Targeted Spear Phishing Attacks and ‘watering holes’

Targeted spear-phishing attacks are going after not just individuals but entire websites that function as “watering holes” for groups of people with focused interests, according to security company Websense.

“Spear-phishing is most associated with targeted attacks, typically via malware-loaded email, intended to take over an individual’s computer to spy or steal something important from the victim. But a more recent trend in spear-phishing is the targeting of entire websites in order to have a crack at a community of individuals whose computers you’d like to compromise”, says Chris Astacio, security research manager at Websense.

Websense Research found that the majority of phishing attacks are sent on Mondays and Fridays.

Top phishing days of the week (percentage), based on July-August 2012 research:

Friday (38.5%)
Monday (30%)
Sunday (10.9%)
Thursday (6.5%)
Tuesday (5.8%)
Wednesday (5.2%)
Saturday (3.2%)

In an interview with PC Magazine Carl Leonard, senior security research manager, EMEA at Websense, said that spear phishing is not about sending 500,000 malicious emails in the hope that ten per cent of recipients will click on it, but it is targeted and dependent on timing.

Leonard went on to say: “The attacker doesn’t do any emails at all; they are waiting like an alligator to jump out. We see this being used in the last six months and it is efficient to me, as people can be targeted with spear phishing messages and social engineering techniques are used in these ‘watering hole’ attacks. The user sees something and thinks it is for them and clicks on it.”

New phishing attacks are more targeted and contain information that makes the recipient believe the information is legitimate. There is invariably a specific intention in mind.

In this “watering hole” attack, the goal is to compromise a website to understand who visits it and why, and place Malware on it to try and target these visitors, Astacio says. For the attackers, “the idea is that they lie in wait,” he says, watching what individuals do in order to target them.


Vishing or Phishing

E-mail is the preferred method used by hi-tech criminals when delivering spam, as well as viruses and phishing messages – in which an e-mail and/or website purports to be that of a bank or financial institution.

Some criminals are now using net phone systems in a bid to make their invites look more legitimate and convince people to hand over useful details such as credit card numbers, bank account details or personal information.

The scam has been dubbed “Vishing”.

Vishing as defined by Wikipedia is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of “voice” and phishing. Vishing exploits the public’s trust in landline telephone services, which have traditionally terminated in physical locations known to the telephone company, and associated with a bill-payer. The victim is often unaware that VoIP makes formerly difficult-to-abuse tools/features of caller ID spoofing, complex automated systems (IVR), low cost, and anonymity for the bill-payer widely available. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.

Vishing is very hard for legal authorities to monitor or trace. To protect themselves, consumers are advised to be highly suspicious when receiving messages directing them to call and provide credit card or bank numbers. When in doubt, calling a company’s telephone number listed on billing statements or other official sources is recommended instead of calling numbers from messages of dubious authenticity.

The criminal either configures a war dialler to call phone numbers in a given region or accesses a legitimate voice messaging company with a list of phone numbers stolen from a financial institution.

Typically, when the victim answers the call, an automated recording, often generated with a text to speech synthesizer, is played to alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity. The message instructs the consumer to call the following phone number immediately. The same phone number is often shown in the spoofed caller ID and given the same name as the financial company they are pretending to represent.

When the victim calls the number, it is answered by automated instructions to enter their credit card number or bank account number on the key pad.

Once the consumer enters their credit card number or bank account number, the visher has the information necessary to make fraudulent use of the card or to access the account. The call is often used to harvest additional details such as security PIN, expiration date, date of birth, etc.

Vishers generally prefer to use automated responders and war diallers. There have been reported instances where human operators have played an active role in trying to convince the victims to part with important personal information. Data collected from a study done in the United States in 2009 by Federico Maggi found that the most recurrent words used in automated, recorded scams are different from those leveraged by human scammers.

For example, automated voices frequently contain words such as “press” (a button) or “number”, while humans typically resort to more complex social engineering techniques.

In a common variation, an email “phish” is sent instead of war-dialling – the victim is instructed to call the following phone number immediately, and credit card or bank account information is gathered.


Phishing and Spear Phishing

In case you have no idea what phishing is, Wikipedia defines it as “the act of attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity.”

Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, defines ‘spear phishing’ as:

“Spear phishing is when a criminal sends you an email that sounds and looks like it’s from a company you have an existing relationship with,” Stephens said. “For example, a spear-phishing message might address you by name.”

Alternatively, spear phishing is an attack predicated on targeting a specific person, or group of people, with a malicious email that encourages them to open an attachment.

Phishers tend to send an email pretending to be someone or some business you recognize and, as the definition above states, try to get you to reveal private data. Usually, if you’re reasonably suspicious, these attempts are easy to spot and avoid, but we often click on the email out of natural curiosity.

Recently I received a direct message on Twitter from a follower:

Hey this person is making up dreadful posts that are about you http://xxxx????

The idea that someone would be making up “terrible posts” about me seemed far-fetched, but that someone would inform me in this way was even more of a give-away. Not so for the link, which takes you, via a couple of redirections, to a Web site that looks exactly like the Twitter login page with the message “Your session has timed out, please re-login.”

If you just came from Twitter by clicking on the link in the direct message you might well think that such a thing was normal and provide your login credentials which would be, given that the site is in China and obviously fraudulent, a very bad idea.

The link resolves to (I recommend you DO NOT visit this link, there may be other exploits involved) and while the root of the site,, is identified by Chrome as a phishing site and a warning immediately displayed, the full link is not identified!
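The root-flagged-but-full-link-missed result described above is what an exact-URL blocklist lookup produces. The following Python is an added example, not code from the original post; it compares an exact-URL lookup with a host-suffix lookup over a constructed redirect chain, and every host in it is a hypothetical placeholder.

```python
from urllib.parse import urlsplit

# Constructed data (hypothetical hosts, not the site from the post):
# an exact-URL blocklist, as a list that only knows the site root looks ...
BLOCKLIST_URLS = {"http://phish-example.test/"}
# ... and the same entry as a host, for suffix matching.
BLOCKLIST_HOSTS = {"phish-example.test"}

# Constructed redirect chain standing in for the "couple of redirections".
REDIRECTS = {
    "http://short-example.test/abc": "http://tracker-example.test/go?u=1",
    "http://tracker-example.test/go?u=1":
        "http://login.phish-example.test/twitter/session/timeout.php?ref=dm",
}

def normalize_url(url):
    """Lower-case scheme and host, drop the fragment, default an empty path to '/'."""
    p = urlsplit(url)
    host = (p.hostname or "").rstrip(".")
    path = p.path or "/"
    query = "?" + p.query if p.query else ""
    return f"{p.scheme.lower()}://{host}{path}{query}"

def exact_url_match(url, blocklist_urls):
    """Exact-URL lookup: misses any path or subdomain the list has not seen."""
    return normalize_url(url) in {normalize_url(u) for u in blocklist_urls}

def host_match(url, blocklist_hosts):
    """Host-suffix lookup: flags the listed host and every subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in blocklist_hosts)

def resolve_chain(url, redirects, max_hops=5):
    """Follow the constructed redirect table, bounded to avoid loops."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        chain.append(redirects[chain[-1]])
    return chain

def check_link(url, redirects=REDIRECTS):
    """Flag a link if any hop of its redirect chain lands on a listed host."""
    chain = resolve_chain(url, redirects)
    for hop in chain:
        if host_match(hop, BLOCKLIST_HOSTS):
            return {"flagged": True, "hop": hop, "chain": chain}
    return {"flagged": False, "hop": None, "chain": chain}

if __name__ == "__main__":
    final = resolve_chain("http://short-example.test/abc", REDIRECTS)[-1]
    print("exact-URL match:", exact_url_match(final, BLOCKLIST_URLS))
    print("host match:", host_match(final, BLOCKLIST_HOSTS))
    print(check_link("http://short-example.test/abc"))
```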

What happens to the information that is collected in this manner is certainly not being used for your benefit. Your personal information could be used for many reasons and one of them could be to ensnare more victims.

The more sophisticated and alluring these phishing attacks become, the more people will get tricked. Remember that whilst the current messages are poorly written, they are effective. To quote the Sergeant from Hill Street Blues, “be careful out there”.


Cyber Attacks – How Seriously Do We Treat Them?

I was reading an article in an on-line PC Magazine where certain companies stage mock phishing attacks in order to monitor how their staff react. It appears that no matter how many security systems companies have in place, such as PCs and mobile devices securely locked down with a strong, complex password when not in use, and a cross-device security tool to block unwanted traffic on both PC and mobile devices and protect sensitive data, there is one weak link irrespective of how good all the security measures are, and unfortunately the Achilles heel is YOU.

We go to great lengths to physically protect our homes with security gates and burglar bars that are strong and sturdy and, once installed, almost guarantee that burglars are kept OUT and our property is securely and safely protected. Additional security can be added, such as electronic beams and alarm systems, which will be set off whenever an unwanted intruder tries to enter our home without our approval.

In both situations the potential intruders will try different methods in order to gain your trust with the aim of obtaining your approval in order to gain access to either your property or your PC and Mobile systems. These criminals are continuously looking for different ways to illegally obtain your possessions, whether they are physical or personal. In both situations we need to be aware that this can and does happen and that we need to be more diligent in who and what we trust.

We need to remember that we are in general the weakest link when it comes to digital security. The tools that we and our companies have in place can guard against known threats and can even identify and block suspicious activity from many unknown threats. But if we click on a malicious link in a phishing scam email, our security tools are more likely to view the activity as legitimate because we were the ones who initiated it. If you open an attachment from an email that claims to be from the bank or any other trusted source, and fill in sensitive personal information as requested, there is little these security tools can do to protect us.