“Social Engineering” Attacks Against Corporations At Record Pace

August 5, 2008 by Brian J. Ritchey

According to a June 2008 press release by IDefense Labs, a social engineering attack called “spear phishing” skyrocketed over the months of April and May. “Spear phishing”, also known as “whaling”, is an attack in which an email containing personal information about the recipient is sent to make the recipient believe that the email is legitimate. The purpose is to get you to click on links or open attachments that compromise your system or steal your identity.

IDefense reports that over 15,000 known corporate users have been attacked over the past 15 months. The intended victims are typically senior executives and other high-profile individuals in the organization. Law firms are among the entities that have reported being compromised.

In these attacks, the goal is to gain access to corporate banking information, customer databases and other information to facilitate cyber crime.

Most of the attacks were carried out by one of two groups. The first group used what is called a “browser helper object” (a plug-in that loads inside Internet Explorer), and the other installed a web server and a key logger (a tool that records everything a user types, including banking credentials).

The key statistics noted in the report are:

  • 66 distinct spear phishing and whaling attacks between February 2007 and June 2008
  • Over 15 different templates have been used, including Better Business Bureau (BBB), Internal Revenue Service (IRS), Federal Trade Commission (FTC), US District Courts, Department of Justice (DoJ) and Proforma Invoices
  • 95 percent of the attacks emanate from two cyber crime groups
  • Signature-based anti-virus detection ranges from 5 to 40 percent for each attack
  • Victim losses can exceed $100,000
  • Malicious code from these attacks targets over 50 financial institutions in the US
  • Attacks are often well timed to coincide with events such as tax day, Microsoft Patch Tuesday and month-end processing
  • Malicious payload split 50/50 between links and attachments
  • For more than 12 months, the malicious code is capable of defeating most two-factor authentication systems
  • Over 15,000 corporate victims in 15 months of attacks
  • Attack volume reached new highs in April and May with 10 and 9 attacks, respectively
  • Recent attacks have netted over 2,000 victims in May alone
    • May 29, 2008 – IRS / US Treasury Tax Court – 600 victims
    • May 12 – 22, 2008 – IRS Tax Court – 800 victims
    • May 1 – 7, 2008 – BBB Complaint – 800 victims

How can you defend yourself against such attacks? First you need to understand what “social engineering” attacks are. Social engineering is one of the most effective tactics for compromising security, because it uses prima facie legitimacy to gain access. Common examples are thieves who pose as cleaning crews or IT personnel, walk into offices unchallenged, and steal passwords, install malicious software on computers, or steal laptops. In this case, the tactic is to convince you that the email is legitimate by posing as a message from the US Courts or the Better Business Bureau, using legitimate-looking graphics and using personal information about you that is publicly available (such as your full name and address, or other information you may share publicly) to fool you.

IDefense cautions that there is no simple solution for protecting against these attacks: “No single technical defense is likely to prevent these attacks; however, most can be prevented using a layered defense that includes desktop and gateway anti-virus, URL filtering, vigilant monitoring of anomalous network activity and the use of non-administrative user accounts.”

In my opinion, it is a red herring to believe that the non-use of administrative accounts can protect you. It is easier than you would think to perform what is called a “privilege escalation attack”. It is always a good idea to look at multi-layered protection when it comes to security, however, and not using administrative accounts does serve to lessen your exposure. One thing is certain: anti-virus protection and a firewall are not enough. Microsoft has more information on how to defend yourself against phishing attacks:

  • Never reveal personal or financial information in a response to an e-mail request, no matter who appears to have sent it.
  • If you receive an e-mail message that appears suspicious, call the person or organization listed in the From line before you respond or open any attached files.
  • Never click links in an e-mail message that requests personal or financial information. Enter the Web address into your browser window instead.
  • Don’t post any information on your blog or social networking site that could be used by identity thieves to target you, your family or friends, or your company.
  • Report any e-mail that you suspect might be a spear phishing campaign within your company.
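The advice above is what a reader applies by eye; the same three tells can also be checked mechanically at a mail gateway. The Python below is an added example, not code from the article, IDefense or Microsoft: it screens a message for a display name that claims an organisation the sender's domain does not belong to, link text that shows one host while the link goes to another, and an attachment that runs code when opened. The organisation-to-domain mapping, the risky-extension list and both sample messages are constructed for the example.

```python
import email.utils
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse
# Assumed mapping (not from the article): impersonated display names -> the real sender domain.
IMPERSONATED_ORGS = {"internal revenue service": "irs.gov", "better business bureau": "bbb.org"}
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".zip", ".js", ".vbs")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Constructed sample: an "IRS Tax Court" lure whose visible link and real target differ.
SAMPLE_LINK_LURE = """\
From: "Internal Revenue Service" <notice@tax-refund-center.example>
Subject: Notice of Tax Court Petition
Content-Type: text/html

<html><body>Review your petition at <a href="http://198.51.100.7/login">https://www.irs.gov/petition</a></body></html>
"""

def build_attachment_lure() -> str:
    # Constructed sample: a "BBB Complaint" lure delivered as a .zip attachment.
    msg = EmailMessage()
    msg["From"] = '"Better Business Bureau" <complaints@bbb-notices.example>'
    msg["Subject"] = "BBB Complaint"
    msg.set_content("Your complaint is attached.")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="zip", filename="complaint.zip")
    return msg.as_string()

def screen_message(raw: str) -> list[str]:
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = email.utils.parseaddr(msg.get("From", ""))
    sender = addr.rsplit("@", 1)[-1].lower()
    # 1. Display name claims an organisation that the sender's domain does not belong to.
    for keyword, real in IMPERSONATED_ORGS.items():
        if re.search(rf"\b{re.escape(keyword)}\b", display, re.I) and not (
                sender == real or sender.endswith("." + real)):
            findings.append(f"display name claims {real} but sender is {sender}")
    # 2. Visible link text names one host while the href points to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        shown, target = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and target and shown.lower() != target.lower():
            findings.append(f"link text shows {shown} but points to {target}")
    # 3. Attachments whose extension means opening them runs code.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name}")
    return findings
```

A message from a genuine IRS subdomain with no mismatched links and no attachment produces an empty list, so the checks flag the lure pattern rather than the organisation's name.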

Microsoft's guidance covers these points in more detail. There are also other software and hardware defenses against such attacks. Employing a proactive approach to security improves your odds against becoming a victim, but the best defense is knowledge.