Better phishing makes email an unclosable hole in security

cyberthief

There's a warning in the news this week about how much to trust the electronic systems you and people at your company communicate: Not at all.

The warning becomes clear by combining two examples. The first is the story of how an NSA snooping tool code-named AURORAGOLD helped to get Libyan dictator Muammar Gaddaffi killed in a particularly brutal way by compromising the email of geeks behind the scenes of Libya's mobile phone networks.

The goal of Project AURORAGOLD was to find ways to both compromise mobile-phone network controls and to find ways to listen to voice or text conversations by tapping the email accounts of admins who routinely exchanged technical documents about the inner workings of those networks.

Access to the information admins used to maintain the network gave the NSA the tools it needed to do pretty much what it wanted inside that network.

What the NSA did with that access was to help the U.S. military Africa Command listen in on the texts and phone calls of senior Libyan officials during the early days of a 2011 rebellion against Gaddaffi's rule, according to the Intercept, an independent news site that continues to publish secret NSA documents released by whistleblower Edward Snowden.

By May 15, 2012, according to the Snowden documents, the NSA had penetrated 70 percent of the world's GSM systems and was well on its way to doing the same to 4G LTE systems as well.

The documents didn't specify how access to the text networks of Libyan officers helped when  NATO and the U.S. eventually intervened on the side of the rebels, however, or whether the information helped limit the downside of an air war that eventually cost a reported $1 billion and may have made the situation on the ground worse.

The key to the strategy behind AURORAGOLD, however, was the realization that it is easier to spy on people making critical decisions if you first compromise the far-less-intense security surrounding lower-level people who don't make critical decisions but are trusted to run the system or provide information directly to those who do.

In the case of AURORAGOLD that meant targeting admins who used email to exchange information on the encryption and authentication of International Roaming, which is designed to let an unknown phone log in to a secure mobile phone network in a way that allows the user to make calls and the network to bill for them. Understanding how that's done gave the NSA access to instructions on authentication, encryption, directory services, routing and call functions -- pretty much anything required to compromise a foreign country's phone system -- all revealed in someone else's "secure" email.

It is probably just a coincidence that news about AURORAGOLD came out just a couple of days after the FireEye security firm reported that a group called FIN4 was also extracting valuable information from the fog of chatter that fills up the routine of modern workdays with information that, usually, is not important enough to safeguard.

In this case, a group called FIN4 used spear-phishing and malware to take control of the email boxes of staffers who rarely had access to potentially valuable information about upcoming mergers or other stock-price catalysts. Using that access, the group gathered email addresses, confidential documents and other information that would make their efforts to crack the emails of higher-level executives more credible.

Fin4 attacked about 100 companies, 68 in the pharmaceutical or biotech businesses and about 20 percent in support or advisory services of the kind that would be pulled in to help with a merger or acquisition.

Fin4 was unique among spear-phishing/malware-using attackers because it worked so hard and was so effective at sounding authentic to the victims it targeted. The messages used jargon and colloquialisms native to Wall Street, lulling victims' suspicion by sounding like a boss rather than a perpetrator.

Many of the emails contained Visual Basic macros designed to steal the usernames and passwords of high-level targets, but also had links to fake Outlook web login pages to capture those of the initial target. The emails also often contained "what appeared to be stolen documents form actual deal discussions that the group weaponized and sent to individuals directly involved in the deals," to look even more authentic the report read.

In one case Fin4 penetrated an advisory firm, gathered information about an acquisition involving a client of that firm FireEye called Public Company A. Fin4 then used the compromised account to infect the client company and gather more information. Then it waited for an opportunity to put money down on stock deals whose value would change – positively or negatively – based on information Fin4 got directly from the negotiators.

Fin4 has been operating since at least mid-2013, and was still at work when the FireEye report was posted, according to the company.

Its apparent success has little to do with the technology it used, but a lot to do with the depth of its research on potential victims, ability to use "authentic" documents about deals that were actually in the works and on which the victim actually worked to make an approach seem legitimate at every level from the least to the most sensitive, according to FireEye.

That level of targeting and effort at verisimilitude raises the bar for anyone trying an email scam, according to FireEye, which warned readers there are likely to be other research-driven, authentic-sounding spear phishers out there also trying to dig for insider information for companies in any market in which stock is particularly volatile.

The problem isn't Fin4's ability to fake its way past a receptionist, however,

The problem is that it's not all that hard to get the information or even the documents required to make an email look authentic enough that most office workers would open an attachment without a second thought.

Every company in America, and most elsewhere, are surrounded by a fog of emails and texts and What'sApp messages and Tweets and Facebook updates and Follows and Shares and LookAtThisDammits – and every one of them tells an eavesdropper something about the people who work there and how to sound or look just like one of them.

What Fin4 and AURORAGOLD prove is that it is possible to overhear discussions about nearly every important decision and find copies of almost every important document by compromising just a few key email accounts.

The success of Fin4 shows that compromised email creates a path from outside the firewall right to the heart of the enterprise. It also shows that the security of that path depends largely on the decisions of humans who don't know they're responsible for it, can't do their jobs if they shut down that line of communication,  and can be fooled thoroughly enough by credible-sounding impostors that even rigorous training doesn't help them reliably spot wolves among the sheep. 

Both stories show there is a huge security flaw inherent in technology that most companies would have trouble living without.

What neither story shows is what anyone can do to fix that.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.