Targeted Phishing Attack Reels in 1,400 Executives
SecureWorks’ Security Research Group recently investigated a highly-targeted email phishing scam using messages that claim to be from the Better Business Bureau (BBB). The phishing email is being sent to upper-level managers and executives at a wide variety of companies, posing as a complaint notice filed against the victim’s company. When understandably concerned executives click on a link to learn more about the supposed complaint, they are sent to a webpage that asks them to download the “complaint details.” In reality, the downloaded file is a Trojan horse that steals all data sent from the victim’s browser.

Figure 1: Example of BBB Phishing Email
This approach differs significantly from the one used in typical phishing schemes. Most phishers attempt to gather specific information, such as account numbers, by randomly sending scam emails to hundreds of thousands of people. In the BBB scam detailed above, the phishers have narrowed their focus to a specific group of high-value targets (executives) and are collecting all of the data those targets transmit through Internet Explorer. Whereas most phishers have simply been after banking or credit card data in the past, the criminals behind this targeted phishing threat are intentionally gathering unfiltered data to obtain a much broader scope of information. The information gathered from victims includes comprehensive details on everything they do on the Web, from the sites they visit to the prescriptions they refill online. Considering the targets of the BBB phishing emails and their high-profile roles, this information can be used for many illegal activities beyond typical identity theft, including blackmail and industrial espionage.
Well-coordinated, targeted schemes such as the BBB phishing emails further reinforce the growing involvement of organized groups in Internet crime. The phisher(s) took extra care: by getting the names of executives and companies correct and sending the email to only one executive at each company, they made the emails more convincing and less likely to be detected.
During the investigation into this threat, a site was found storing details on more than 1,400 executives who were apparently taken in by the phony emails. The site has since been taken down, but the fact that so many executives were tricked is a testament to the scam’s effectiveness.
SecureWorks has implemented countermeasures to protect our clients from the loss of confidential data by this phishing Trojan and its variants. In addition, we recommend:
- Educating users never to click on a link or attachment in a message from an unverified source.
- Verifying the source of any message that demands action on your part. Look up the phone number, and do not rely on any phone numbers in the message itself.
- Enabling junk mail filters. Enable forgery-detection features found in some newer e-mail client programs such as Microsoft Outlook.
- Utilizing IPS and web content filtering at the network perimeter.
- Keeping anti-virus and anti-spyware signatures up to date.
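The forgery-detection recommendation above can be illustrated with a small mail-filter heuristic. The following is an added example, not SecureWorks code: it parses two constructed messages (one mimicking the BBB complaint lure, one benign), checks whether a display name that claims a known brand is backed by a sending domain on an assumed allow-list, and flags links whose path ends in an executable extension, as the "complaint details" download did.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample messages (not from the original article). The first mimics the
# BBB lure: display name says BBB, sender is not bbb.org, link fetches an executable.
PHISH_RAW = """\
From: "Better Business Bureau" <complaints@bbb-notices.example>
Subject: Complaint Case #12345 filed against your company

A complaint has been filed against your company. Review the complaint details:
http://bbb-notices.example/complaint/details.exe
"""
LEGIT_RAW = """\
From: "Better Business Bureau" <info@bbb.org>
Subject: Your accreditation renewal

Your renewal is confirmed. Manage your profile at https://www.bbb.org/
"""

# Assumed allow-list: brand display names and the domains entitled to send as them.
BRAND_DOMAINS = {"better business bureau": {"bbb.org"}}
DOWNLOAD_EXT = (".exe", ".scr", ".pif", ".zip", ".bat")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _in_domains(host: str, allowed: set) -> bool:
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)

def score_message(raw: str) -> dict:
    """Flag display-name forgery and executable download links in one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1]
    body = msg.get_content()  # single-part text message assumed for this example
    # Brand the display name claims, and whether the sending domain is entitled to it
    claimed = next((b for b in BRAND_DOMAINS if b in name.lower()), None)
    brand_spoof = claimed is not None and not _in_domains(sender_domain, BRAND_DOMAINS[claimed])
    urls = [urlparse(u) for u in URL_RE.findall(body)]
    executable_link = any(u.path.lower().endswith(DOWNLOAD_EXT) for u in urls)
    offbrand_links = [u.hostname for u in urls
                      if claimed and not _in_domains(u.hostname or "", BRAND_DOMAINS[claimed])]
    return {"brand_spoof": brand_spoof, "executable_link": executable_link,
            "offbrand_links": offbrand_links,
            "verdict": "suspicious" if brand_spoof or executable_link else "ok"}
```

A production filter would extend the allow-list with SPF/DKIM results and look at HTML anchors rather than bare URLs, but the display-name versus sending-domain check is what catches this lure.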
What is Social Engineering?
Introduction
Social engineering is described as a collection of primarily non-technical intrusion techniques used to manipulate other people. In essence, social engineering is a new version of an age-old con game that relies heavily on human interaction to break normal security procedures (fraud). Though any organization can be susceptible to the con, social engineers usually target larger entities, including financial institutions, government institutions, and hospitals.
Social engineering is similar to hacking in that it is used to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simple disruption. However, social engineering is generally much easier than hacking, as it does not require technical know-how or background to be completed successfully. Rather, it simply involves asking other people for information. Phishing is one of the most common forms of social engineering, using technical subterfuge (fraudulent emails) to obtain usernames, passwords, credit card details, and other personal information.
Typical Scenarios
Listed below are a few common techniques used in social engineering attacks. Though sometimes an attacker may ‘get lucky’ and only need to utilize one method, more often than not, he will combine several of the following techniques to meet his objectives. This is often referred to as a hybrid attack.
- Dumpster Diving or "Trashing" - The attacker waits for the victim to dispose of his/her trash and then rummages through it in search of valuable information. Surprisingly, many companies do not properly dispose of (shred) paperwork containing confidential personal and company information. Such items as organizational charts, calendars, manuals, etc. are often thrown in the trash, to be easily stolen for the attacker to use in countless ways.
For instance, organizational charts provide the attacker with the various positions of authority and often their contact information. This information could be used to impersonate upper-level management with enough legitimate information to appear credible in the case he is challenged. Calendars can be used to determine when certain employees are going to be out of town, making it easier for the attacker to target their credentials or equipment. Manuals could provide the attacker with the various weaknesses within the system and/or certain passwords needed.
- Disguising - The attacker physically disguises himself as an unthreatening visitor or someone authorized to gain access to restricted areas and information.
The following are two examples:
Example 1: The attacker disguises himself as maintenance staff entering through the back door (janitor, telecommunications employee, etc). Unnoticed, the attacker then sorts through items left by the printer and/or copier for valuable information. The amount of valuable information left for the wandering eye around the printer/copier machine is quite alarming in many companies.
Example 2: The attacker claims to be with security "doing a test for upper level management" and is given direct access to the network. The attacker may be left alone with your network for hours unnoticed.
This form of social engineering can be avoided by simply verifying the identity of everyone who enters your building, regardless of the uniform or verbal greeting.
- Appealing to Curiosity - The attacker leaves digital storage media (e.g., a floppy disk, CD, or USB memory stick) in a location where a curious employee may be tempted to pick it up. When the employee tries out the media, malicious software (trojans, backdoors, rootkits) is loaded onto her computer, granting the attacker access to internal resources and information. This type of social engineering can be averted by establishing and enforcing a policy ensuring that outside storage media or devices are not plugged in unless approved by the company.
- Phone Calling / Pretexting - Countless variations of social engineering using the telephone are being utilized today. Always take precautions when discussing confidential or sensitive information over all telecommunications lines, including company phones, cell phones, and home phones. Some examples of phone call attacks are listed below.
Example 1: A popular form of social engineering that uses the phone is pretexting. The attacker is prepared with pieces of information (birth dates, etc.) gathered prior to the phone call to establish his perceived legitimacy. Pretexting is often used to retrieve customer information and records, or to impersonate authoritative figures. Pretexting will become easier as Voice over IP (VoIP) becomes increasingly popular, because the return number is more difficult to trace with VoIP.
Example 2: The attacker calls someone in the organization and tells her to visit a particular website, acting as a sales person. The website would then proceed to ask for her username and password "for an application," giving the attacker access to your network.
Example 3: An attacker may call random numbers claiming to be a technical support representative. Many people will not have a technical problem, leaving him to call the next lead for attack. However, the attacker will eventually reach someone independently suffering from a technical problem within her organization and glad someone is "calling to help." The attacker will "help" solve the problem and in the process have the user type commands that give the attacker network access.
- Appearing Helpful - The attacker sends out an email warning employees that someone is phishing around the network and encourages them to click on the provided link for more information. The link would trigger a browser-based exploit that compromises the victim's PC and provides the attacker access to your organization.
- Friendship - The attacker becomes friends with an employee of the victim organization. Once trust is established, it is exploited for the attacker’s benefit. A key factor in social engineering is simply being friendly. An employee handling outside callers and/or visitors is usually in a position where she wants to help, so the hacker just needs to be believable.
- Reverse Social Engineering - The attacker pretends to be a person of authority in such a way that the target begins asking the attacker questions that may lead to or contain confidential information. This technique is not used very often given that preparation for it is quite tedious and involves three stages: "sabotage, advertising, and assisting." For instance, the attacker may cause a network failure, show up as a technical support expert just at the right moment, and then help the network operator through the problem. The operator would think of the attacker as someone of high authority that she could trust and would willingly ask or answer detailed questions that include confidential information or a way to access it.
Primary targets of social engineering include new hires, administrative workers, and anyone located near an entry/exit. New hires are more vulnerable to social engineering tactics because they are less familiar with the proper policies and procedures and may not know coworkers' names. Administrative workers often handle communications with outsiders. Employees located near an entry/exit are either the social engineer's gateway into the company or the point at which the attempt is turned away.
Conclusion
Social engineering continues to be a powerful technique for computer criminals. Establishing sound security policies and providing ongoing training for your customers and employees about the most prevalent social engineering techniques will minimize the risk to your company.
