Phishing emails have been the scourge of the computer world for decades, defeating even our best efforts to combat them. Most of us can easily spot them by their subject lines and delete without even opening. If we’re not entirely sure and end up opening them, we can immediately identify a phishing attempt by its overly formal greetings, foreign origins, misspellings, and overly solicitous efforts to send us millions of unearned dollars or to sell us dubious products. Most of the time, phishing attempts are a minor menace we solve with a Delete key.
Enter spearphishing: a targeted approach to phishing that is proving nefariously effective, even against the most seasoned security pros. Why? Because they are crafted by thoughtful professionals who seem to know your business, your current projects, your interests. They don’t tip their hand by trying to sell you anything or claiming to have money to give away. In fact, today’s spearphishing attempts have far more sinister goals than simple financial theft.
Here’s a look at what sets today’s most sophisticated spearphishing attempts apart -- and how to keep from falling prey to their advances.
The attack is handcrafted by professional criminals
Traditionally, phishing emails have been created by low-end scammers who have opted for the buckshot approach: slap together a sloppy message and spam en masse. You’re bound to get someone. In fact, the more obvious the phishing attempt, the better, as this would ensure ensnaring the most gullible of dupes.
Somewhere along the way this changed. Professional criminals and organized crime realized that a lot of money could be made by sending out better spam. Brian Krebs’ 2015 bestseller "Spam Nation" traces the rise of professional criminal gangs in Russia that made tens of millions of dollars each year and supported multiple large companies, some of which pretended to be legitimate and were traded on stock exchanges.
Then nation-states got in the game, realizing that a handful of thoughtfully crafted emails could help them bypass the toughest defenses, simply by targeting the right employees. Today, the vast majority of advanced persistent threats (APTs) gain their first foothold inside victim companies by sending a few emails.
Today’s professional Internet criminals work 9-to-5 days, pay taxes, and get weekends and holidays off. The companies they work for often have dozens to hundreds of employees, pay bribes to local law enforcement and politicians, and are often seen as the employer of choice in their region. Working for companies that break into companies in other countries is often proudly worn as a patriotic badge.
These professional hacking mills employ divisions of labor. The marketing team, often led by executives, seeks customers willing to pay to hack a particular company for information, although the mills will often attack any company on spec, then market the information afterward.
The research and surveillance teams gather information about the target company’s org structure, business partners, Internet-accessible servers, software versions, and current projects. They obtain much of this information by visiting the target company’s public website and breaking into a few of its more weakly protected business partners.
This research is passed along to a team of initial compromisers, which establishes anchors inside the target organization. This team is the most important team at the mill, and it is broken down into several skilled subgroups, each focused on a particular domain: breaking into servers, launching client-side attacks, performing social engineering attacks, or spearphishing. The spearphishing team works hand in hand with the research team, mixing relevant topics and projects with their cadre of boilerplate email templates.
There are other teams as well. Backdoor teams come in after the initial entry is secured to help ensure easy future entry by inserting backdoor Trojans, creating new user accounts, and vacuuming up every log-on credential in the compromised organization.
Then, like any good consulting company, a longer-term team is dedicated to this “client.” This team roots around looking for important information, detailing the organization’s structure and VIPs. Within a short amount of time they know every defense system the company has in place and how to bypass it. When some new project or big piece of data comes online, this team is among the first to know about it. Any potentially interesting info is copied for safekeeping and future sale.
If that sounds a little different than a script kiddie whipping together a sloppy email at an Internet café, you’ll know why today’s phishing attempts are that much more effective. It’s a day job -- won by interview -- with a salary, benefits, and project bonuses. It even comes with a nondisclosure agreement, HR hassles, and departmental politics.
Make no mistake: Phishing emails went pro.
The attack is sent by someone you know
Today’s spearphishing emails often originate from someone you email with on a daily basis, not a Nigerian prince. They often appear to be from a boss, team leader, or some other authority figure up the management chain to ensure the victim opens the email and is more likely to do whatever the email says.
The email could be from an outside, sound-alike email account meant to resemble the authoritative person’s personal email account. After all, who hasn’t received a work-related email from a co-worker who accidentally used his or her personal account? We accept it as a common mistake.
It might arrive from a sound-alike account name from a popular public email server (Hotmail, Gmail, and so on), with the sender claiming to be using this previously unknown account because they are locked out of their work email. Again, who hasn’t been through this before?
But more likely than not, the fake phishing email appears to arrive from the other person’s real work email address, either because the phishing organization is able to spoof the sender address from the outside, or because it has successfully compromised the other person’s email account. The latter is becoming the most popular attack method -- who wouldn’t click on a link sent by their boss?
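The three sender patterns above (a colleague’s “personal” webmail account, a sound-alike domain, and the genuine address) can be triaged mechanically. The following is an added example, not code from the original article; the company domain, staff names and confusable-character table are constructed assumptions, and a message from the genuine domain is deliberately passed through, because detecting spoofing or a compromised mailbox needs SPF/DKIM and mailbox-activity checks rather than header inspection alone.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example: the organisation's real domain, the display
# names of staff an attacker might impersonate, and the public webmail domains the
# article mentions as sources of "I'm locked out of my work email" messages.
CORP_DOMAIN = "example-corp.com"
KNOWN_STAFF = {"pat lee", "sam rivera"}
FREEMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
# Character swaps commonly used to build look-alike domains; "rn" -> "m" must run first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(domain):
    """Collapse a domain to a confusable-free skeleton so near-matches compare equal."""
    d = domain.lower()
    for a, b in CONFUSABLES:
        d = d.replace(a, b)
    return re.sub(r"[.-]", "", d)

def levenshtein(a, b):
    """Edit distance; a small value between skeletons indicates a sound-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(raw_email):
    """Return one label describing how much the From: header can be trusted."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    _, _, domain = addr.rpartition("@")
    domain = domain.lower()
    if not domain:
        return "malformed"
    if domain == CORP_DOMAIN:
        # Genuine address: spoofing or a compromised mailbox needs SPF/DKIM and mailbox checks.
        return "internal"
    if domain in FREEMAIL and display.strip().lower() in KNOWN_STAFF:
        return "freemail-impersonation"
    if levenshtein(normalize(domain), normalize(CORP_DOMAIN)) <= 2:
        return "lookalike-domain"
    return "external"
```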
That attack includes a project you are working on
Many spearphishing victims fall prey to the fact that the malicious sender seems to know what projects they are working on. This is because spearphishers have spent time researching them or have been in control of a colleague’s email account for a while. The email may include a subject line like “Here is that report on XYZ you’ve been waiting on,” or “Here are my edits to the report you sent,” with an attached copy of a report originally sent by the receiver, but now carrying a malicious link that launches automatically. It might also allude to a project’s viability, asking, “Do you think this will impact our project?” or exclaiming “Someone beat us to it!” with a link to a malicious news article that appears related to the project.
I’ve seen emails purporting to be from lawyers seeking increases in child support to individuals going through a divorce. I’ve seen phishing emails from leaders of professional organizations sent out to their membership lists. I’ve seen emails to C-level officers claiming to have pending lawsuit information, which ask the receiver to run the executable to “unlock” the attached confidential PDF file. I’ve seen bogus updates sent to IT security pros purporting to contain a security update from a vendor, about a product they recently bought and installed.
The email subjects and body contents aren’t “Look at this!” generic ruses. Nope, today’s spearphishing email comes from someone you trust on a project you are working on. After you read a few of these you start wishing all we had to worry about was fake dying relatives and Viagra ads.
Your attacker has been monitoring your company’s email
These days corporate attackers are monitoring dozens of email accounts in your company. It’s where they get the necessary context to fool your co-workers and where they can monitor the most sensitive and valuable information in your company.
If you find out your company is compromised, assume that all C-level employees and VIP email accounts are compromised and have been for a long time. Even the initial reporting of the bad guy’s possible detection is probably in front of their eyes. They know what you know.
When faced with this sort of adversary the only solution is a completely “out of band” network, including brand-new computers and new email accounts. Anything else will probably be a waste of time.
Your attacker can intercept and change emails as needed
Today’s adversary isn’t merely a passive reader. They intercept and change emails, albeit slightly, when the need arises. Yes decisions may become no; no may become yes. Sometimes key recipients will be removed from the email’s receiver list. More receivers may be added. Email groups may be modified. Encryption and signing may be turned off.
In one of the most notorious examples I've ever read, a company knew it was badly compromised with an APT. In an attempt to reclaim the network, the help desk sent out an email asking every recipient to change their password. Certainly, that would make it harder for the malicious intruders to hang out -- except that the intruders had control of the help desk’s email account. Right before the email was sent, the intruders changed the embedded link so that it took users to a perfect copy of the company’s password-change website hosted under the intruder’s control. Users followed the help desk directions, but in doing so allowed intruders to capture every password change.
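The help-desk incident above turned on one swapped link. An added example, not code from the original article, of the check a mail gateway or a cautious reader could apply to such a notice: every link must go to an allowlisted host, the host shown in the link text must be the host the link really targets, and a credential page must be reached over HTTPS. The allowlisted hosts and the sample notice are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed for this example: the only hosts a help-desk password notice may link to.
ALLOWED_HOSTS = {"passwords.example-corp.com", "intranet.example-corp.com"}

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def audit_links(html):
    """Return (issue, href) pairs for every link a reader should not follow."""
    findings = []
    for href, text in LINK_RE.findall(html):
        parts = urlsplit(href)
        target = (parts.hostname or "").lower()
        # If the visible text names a host, the real target must be that host (or under it).
        shown = HOST_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown:
            s = shown.group(1).lower()
            if target != s and not target.endswith("." + s):
                findings.append(("text-href-mismatch", href))
        if target not in ALLOWED_HOSTS:
            findings.append(("not-allowlisted", href))
        if parts.scheme.lower() != "https":
            findings.append(("insecure-scheme", href))
    return findings

# Constructed notice: one genuine link, one visually identical link whose target is a
# look-alike host, and one allowed host reached over plain HTTP.
SAMPLE_NOTICE = """
<p>Per the incident notice, please change your password today:</p>
<a href="https://passwords.example-corp.com/change">https://passwords.example-corp.com/change</a>
<p>Mirror if the first is slow:</p>
<a href="https://passwords.example-corp.co/change">https://passwords.example-corp.com/change</a>
<p><a href="http://intranet.example-corp.com/help">Help desk FAQ</a></p>
"""

if __name__ == "__main__":
    for issue, href in audit_links(SAMPLE_NOTICE):
        print(issue, href)
```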
Your attacker uses custom or built-in tools to subvert antivirus software
For decades, phishing emails used everyday malware tools as attachments. Today, they use custom tools, forged and encrypted expressly for you, or programs built into the operating system you are running. The result is the same: your antimalware scanner doesn’t pick up the malicious file or commands. And once the criminal organization is on your network, it is careful to run only those same tools.
Malicious scripts written in the victim’s built-in scripting languages (PowerShell, PHP, and so on) are fast becoming a tool of choice. PowerShell is even showing up in malware toolkits, which end up producing PowerShell-only malware programs, as several documented cases have shown.
Fueling this trend is the fact that it’s much harder for antimalware software, or even forensic investigators, to determine whether a legitimate tool is being used for nefarious purposes. Take Remote Desktop Protocol (RDP) connections, for example. Nearly every admin uses them. When the bad guy does too, it can be difficult to determine when the RDP connection is doing something malicious. Not only that, but it could be difficult to impossible to remove the legitimate tool to thwart the attacker without also removing the tool the good guy needs to clean up the system.
Your attacker uses military-grade encryption to tunnel your data home
The days of malware using randomly picked ports to copy data off of your network are long gone. So too are the days of using popularly reserved ports (such as IRC port 6667) to send commands and control malicious creations remotely.
Now every malware program works over SSL/TLS port 443 and uses industry-accepted, military-approved AES encryption. Most companies have a hard time seeing into port 443 traffic, and most don’t even try. Companies are increasingly using firewalls and other network security devices to see into 443 traffic by replacing the intruder’s 443 digital certificate with their own. But when the data in the 443 stream is further encrypted by AES, it does forensic investigators no good. It’s impenetrable gobbledygook.
Malware writers’ use of standard encryption is so effective that even the FBI is telling ransomware victims to simply pay up. In fact, if you find a malware program running on any port other than 443 and not using AES encryption to cover its tracks, it was probably written by a script kiddie. Alternatively, it has been in your environment for a long time, and you only now discovered it.
Your attacker covers their tracks
Until the past few years, most companies never bothered to enable their log files, or if they did, they didn’t collect them and alert on suspicious events. But times have changed and now IT defenders would be considered negligent if they didn’t enable and check logs on a routine basis.
The bad guys have responded by using techniques, such as command-line and scripting commands, that are less likely to be picked up by event logging tools, or they simply delete the logs when they are finished. Some of the more sophisticated attackers use rootkit programs, which maliciously modify the operating system so that it never records their malicious tools being executed.
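Log deletion leaves two signals a defender who collects logs centrally can alert on: the event the operating system writes when a log is cleared, and a host that goes quiet while it is known to be running. An added example, not code from the original article, that scans forwarded records for both; it uses the real Windows event IDs 1102 (Security audit log cleared) and 104 (other log cleared), while the sample records, the two-hour silence baseline and the record layout are constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Windows writes these when a log is cleared: 1102 for the Security log, 104 for others.
LOG_CLEARED_IDS = {1102, 104}
# Assumed baseline: every monitored host forwards at least one event every two hours.
MAX_SILENCE = timedelta(hours=2)

# Constructed sample records in the shape a collector might forward, one JSON object per line.
SAMPLE_RECORDS = """
{"host":"ws-12","time":"2016-03-01T08:00:00","event_id":4624}
{"host":"ws-12","time":"2016-03-01T09:00:00","event_id":4688}
{"host":"ws-12","time":"2016-03-01T09:05:00","event_id":1102}
{"host":"ws-12","time":"2016-03-01T09:06:00","event_id":4624}
{"host":"srv-01","time":"2016-03-01T08:00:00","event_id":4624}
{"host":"srv-01","time":"2016-03-01T14:30:00","event_id":4624}
""".strip()

def find_log_tampering(records):
    """Return (alert, host, time) tuples for cleared logs and unexplained silences."""
    last_seen = {}
    alerts = []
    for line in records.splitlines():
        rec = json.loads(line)
        host, when = rec["host"], datetime.fromisoformat(rec["time"])
        if rec["event_id"] in LOG_CLEARED_IDS:
            alerts.append(("log-cleared", host, rec["time"]))
        # A host that was forwarding events and then stopped for longer than the baseline
        # may have had its logging disabled or its log files deleted rather than cleared.
        prev = last_seen.get(host)
        if prev is not None and when - prev > MAX_SILENCE:
            alerts.append(("silence-gap", host, rec["time"]))
        last_seen[host] = when
    return alerts

if __name__ == "__main__":
    for alert in find_log_tampering(SAMPLE_RECORDS):
        print(*alert)
```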
Your attacker has been in your environment for years
The average time a professional criminal organization has been in the victim’s company before being noticed is usually measured in months to years. I frequently work with companies that have multiple professional gangs in their company, and some have been inside for as long as eight years.