Hoax Subpoena E-Mails Shine Light on 'Spearphishing'

Last week, hundreds of executives at some of America's most well-known companies received e-mails that they probably didn't want to get--even if those messages weren't a hoax.

It was revealed Wednesday that as many as 2,000 top managers at high-profile corporations nationwide received e-mail messages early in the week that looked like an official subpoena from the Uited States District Court in San Diego, CA.

Though this hoax could have been worse, it still brings attention to the growth of a certain modus operandi among many of the world's most sophisticated hackers: targeted attacks under the guise of a friendly overture.

"As phishing attacks go, this one has been comparatively small. By some estimates, the Monday wave tricked about 2,000 people and the second attack on Wednesday scammed another 100," said Andrew Storms, director of IT security operations at San Francisco, Calif.-based nCircle Network Security. "Though, despite the small numbers here, this attack does highlight the new trend of 'spearphishing.' Spearphishing is the term used to denote a highly targeted and incredibly customized version of the daily-seen phishing attack."

Since the incident, the real federal court for the Central District of California has posted an advisory on its Web site alerting users of the nature of the attacks and admonishing them to report such incidents. Even the IT security think tank SANS Institute got in on the act with notes on its homepage urging users who receive subpoenas via e-mail to take them immediately to the company's in-house counsel, private lawyers or federal law enforcement.

Security patches that guard against such attacks have also been relatively prevalent in recent Patch Tuesday releases, more evidence that phishing is a concern that isn't going away.

It All Started with Spam
Security experts say that at its roots, phishing is merely an appendage of an age-old confidence scheme where curious, interested or greedy parties are reeled in (hence the term "phishing") and their privileged information stolen.

Like many others, Don Leatham of Scottsdale, Ariz.-based Lumension Security traces the method back to the days of AOL, when dialing up to get on the Internet sounded like fingernails scratching a chalkboard and the pages loaded slowly.

"The history can go way, way back," said Leatham, who is Lumension's director of solutions and strategy. "The electronic, network version of this con is typically traced back to the early '90s when access to online services like AOL, Genie and CompuServe were fairly expensive."

However, today's attacks are more targeted and less random. They're less like fishing and more like hunting with a spear through the water--the water being the network, in this case. Thus, spearphishing attacks are tailored e-mails that include some level of personalized data from a trusted Web address that has been hacked and configured to invite specific individuals.

The main challenge, security experts say, is that these narrow attacks can fall well below the radar of Internet security systems, circumvent networks and blend into Web-based applications, unlike the more obvious spam-blast e-mail.

Storms contends that the difference between 1990 and 2008 is that phishing is now a full-time business with a real economic potential.

"When we think of phishing as a business, the attackers are putting dollars into their business just like any other well-run entity," Storms said. "They deal with supply and demand and they spend money on research and development. As such, their tactics are becoming much more refined. However, because the root of the problem is a human trust relationship, it's difficult to develop technical products to mitigate the threat."

Responding to the Threat
In an e-mail to Redmondmag.com, Microsoft Senior Product Manager Mike Chan said that as customers face external threats, they also face growing complexity, security and privacy concerns within their own IT environment.

"As a result, IT managers don't have a complete view into the health of their networks, which can actually breed vulnerability and security breaches. Some employees may visit phishing sites out of curiosity, and they need to be told in no uncertain terms: 'Don't,'" Chan wrote. "Just visiting a phishing site can lead to malware being downloaded on to a company workstation without the employee even realizing it, infecting the entire network."

Chan added that Microsoft thinks about this with a "defense in-depth approach, and we offer an array of products designed to help in this regard."

Chan and others suggest that from an application-security standpoint, adopting an "allow only the known good" or whitelisting approach is the only way to completely stop malware or remote code execution bugs that have eluded anti-virus detection. Moreover, shoring up firewalls and using whole hard disk encryption can guard sensitive documents from such attacks.

Still, what's been leaving IT pros scratching their heads is something that has nothing to do with computers: social engineering and the habits of users in the workplace. Rank-and-file workers--and even IT administrators--aren't beyond checking personal e-mails and opening attachments at their workstations on a whim, without thinking about the implications.

This is why Leatham and others say that having an undetected botnet that gathers keystrokes and data from multiple executives' computers in a specific company is considered one of the IT risks that organizations might face in the near future.

As he has been known to do, Leatham emphasizes that if he were a security administrator at a company, he would cut the situation down to brass tacks and lay out the danger in plain English: "User education must go beyond telling people, 'Don't open attachments' or 'Don't click on any links in an e-mail.' E-mails are for reading. Period. No downloading. No clicking."

Featured