committed to ongoing efforts to implement and promote technologies that will continue to improve users’ safety online.”

You can read the press release here.


Iconix Whitepaper – Defending Against Spoofed Domain Spearphishing Attacks

June 1, 2012

Today Iconix released its whitepaper, “Defending Against Spoofed Domain Spearphishing Attacks.”  In this whitepaper,  Iconix discusses the ease with which hackers can use spoofed email addresses to deceive email recipients.

Spoofed domain spearphishing is occurring because technology favors the social engineering schemes employed in spearphishing that are used to deceive recipients.  It is technically easy to fake the sending email address that is displayed to the recipient.  You can see a demonstration of how easy it is to spoof a sending domain at Spearphishing — The Movie.  A little internet research yields substantial personal information that can be used to deceive the recipient.  Email is the ideal medium for deception because the attacker has at his command all of the human factors needed to deceive the recipient.  Given the ability of criminals to craft and deliver deceiving emails and use deceptive domains, email recipients are essentially unarmed in this battle of wits with spearphishers.
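The point above, that the displayed sending address is easy to fake, can be checked on the receiving side. As an added illustration (not taken from the Iconix whitepaper and not a description of how SP Guard works), this Python example tests whether the visible From: domain is backed by an SPF or DKIM pass recorded by the receiver's own mail server; the authserv-id `mx.corp.example`, all domains and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id stamped by your own border MTA (RFC 8601), which
# must also strip inbound headers that already claim this id.
TRUSTED_AUTHSERV = "mx.corp.example"

def _domain(value):
    """Lowercased domain of an address header value or a bare domain."""
    _, addr = parseaddr(value or "")
    return (addr or value or "").rpartition("@")[2].strip(" ;<>").lower()

def _aligned(a, b):
    # Simplified relaxed alignment (same domain or parent/subdomain); real
    # DMARC compares organizational domains via the Public Suffix List.
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def from_is_authenticated(raw):
    """True only if a trusted Authentication-Results header records an SPF or
    DKIM pass for a domain aligned with the visible From: domain."""
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From"))
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = ar.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # not ours: anyone can put such a header in a message
        for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
            pat = rf"\b{method}=pass\b[^;]*?{re.escape(prop)}=([^\s;]+)"
            if any(_aligned(from_dom, _domain(m.group(1)))
                   for m in re.finditer(pat, results, re.I)):
                return True
    return False

# Constructed sample messages (all names and domains are made up).
_FROM = 'From: "Pat Manager" <pat.manager@corp.example>\nSubject: Please review\n\nSee attached.\n'
SPOOFED = ("Authentication-Results: mx.corp.example; spf=pass "
           "smtp.mailfrom=bounce@mailer.sender.test; dkim=pass header.d=sender.test\n" + _FROM)
GENUINE = ("Authentication-Results: mx.corp.example; spf=pass "
           "smtp.mailfrom=bounces.corp.example; dkim=pass header.d=corp.example\n" + _FROM)
FORGED_AR = ("Authentication-Results: mx.sender.test; dkim=pass "
             "header.d=corp.example\n" + _FROM)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("forged A-R", FORGED_AR)):
        print(f"{name:10} From: authenticated = {from_is_authenticated(raw)}")
```

In the spoofed sample SPF and DKIM both pass, but for the sender's own domain rather than the one shown in From:, which is why a bare "pass" result says nothing about the address the recipient sees.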

Social engineering deceives the users into becoming the agents of the criminals.  What can be done to defend the enterprise against spearphishing?  The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.