Issue: Asia-Pacific II 2012
Topic: Spear Phishing in the Cloud
Author: GOH Hock Beng
Title: Vice President, Channel Sales Asia
GOH Hock Beng is Vice President, Channel Sales Asia at TrustSphere. Mr Beng brings over 15 years of experience in Information Technology management in the private sector and in Asian government roles.
Prior to joining TrustSphere, Mr Beng served as the sales lead for Oracle Singapore, where he was responsible for the first deployed SOA suite in Southeast Asian markets.
Mr Beng’s experience includes serving as Client Director for Singapore Computer Systems, where he oversaw the successful deployment of several national database systems for the Singapore government, and serving as CSC Singapore’s Principal Consultant for Homeland Defense.
The high potential of the Cloud is marred by the prospect of cybercrime made easy. Phishing is perpetrated by masquerading as a trustworthy entity in emails that request sensitive, valuable information, which is later used for fraud. While mass-email phishing can be easily ‘unmasked’, spear phishing is harder to recognise: these are individually targeted attacks on chosen victims, using social engineering techniques to build highly credible and relevant emails. It may take just one employee slipping up to let in the scammers, as happened in the RSA SecurID breach, and the result can be large losses, e.g. the US$8 million fraud at the publishers of Vogue. Advanced techniques to authenticate incoming emails must be deployed and constantly updated, as both users and cyber-criminals are getting more sophisticated.
It seems that everyone is buzzing about “The Cloud”. If the hype is to be believed – and there is no reason not to – it represents a tremendous business opportunity valued in the tens of billions of dollars, and the promise of changing IT dramatically. However, despite the enormous positive potential of the Cloud, it does have a possibly serious downside: cybercrime. In particular, the threat of spear phishing looms large.
Specifically, spear phishers have taken advantage of the impeccable reputations of companies like Google to stage their attacks. For instance, criminals have used Google Docs, the company’s cloud-based collaboration service, to give their attacks the appearance of authenticity they need to dupe victims into opening a malware-laden document. Spear phishing is a very real threat with very real and serious consequences for businesses, governments and even non-profit organisations the world over.
A recent series of high-profile spear phishing attacks originated last year in the city of Jinan in Eastern China, which is quickly becoming ground zero for Chinese cyber-attacks. The targets of these attacks have included Chinese activists, Tibetan independence groups and senior officials in the South Korean and U.S. governments.
In each case, the method of attack has been the same: the target receives a legitimate-looking email offering a free report relevant to the recipient. All the recipients have to do to get the report is fill out a standard-looking subscription form – and include their Gmail login details. With the login details in hand, the cybercriminals have access to their victims’ email accounts.
One recent attack targeted U.S. government and military officials with an email offering a free copy of Blinded: The Decline of U.S. Monitoring Capabilities and its Consequences for National Security, a must-have report for the criminals’ intended targets. Not only did the email appear legitimate, and not only was it sent to people who might actually want such a report, but the cybercriminals were smart enough to use the name of a real report published by the Center for a New American Security, a well-known and respected U.S. think tank. While the damage from compromised email accounts could be substantial, no official figures or estimates have been published yet for this attack. However, we don’t have to look too far to see the impact of spear phishing.
By the time Quad/Graphics approached Condé Nast for payment in December 2010, the media giant (publisher of Vogue, Golf Digest, GQ, Vanity Fair, The New Yorker, Wired, etc.) had already paid nearly US$8 million into the account of a spear phisher. The company’s accounts payable department had received a single email claiming to be from Quad/Graphics, the company that prints Condé Nast’s magazines, instructing them to send payments to a bank account specified in the email, accompanied by an electronic payment authorisation form. Once the form was authorised, Condé Nast effectively gave permission for its bank, JP Morgan Chase, to deposit funds in the account – which turned out to be fake.
The increasing use of email for the transmission of valuable information and the prevalence of online financial and other transactions has seen a corresponding increase in cyber-crimes. As more secure means of communication are devised, and as users become savvier, the criminal element has had to develop more sophisticated deceptions in order to perpetrate online crime.
Phishing, a way of attempting to acquire sensitive information by masquerading as a trustworthy entity in an electronic communication, is an often-used technique. Conventional phishing attacks typically involve sending messages that purport to be from reputable institutions or government departments to a large number of people in order to fool them into clicking on fraudulent links. These links lead to websites that look legitimate (e.g. bank or credit card sites) but are instead designed to harvest the information (user IDs, credit card numbers, passwords, etc.) that is entered into them, or install malware on the unsuspecting user’s computer. Criminals use this technique to collect credentials which can be used for a variety of purposes, notably identity theft or transferring modest amounts of money out of accounts held by the victims.
Spear phishing is a more targeted form of phishing: attacks aimed at specific individuals in an organisation and designed to steal valuable data. Recent high-profile breaches in several listed corporations and government departments have caused growing concern about the use of fraudulent email as part of targeted attacks. RSA, a division of EMC Corp. and one of the world's pre-eminent security and encryption companies, was hacked in March 2011, rendering many of its popular SecurID tokens rather less secure. Attackers simply sent e-mails with the subject line "2011 Recruitment Plan" to selected RSA employees. One of the targeted employees opened the Excel file attached to the e-mail, setting loose a program that let the attacker control the employee's PC.
In general, spear phishing attacks aim to achieve high value outcomes such as the disclosure of commercially sensitive information, manipulation of stock prices, corporate or national espionage, or gaining access to secured systems.
As the email messages required for conventional phishing attacks are sent unsolicited and in bulk, conventional spam detection techniques can be used to identify them relatively successfully. Spear phishing attacks, however, are more carefully crafted: the attacker studies an individual victim – usually an executive in a large organisation or government department – and builds an email message specific to that victim using social engineering techniques. The spear phishing email typically appears to be from someone known to the victim and on a topic that the person and the victim are likely to discuss.
The highly-specific nature of the spear phishing email makes it particularly difficult to detect. The key to identifying spear phishing attacks is to increase the ability of individuals at risk to recognise a potentially fraudulent email. Training everyone in an organisation to check every incoming email individually is a resource-intensive and time-consuming task. Even so, the risk of even one employee slipping up is significant and can have disastrous consequences for the company.
Users need technology that can clearly identify known, trusted email senders, combining authentication and reputation techniques to determine whether the sender of an email is legitimate. This information can be used by the email client to highlight known, verified correspondents, perhaps through colour (marking the message in green) or with some sort of trust mark displayed against the message.
If the email purporting to be from Quad/Graphics had not been marked as recognised, staff in Condé Nast’s accounts payable department would have been alerted to its suspicious nature, and could perhaps have verified its authenticity through a phone call or other means – and would likely have saved the company millions of dollars.
The application of identity verification technology to email would go a long way towards mitigating the spear phishing problem. Senior executives or staff in sensitive areas (IT or security, for example) could be trained to treat with caution a regular correspondent’s email which suddenly ceases to be marked as recognised. Using advanced techniques to verify the authenticity of incoming email can protect against even the highly-targeted emails crafted by spear phishing scammers.
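The trust-marking approach described above can be illustrated with a small script. This is an added example, not code from the article and not TrustSphere's product; it assumes that the receiving mail server records its sender-authentication verdict in the standard Authentication-Results header (RFC 8601), that "reputation" is simply a per-organisation count of previously authenticated messages from each sender address, and that every message, domain and history entry below is constructed for the demonstration. It shows the four outcomes the article argues for: a known, verified correspondent is marked recognised; a message that merely claims to be a known supplier but comes from a different address is not; a regular correspondent whose mail suddenly fails verification is flagged for caution; and an unknown, unverified sender is left unrecognised.

```python
"""Trust marks for incoming email from authentication + sender reputation.

Added example (not the article's or TrustSphere's code). Assumptions:
  - the receiving MTA writes an RFC 8601 Authentication-Results header;
  - a sender counts as "authenticated" when DKIM or SPF passed for a
    domain aligned with the visible From domain (DMARC-style alignment);
  - reputation = number of earlier authenticated messages per address;
  - all messages, domains and history below are constructed.
"""
import re
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr
from typing import Dict, Optional

KNOWN_THRESHOLD = 3  # prior authenticated messages before a sender is "known"

# Constructed reputation store: address -> earlier authenticated messages.
HISTORY: Dict[str, int] = {"ar@quad-graphics.example": 12}


def parse_auth_results(value: str) -> Dict[str, Dict[str, str]]:
    """Parse an Authentication-Results value into {method: {"result":..., prop:...}}."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop CFWS comments like "(good signature)"
    methods: Dict[str, Dict[str, str]] = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue  # the leading authserv-id carries no "="
        method, _, result = tokens[0].partition("=")
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key.lower()] = val.lower()
        methods[method.lower()] = props
    return methods


def _aligned(auth_domain: str, from_dom: str) -> bool:
    """Authenticated domain equals the From domain or is a parent of it."""
    return bool(auth_domain) and (auth_domain == from_dom or from_dom.endswith("." + auth_domain))


def is_authenticated(msg) -> bool:
    """True when DKIM or SPF passed for a domain aligned with the From address."""
    ar = msg["Authentication-Results"]
    if not ar:
        return False
    methods = parse_auth_results(str(ar))
    from_dom = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    dkim = methods.get("dkim", {})
    if dkim.get("result") == "pass" and _aligned(dkim.get("header.d", ""), from_dom):
        return True
    spf = methods.get("spf", {})
    mailfrom_dom = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    return spf.get("result") == "pass" and _aligned(mailfrom_dom, from_dom)


def classify(raw: str, history: Optional[Dict[str, int]] = None) -> str:
    """Return the trust mark the mail client should show for one message."""
    if history is None:
        history = HISTORY
    msg = message_from_string(raw, policy=default_policy)
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    known = history.get(sender, 0) >= KNOWN_THRESHOLD
    authenticated = is_authenticated(msg)
    if authenticated:
        history[sender] = history.get(sender, 0) + 1  # reputation grows only on verified mail
    if known and authenticated:
        return "recognised"    # green mark: regular, verified correspondent
    if known:
        return "caution"       # regular correspondent suddenly fails verification
    if authenticated:
        return "new-sender"    # verified, but no history with this organisation
    return "unrecognised"


# Constructed sample messages (no real domains or people).
SAMPLES = {
    "legit": "Authentication-Results: mx.conde.example; dkim=pass header.d=quad-graphics.example;"
             " spf=pass smtp.mailfrom=quad-graphics.example\n"
             "From: Accounts <ar@quad-graphics.example>\nSubject: Invoice 4411\n\nInvoice attached.\n",
    "spoofed": "Authentication-Results: mx.conde.example; dkim=none;"
               " spf=pass smtp.mailfrom=quad-graphics-billing.example\n"
               'From: "Quad/Graphics Accounts" <ar@quad-graphics-billing.example>\n'
               "Subject: New remittance details\n\nPlease pay to the account below.\n",
    "hijacked": "Authentication-Results: mx.conde.example; dkim=fail header.d=quad-graphics.example;"
                " spf=softfail smtp.mailfrom=quad-graphics.example\n"
                "From: Accounts <ar@quad-graphics.example>\nSubject: Urgent payment\n\nPay today.\n",
    "stranger": "From: someone@unknown.example\nSubject: Hello\n\nHi.\n",
}


def run_samples() -> Dict[str, str]:
    """Classify every sample against a copy of the constructed history."""
    history = dict(HISTORY)
    return {name: classify(raw, history) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, mark in run_samples().items():
        print(f"{name:9s} -> {mark}")
```

The "spoofed" case is the Quad/Graphics scenario: the display name says Quad/Graphics and the sending domain even authenticates, but the address has no history with the organisation, so the client shows no green mark and accounts-payable staff have a visible reason to verify by phone. The "hijacked" case is the one the article recommends training staff on: a long-standing correspondent whose mail stops verifying is flagged rather than silently trusted.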
Clearly, the Cloud is still in its infancy, and security issues are bound to be discovered and exploited by cyber-criminals; as the technology matures, these gaps should be closed. However, it is necessary to note that despite on-going advances in security, IT organisations and even individuals must remain ever vigilant, as spear phishers and other cyber-criminals will always look for new avenues of attack.