
Spear Phishing Attacks Increase

Spear phishers continue to pierce even well-defended networks, causing grave financial wounds.

Spear phishers lure a specific individual to click on a viral email attachment or to navigate to a corrupted Web page. Malicious code typically gets embedded on the victim’s computing device, giving control to the attacker.

A recent survey of 300 IT decision-makers in the U.S. and the U.K.—commissioned by threat-protection solutions provider Cloudmark—found that a spear-phishing attack penetrated the security defenses of more than 84% of respondents’ organizations.


Spear phishing continues to turn up time and again as the trigger to massive network breaches, including widely publicized attacks on JPMorgan Chase, eBay, Target, Anthem, Sony Pictures and the U.S. Office of Personnel Management.

“Criminals have achieved high success rates with spear-phishing attempts, and that success is breeding even more attempted attacks,” says Angela Knox, Cloudmark’s senior director of engineering and threat research.


Respondents to Cloudmark’s survey said that, on average, their organizations lost more than $1.6 million from spear-phishing attacks during the 12 months before the survey.

Spear phishers install malware, seek privileged access accounts and scour breached networks for confidential business plans, information about current negotiations and other valuable data. And the attackers are in a position to manipulate, disrupt or destroy systems.


Attacks on banks, credit unions and professional services firms that help conduct financial transactions often focus on persuading employees to wire money to the phishers’ accounts.

“Even if the money can be recovered, it takes time and effort to recover it,” Knox says. “In one high-profile incident, a company lost $46.7 million due to email spoofing.”

Resist oversharing

One reason spear phishing persists is because people reveal a wealth of personal and behavioral data on the Internet. Attackers tap this information to profile victims and create email and social media messages crafted to appear to come from a trusted source—in a context that puts the targeted victim at ease.

The end game: Get the person to open a viral email attachment or click to a malicious Web page.
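The spoofing pattern described above (a message dressed up to appear to come from a trusted sender, as in the $46.7 million email-spoofing incident Knox cites) can be caught in part with a few header checks. The following is an added illustration, not code from the article or from any vendor quoted in it: it flags a From domain that is a confusable-character lookalike of a trusted domain, a display name that shows a trusted address while the real sender is elsewhere, and a Reply-To that redirects replies away from a trusted From domain. The trusted-domain list, the confusable substitutions and the three sample messages are all constructed for the example.

```python
# Added example: header-level spear-phishing spoofing checks.
# TRUSTED_DOMAINS, CONFUSABLES and the SAMPLE_* messages are constructed
# for illustration and are not taken from the article.
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Domains this hypothetical organization treats as trusted senders.
TRUSTED_DOMAINS = {"example-corp.com", "bank-example.com"}

# Character sequences commonly swapped to build lookalike domains.
# Applied to both sides before comparison, so the exact order only has to
# be the same for both; it yields a canonical form, not a readable name.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("l", "i")]


def normalize_domain(domain: str) -> str:
    """Collapse confusable sequences so lookalikes compare equal to the real domain."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is
    empty, genuinely trusted, or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == normalize_domain(trusted):
            return trusted
    return None


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address; '' when there is no '@'."""
    return address.rpartition("@")[2].lower()


def analyze(raw: str) -> Dict[str, object]:
    """Parse a raw RFC 822 message and return the spoofing indicators found."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    findings: List[str] = []

    # 1. The sending domain is a confusable lookalike of a trusted domain.
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"lookalike-from-domain:{from_domain} imitates {target}")

    # 2. The display name shows a trusted (or lookalike) address, but the
    #    envelope-visible sender is a different domain.
    if "@" in display:
        shown = domain_of(display.strip('"<> '))
        if shown != from_domain and (shown in TRUSTED_DOMAINS or lookalike_of(shown)):
            findings.append(f"display-name-address-mismatch:{shown} shown, sent from {from_domain}")

    # 3. From claims a trusted domain, but replies are steered elsewhere.
    if reply_domain and reply_domain != from_domain:
        if from_domain in TRUSTED_DOMAINS or lookalike_of(from_domain):
            findings.append(f"reply-to-mismatch:{reply_domain} differs from {from_domain}")

    # 4. The Reply-To domain itself is a lookalike.
    target = lookalike_of(reply_domain)
    if target:
        findings.append(f"lookalike-reply-to-domain:{reply_domain} imitates {target}")

    return {
        "from_domain": from_domain,
        "reply_domain": reply_domain,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample messages (no real addresses or domains).
SAMPLE_LOOKALIKE = """\
From: "Jane Doe" <jane.doe@exarnple-corp.com>
To: cfo@example-corp.com
Subject: Invoice for approval

Please see the attachment.
"""

SAMPLE_REPLYTO = """\
From: "Jane Doe" <jane.doe@example-corp.com>
Reply-To: jane.doe.ceo@webmail-example.net
To: cfo@example-corp.com
Subject: Quick request

Are you at your desk?
"""

SAMPLE_DISPLAY = """\
From: "jane.doe@example-corp.com" <random123@freemail-example.org>
To: cfo@example-corp.com
Subject: Following up

Did you get my last note?
"""

SAMPLE_CLEAN = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Board deck

Draft attached.
"""

if __name__ == "__main__":
    for name, raw in [("lookalike", SAMPLE_LOOKALIKE), ("reply-to", SAMPLE_REPLYTO),
                      ("display", SAMPLE_DISPLAY), ("clean", SAMPLE_CLEAN)]:
        print(name, analyze(raw)["findings"])
```

These checks are deliberately narrow: they say nothing about a message whose sender domain is neither trusted nor a lookalike, and they do not replace SPF, DKIM and DMARC evaluation, which verify whether the trusted domain was actually used with authorization. They are the kind of cheap, explainable signal a mail gateway or an analyst's triage script can use to route a message for closer review.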

“Everyone is now a target, and users can no longer depend on spelling mistakes or random scams,” says Chester Wisniewski, senior security adviser at antimalware vendor Sophos.

Peter Cassidy, secretary general of the Anti-Phishing Working Group, an international coalition fighting cyber crime, says spear phishers in recent years have gone to greater depths in focus and planning.


“These days, it’s not uncommon to see an attack that targets specific personalities for their access within an enterprise and loads a malware payload to execute an exploit that will open a pathway the attackers are waiting for—and will use to gain access to data they prize,” Cassidy says. “Talk about orchestration! Stravinsky and these guys would have a lot to talk about.”

Employees part of solution

A primary defense is to continually train employees to be vigilant, and a cottage industry of training services and technologies has arisen in recent years to assist companies of all sizes. But even trained employees remain susceptible to sophisticated trickery.

Nearly 80% of organizations surveyed by Cloudmark reported using staff training to prevent attacks. Of organizations that test their employees’ responses to spear-phishing attacks, only 3% said that all employees passed. Respondents estimated that 16% of staff members failed their organizations’ most recent spear-phishing tests.

“Humans are flawed,” Wisniewski says. “You can never stop spear phishing entirely,” because “it is not a technical problem that can be solved.”

It’s human nature for employees who spot something wrong or who believe they may have been tricked to hesitate reporting the incident. Yet quick reporting is a key to remediation. “Accidents happen, but detection and remediation are more successful the less time the criminal has to take advantage of your errors,” Wisniewski says.


This post was written by Gary Stoller.

How to Keep Malware in Check

Firewalls are superb at deflecting obvious network attacks. And intrusion detection systems continue to make remarkable advances. So why are network breaches continuing at an unprecedented scale?

One reason is the bad guys are adept at leveraging a work tool we all use intensively every day: the Web browser. Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari by design execute myriad tiny programs over which network administrators have zero control. Most of this code execution occurs with no action required by the user. That’s what makes browsers so nifty.

A blessing and a curse

But that architecture is also what makes browsers a godsend for intruders. All a criminal hacker has to do is slip malicious code into the mix of legit browser executable code. And, as bad guys are fully aware, there are endless ways to do that.


The result: The majority of malware seeping into company networks today arrives via infectious code lurking on legit, high-traffic websites. The hackers’ game often boils down to luring victims to click to an infected site, or simply just waiting to see who shows up and gets infected.

So if browsers represent a wide open sieve to company networks, could inoculating browsers be something of a security silver bullet? A cadre of security start-ups laser-focused on boosting browser security is testing that notion. The trick, of course, is to do it without undermining usability.


ThirdCertainty recently sat down with one of these security innovators, Branden Spikes, to discuss the progress and promise of improving Web browser security. Spikes left his job as CIO of SpaceX, where he was responsible for securing the browsers of company owner Elon Musk’s team of rocket scientists, to launch an eponymous start-up, Spikes Security. (Answers edited for clarity and length.)

3C: The idea of making Web browsing more secure certainly isn’t new.

Spikes: Let me break it down by drawing a line between detection and isolation. Browser security has been attempted with detection for many, many years, and it’s proven to not work. McAfee, Symantec, Sophos, Kaspersky and all the anti-virus applications that might run on your computer became Web-aware a while back. They all try to use detection mechanisms to prevent you from going to bad places on the Web.

Then you have detection that takes place at secure Web gateways. Websense, Ironport (now part of Cisco), Blue Coat, Zscaler and numerous Web proxies out there have security features based on the concept of preventing you from going to places that look malicious or that are known to be bad. Well, hackers have figured out how to evade detection, so that battle has been lost.

3C: Okay, so you and other start-ups are waging the browser battle on a different front?

Spikes: When you realize that detection doesn’t work, now you have to isolate. You have to say, “You know, I don’t trust browsers anymore. Therefore, I’m not going to let my stuff interact with the Web directly.” In the past five years, newer products have started to offer browser isolation technology. We’ve taken a very no-compromise approach to isolation technology.


3C: So instead of detecting and blocking you’re isolating, and sort of cleansing, browser interactions?

Spikes: Yes, and much like with detection technology, isolation can exist in either the endpoint or on the network. Some examples of endpoint isolation might be Invincea or Bromium, where you’ve got your sandboxes that do isolation on the endpoint. I applaud all the efforts out there. It spreads the whole gamut from minimal amount of isolation to sandbox technologies built into browsers. There’s quite a bit of investment going into this.

3C: Your approach is to intercept browser activity before it can execute on the worker’s computer.

Spikes: If you come at the problem from the assumption that all Web browsers are fundamentally malware, you can understand our technology. We essentially take the malware off the endpoint entirely, and we isolate the execution of Web pages on a purpose-built appliance. What goes to the end user is a very benign stream of images and sound. There’s really no way for malware to get across that channel.

3C: If browser security gets much better, at least in the workplace, how much will that help?

Spikes: If we successfully solve the browser malware problem, we could, I think, allow for more strategically important things to occur in cybersecurity. We could watch the other entry points that are less obvious. This sort of rampant problem with the browser may have taken some very important attention away from other entry points into the network: physical entry points, social engineering and some of the more dynamic and challenging types of attacks.