Brian Krebs, the author of the must-read Krebs on Security Blog, has reported new information about the Anthem breach. Krebs reports two new facts:

  1. The breach actually started in April 2014, not December 10, 2014, as previously reported. Thus, the January 27, 2015, discovery represented a breach of many months instead of a few weeks.
  2. The method of intrusion was spearphishing.

This diagram from Crowdstrike is reproduced on Krebs on Security:

[Diagram: Anthem attack network]

Krebs observed that in this detailed diagram of the attack elements (right down to the IP addresses), one element is redacted. What could this redacted item be? Krebs concludes that it is the method used by the attackers to gain the required toehold in the targeted systems. What great secret is hidden under that little black box? What is the genius that defeated Anthem’s defenses? That great work of genius is the email address that the attackers used to trick Anthem employees into admitting the bad guys into Anthem’s systems. Krebs pulls back the little black box to reveal:

we11point.com

This is a deceptive variant of the firm’s real domain, “wellpoint.com,” with the digit 1 standing in for the letter l. Such a visually similar domain name is an example of a “cousin domain.” It distills the method of the spearphishing attacker down to its essence — trick the recipient into believing the email came from a trusted source. This stolen trust is the problem that SP Guard addresses.
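The cousin-domain trick described above is mechanical enough to flag at the mail gateway: fold visually confusable characters (the digit 1 for the letter l, rn for m) into a skeleton and compare it with the domains the firm actually sends from, then catch one-character typos with an edit distance. This is an added example, not code from the post, from Krebs, or from SP Guard; the trusted-domain list, the confusable table and the sample From: headers are constructed assumptions.

```python
from email.utils import parseaddr
import unicodedata

# Domains the organisation legitimately sends mail from (assumed list).
TRUSTED_DOMAINS = ("wellpoint.com", "anthem.com")
# Visually confusable characters commonly swapped into cousin domains
# (constructed table; "1" for "l" is exactly the we11point.com trick).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "4": "a", "7": "t", "|": "l"})
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))

def normalize(domain):
    """Fold a domain into its visual skeleton so look-alikes collide."""
    d = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    d = d.translate(CONFUSABLES)
    for pair, single in MULTI_CHAR:
        d = d.replace(pair, single)
    return d

def levenshtein(a, b):
    """Edit distance, to catch typo-style cousins such as welpoint.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return ('legit', t), ('cousin', t) or ('unrelated', None)."""
    d = domain.lower().rstrip(".")
    if d in trusted:
        return ("legit", d)
    skeleton = normalize(d)
    for t in trusted:  # same skeleton: confusable-character cousin
        if skeleton == normalize(t):
            return ("cousin", t)
    for t in trusted:  # one edit away: typo-style cousin
        if levenshtein(skeleton, normalize(t)) <= max_distance:
            return ("cousin", t)
    return ("unrelated", None)

def verdict_for(from_header):
    """Classify the sender domain in an RFC 5322 From: header value."""
    _, addr = parseaddr(from_header)
    return classify(addr.rpartition("@")[2])
```

Run `verdict_for("HR Benefits <benefits@we11point.com>")` to see the header from the Anthem case come back as a cousin of wellpoint.com; a skeleton-based check like this produces some false positives on unrelated but similar domains, so treat "cousin" as a quarantine-and-review signal rather than an automatic block.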