Targeted Spear Phishing Attacks and ‘Watering Holes’

Targeted spear-phishing attacks are going after not just individuals but entire websites that function as “watering holes” for groups of people with focused interests, according to security company Websense.

“Spear-phishing is most associated with targeted attacks, typically via malware-loaded email, intended to take over an individual’s computer to spy or steal something important from the victim. But a more recent trend in spear-phishing is the targeting of entire websites in order to have a crack at a community of individuals whose computers you’d like to compromise”, says Chris Astacio, security research manager at Websense.

Websense research found that the majority of phishing attacks are sent on Mondays and Fridays.

Top phishing days of the week (percentage of attacks, based on July-August 2012 research):

Friday (38.5%)

Monday (30%)

Sunday (10.9%)

Thursday (6.5%)

Tuesday (5.8%)

Wednesday (5.2%)

Saturday (3.2%)

In an interview with PC Magazine Carl Leonard, senior security research manager, EMEA at Websense, said that spear phishing is not about sending 500,000 malicious emails in the hope that ten per cent of recipients will click on it, but it is targeted and dependent on timing.

Leonard went on to say: “The attacker doesn’t do any emails at all; they are waiting like an alligator to jump out. We see this being used in the last six months and it is efficient to me, as people can be targeted with spear phishing messages and social engineering techniques are used in these ‘watering hole’ attacks. The user sees something and thinks it is for them and clicks on it.”

New phishing attacks are more targeted and contain information that makes the recipient believe the information is legitimate. There is invariably a specific intention in mind.


In this “watering hole” attack, the goal is to compromise a website to understand who visits it and why, and place Malware on it to try and target these visitors, Astacio says. For the attackers, “the idea is that they lie in wait,” he says, watching what individuals do in order to target them.


Phishing and Spear Phishing

In case you have no idea what phishing is, Wikipedia defines it as “the act of attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity.”

Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, defines ‘spear phishing’ as:

“Spear phishing is when a criminal sends you an email that sounds and looks like it’s from a company you have an existing relationship with,” Stephens said. “For example, a spear-phishing message might address you by name.”

Alternatively, spear phishing is an attack predicated on targeting a specific person or group of people with a malicious email that encourages them to open an attachment.

Phishers tend to send an email pretending to be someone or some business you recognize and, as the definition above states, try to get you to reveal private data. Usually, if you’re reasonably suspicious, these attempts are easy to spot and avoid, but often we click on the link out of natural curiosity.

Recently I received a direct message on Twitter from a follower:

Hey this person is making up dreadful posts that are about you http://xxxx????

The idea that someone would be making up “terrible posts” about me seemed far-fetched, but that someone would inform me in this way was even more of a give-away. Not so for the link, which takes you, via a couple of redirections, to a Web site that looks exactly like the Twitter login page, with the message “Your session has timed out, please re-login.”

If you had just come from Twitter by clicking on the link in the direct message, you might well think that such a thing was normal and provide your login credentials, which, given that the site is in China and obviously fraudulent, would be a very bad idea.

The link resolves to http://twitvter.com/log.in/h/?&session_timed_out (I recommend you DO NOT visit this link, there may be other exploits involved) and while the root of the site, http://twitvter.com/, is identified by Chrome as a phishing site and a warning immediately displayed, the full link is not identified!
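The following is an added detection example, not code from the original post, for the look-alike login link described above. It checks a URL two ways a mail or DM filter would want: it matches a blocklist on the host, so a flagged root also covers every path under it (the gap noted above), and it flags hosts within a small edit distance of a protected brand domain. The blocklist and brand list are constructed for the example.

```python
"""Flag look-alike login URLs such as the twitvter.com link described above.

Two checks a filter or browser extension would want:
  1. match the blocklist on the host, so every path under a flagged host
     is caught, not only the root page;
  2. flag hosts within a small edit distance of a protected brand domain.
"""
from urllib.parse import urlsplit

# Constructed sample data for this example; real filters load these from feeds.
BLOCKLIST_HOSTS = {"twitvter.com"}
PROTECTED_BRANDS = {"twitter.com", "paypal.com"}


def registrable_host(url: str) -> str:
    """Return the lower-cased host with any trailing dot and leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, max_distance: int = 2) -> str:
    """Return 'blocklisted', 'lookalike:<brand>' or 'ok' for a URL.

    The blocklist is matched on the host alone, so the full path
    /log.in/h/?&session_timed_out is caught as soon as the root is listed.
    """
    host = registrable_host(url)
    if host in BLOCKLIST_HOSTS:
        return "blocklisted"
    for brand in sorted(PROTECTED_BRANDS):
        # The exact brand host is legitimate; a near miss (one inserted letter) is not.
        if host != brand and levenshtein(host, brand) <= max_distance:
            return f"lookalike:{brand}"
    return "ok"


if __name__ == "__main__":
    for u in ("http://twitvter.com/log.in/h/?&session_timed_out",
              "http://twiter.com/login", "https://www.twitter.com/login"):
        print(u, "->", classify_url(u))
```

Edit-distance matching does not cover hosts that embed the brand as a subdomain of an unrelated registrable domain; those need a separate substring or public-suffix check.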

Information collected in this manner is certainly not being used for your benefit. Your personal details could be used for many purposes, and one of them could be to ensnare more victims.

The more sophisticated and alluring these phishing attacks become, the more people will get tricked. Remember that, whilst the current messages are poorly written, they are effective. To quote the Sergeant from Hill Street Blues: “be careful out there”.