Monthly Archives: September 2011

You Are A Security Risk — Wall Street Journal

The September 26, 2011 edition of the Wall Street Journal contained a special section dedicated to information security. In an article entitled “What’s a Company’s Biggest Security Risk? You.”, reporter Geoffrey A. Fowler details the security gaps that are created by people. Fowler writes:

We are the weakest link.

Hacking attacks against companies are growing bigger and bolder—witness a string of high-profile breaches this year at Sony Corp., Citigroup Inc. and others. But gone are the days when hackers would simply find holes in corporate networks to steal valuable data. Large companies have grown wise to the threat of hacking, and have spent the past 30 years hardening the perimeters of their networks with upgraded technology.

These days, criminals aren’t just hacking networks. They’re hacking us, the employees.

“The security gap is end users,” says Kevin Mandia, chief executive of security firm Mandiant Corp. The majority of corporate security breaches his firm is currently investigating involve hackers who gained access to company networks by exploiting well-intentioned employees.

The article provides details on how hackers use personal data, now readily available on the internet, to craft highly personalized emails that trick the recipient into compromising their systems, a hack called spearphishing. The article describes the compromise of information at RSA, in which the email was so convincing that the employee recovered it from the “junk mail” folder and acted upon it.

The article concludes with the importance of training people so that they are not enticed by fraudulent emails.

Unfortunately, training people to avoid suspicious emails is essentially impossible because, as Lt. Col. Gregory Conti, IT professor at West Point, observed in the New York Times,

“What’s ‘wrong’ with these e-mails is very, very subtle,” he said, adding: “They’ll come in error-free, often using the appropriate jargon or acronyms for a given office or organization.”

The tools to improve the criminals’ craft are becoming more robust every day. A little internet research yields substantial personal information that can be used to deceive the recipient. Email is the ideal medium for deception because the attacker has at his command all of the human factors needed to deceive the recipient. Given the ability of criminals to craft and deliver deceptive emails, email recipients are essentially unarmed in this battle of wits with spearphishers.

Social engineering deceives the users into becoming the agents of the criminals.  What can be done to defend the enterprise against spear-phishing?  The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

[Image: SP Guard inbox]

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard now offers a fraud filtering enhancement.  This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails which are so well crafted that users cannot tell real from fake.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.

Iconix Adds Fraud Filtering to SP Guard to Block Spear-Phishing Attacks

ICONIX, Inc., the industry leader in visual email solutions, announced today that it has added fraud filtering capability to SP Guard™, its spear-phishing defense product. Now, in addition to highlighting legitimate messages with an icon in the inbox, enterprises will be able to block fraudulent messages pretending to be from their organization or their trusted partners.

Recent security breaches at many major enterprises have been widely reported in the press. Cisco’s June 2011 study, “Email Attacks: This Time It’s Personal”, reported that suspicious emails with suspicious links are being replaced by highly targeted emails that do not rely on obvious ploys to steal credentials. McAfee documented many of these breaches in an August 2011 white paper entitled “Revealed: Operation Shady RAT”, which highlighted more than 70 targeted intrusions into governments, corporations and non-profits.

The common thread in these security breaches was spear-phishing emails that allowed malware to gain entry into the systems. Criminals are moving from high volumes of ineffective emails to small numbers of well-crafted highly personalized messages that are indistinguishable from legitimate email. The problem is no longer recipient gullibility, but the inability to tell good emails from bad emails.

“At Iconix our core expertise is combining email authentication methods with display technology to identify legitimate email senders,” said Jeff Wilbur, vice-president of marketing at Iconix. “Our customers have asked us to extend this capability to actually block fraudulent messages from being seen, which further protects users and their organizations from being compromised, so we have added fraud filtering to SP Guard to do just that. This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails which are so well crafted that users cannot tell real from fake.”

This is a typical Outlook inbox.  The last message is fraudulent.  It employs the frequently used scheme of spoofing a trusted internal email address to deliver a malicious attachment.  It is nearly impossible to distinguish the real HR email that is being previewed from the fraudulent email.

This is the same Outlook inbox, this time with SP Guard marking confirmed real messages and deleting the fraudulent message.

[Image: Outlook inbox after SP Guard]

SP Guard with fraud filtering is available immediately from Iconix, Inc.

Cyber Espionage — It’s Worse Than You Think!

In two companion articles appearing in tomorrow’s edition (9/24/11) of The Sydney Morning Herald, reporter Dylan Welch describes international cyber spying. The first article, “Code red: the cyber spy threat”, discusses the wide-ranging problem of cyber espionage. The article describes a large number of cyber attacks against many governments and international organizations. Of course, spearphishing plays a prominent role in the story. These are just two of the incidents reported:

On June 1, 2009, messages with the heading “China and Climate Change” dropped into the email inboxes of five US State Department officers. The five officers, working in the Office of the Special Envoy for Climate Change, were involved in preparing for delicate bilateral climate change talks in Beijing in several days.

The email appeared to be from a respected economics columnist at a well-known US journal and contained information designed to be of particular and direct relevance to the five staff.

Germany has similar problems:

The BfV [the German domestic security agency] told its top-secret audience that in the 12 months to October 2007 it had discovered 500 such operations conducted against a range of targets including military, economic, science and technology, commercial, diplomatic, research and development, as well as high-level government systems.

“The socially engineered email messages delivered to German computer systems were spoofed to appear to come from trusted sources and contain information targeted specifically to the recipient’s interests, duties, or current events,” the diplomat noted.

The article ends with a warning that this problem has rapidly grown from a nuisance to a strategic threat.

The second article, “Foreign spies with cyber eyes on our government”, focuses on the threat to Australian security. This article contains an extensive discussion of cyber espionage against Australia. While many incidents are reported, this one is particularly alarming:

Earlier this year it was revealed that foreign spies – suspected to be Chinese – had hacked into the Australian Parliament House network and stolen thousands of emails from computers, including those of the PM [Prime Minister] and the ministers of foreign affairs and defence.

Next week Iconix will announce a new product specifically designed to defend against spearphishing attacks.  Subscribe to this blog or our Twitter so that you can be among the first to learn of this exciting new protection.