
Spear phishing: more effective when it uses social engineering

09 November 2011

Spear phishing may be something of a buzzword in the latest IT security forums, but Solera Networks' director of threat research says that the targeted attack technique can be highly effective if it harnesses the power of social networking.

In his latest security posting, Andrew Brandt wrote that a trojan was sent to some of his colleagues, trying to exfiltrate data from a locked-down testbed.

“In the course of investigating the attack, I’ve assessed the social engineering aspect of the attack, and described the fundamental behavior of the initial infection and its subsequent payloads – I have to admit, I limited my description only to some of that behavior”, he said.

While analyzing the initial malware – which came as an invoice attachment – Brandt says that the installer downloaded a file from deleted-host.zapto.org, a domain which resolves to an IP address of 108.59.252.112, which pointed to a suspicious-looking domain, athleta-support.info.

That is, he said, an interesting choice of domain name, and it reveals something about the spear phisher(s)’ social engineering tradecraft: Athleta, a women’s fitness clothing brand owned by retailer The Gap, has its own online store.

“If you’re not a female, outdoor-fitness enthusiast, and haven’t heard of this brand (I didn’t until I did this research), a cursory Google search would validate the existence of a company by this name if you were to, for instance, receive an order confirmation email linking back to something called Athleta”, he said, adding that recipients will think the link is from a real company and click on it.

The athleta-support.info domain, he noted, was registered on September 30th, 11 days prior to the second Yesasia campaign’s arrival in Solera's inboxes. By the time he discovered it, he said, the domain was already inactive; it has since been blackholed and no longer points to 108.59.252.112.

“All the domains hosted on that 108.59.252.112 IP address share a single reverse-lookup: technetium. The domain is privately owned, according to the domain WHOIS data, by one Markus Vogt of Landau, Germany. That is, if you believe the WHOIS data. It’s all too common for malicious domains to be registered using bogus data, or real information strip-mined at random from the internet”, he said.

Markus Vogt, he added, can be traced to Blackfiber.net, which provides DNS services for itself, HTCNET, vogt.la, and yesasia-invoices.com.

Back on the malware decoding front, Brandt reported that, after a few minutes of inactivity, the malware carries out DNS lookups of further zapto.org subdomains, later pulling down a payload named windefender.exe.jpg.

“This was, like the original invoice.exe and the newegg.exe payload, an executable that had originally been composed in Visual Basic. Also like the first two payloads, this application used what we’ve come to describe as Proper Name Salad values in the properties sheet. The program describes itself as Kepler Clemson ChippendaleParks ScotsmanMac Lexington. It also uses the internal name of hcri.exe”, he says.

The appearance of this program, he adds, coincided with nine new files appearing in the %temp% directory, all with .bss file extensions, which appear to be plugins designed to extract data from the caches of various applications.

And here's where it gets interesting, Infosecurity notes: the malware pulled down a plain-text list of 71 web sites targeted for credential theft, which included banks, cellular phone companies and a wide variety of other useful sites such as social networks and hacking forums.
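Several of the observations above double as detection indicators a defender can apply to web proxy or DNS logs: downloads from a dynamic-DNS parent such as zapto.org, connections to the 108.59.252.112 address the campaign used at the time, payload names with a hidden executable extension (windefender.exe.jpg), and links to a domain registered only days before the message arrived. The following script is an added example, not code from Solera Networks or from Brandt's write-up; the log lines, the subdomain label, the legitimate-store domain and the WHOIS creation dates (other than the September 30th date the article gives for athleta-support.info) are constructed for illustration, and the enrichment table stands in for a real WHOIS lookup.

```python
"""Triage constructed proxy log lines against the indicators described in the article.

Added example. Indicators that come from the article: the IP 108.59.252.112, the
zapto.org dynamic-DNS parent, the windefender.exe.jpg double extension and the
September 30th registration date of athleta-support.info. Everything else is constructed.
"""
import re
from datetime import date

# Indicators taken from the article
KNOWN_BAD_IPS = {"108.59.252.112"}
SUSPICIOUS_PARENT_DOMAINS = {"zapto.org"}          # dynamic-DNS parent used by the installer
EXECUTABLE_EXTS = {"exe", "dll", "scr", "com", "pif"}

# Constructed stand-in for a WHOIS enrichment source (domain -> creation date).
# Only the athleta-support.info date is from the article; the other entry is made up.
WHOIS_CREATED = {
    "athleta-support.info": date(2011, 9, 30),
    "athleta-store.example": date(1999, 1, 1),     # constructed: an old, legitimate domain
}

# Constructed sample log: "<timestamp> <client> <domain> <resolved_ip> <path>".
# "example-host.zapto.org" is a constructed label, not an indicator from the article.
SAMPLE_LOG = """\
2011-10-11T09:12:03 10.0.0.15 deleted-host.zapto.org 108.59.252.112 /invoice.exe
2011-10-11T09:14:41 10.0.0.15 example-host.zapto.org 108.59.252.112 /windefender.exe.jpg
2011-10-11T09:15:02 10.0.0.15 athleta-support.info 108.59.252.112 /order/confirm
2011-10-11T10:01:17 10.0.0.22 athleta-store.example 203.0.113.10 /collections/new
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<domain>\S+) (?P<ip>\S+) (?P<path>\S+)$")


def has_double_extension(path: str) -> bool:
    """True when an executable extension is hidden before the final one, e.g. windefender.exe.jpg."""
    name = path.rsplit("/", 1)[-1]
    parts = name.lower().split(".")
    return len(parts) >= 3 and any(p in EXECUTABLE_EXTS for p in parts[1:-1])


def parent_domain(domain: str) -> str:
    """Registrable parent of a hostname (good enough for two-label TLDs like zapto.org)."""
    return ".".join(domain.lower().split(".")[-2:])


def domain_age_days(domain: str, observed: date):
    """Days between the domain's WHOIS creation date and the observation; None if unknown."""
    created = WHOIS_CREATED.get(domain.lower())
    return None if created is None else (observed - created).days


def triage_line(line: str, max_age_days: int = 30):
    """Return a dict of the parsed line plus the list of indicator names that fired."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    observed = date.fromisoformat(m["ts"][:10])
    reasons = []
    if m["ip"] in KNOWN_BAD_IPS:
        reasons.append("known-bad-ip")
    if parent_domain(m["domain"]) in SUSPICIOUS_PARENT_DOMAINS:
        reasons.append("dynamic-dns-parent")
    if has_double_extension(m["path"]):
        reasons.append("double-extension")
    age = domain_age_days(m["domain"], observed)
    if age is not None and age < max_age_days:
        reasons.append(f"domain-age-{age}d")
    return {"client": m["client"], "domain": m["domain"], "path": m["path"],
            "age_days": age, "reasons": reasons}


def triage(log_text: str):
    """Every log line on which at least one indicator fired, in log order."""
    results = (triage_line(line) for line in log_text.splitlines())
    return [r for r in results if r and r["reasons"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['domain']}{hit['path']}: {', '.join(hit['reasons'])}")
```

Run as-is, the first three constructed lines are flagged (the third solely because the domain was 11 days old on the day of the observation, which matches the 11-day gap the article reports) and the visit to the old, legitimate store domain is not. The domain-age heuristic is the one that generalises beyond this campaign: a link in an "order confirmation" to a domain registered within the last few weeks is a cheap, high-signal check that does not depend on knowing the attacker's infrastructure in advance.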

“Clearly, the files involved in this infection campaign were dangerous, if allowed to run at will on a victim’s computer, despite the relative lack of sophistication. In the end, the social engineering trick employed by this targeted spam message isn’t much different than fake IRS emails or shipping confirmation messages that have been floating around for years”, he said.


Comments

Scott Gréaux, Product Manager, PhishMe says:

11 November 2011
This is a perfect example of the need for improved security awareness training with a specific focus on phishing. While phishers go through a lot of trouble to make their emails seem legit, if a person knows what to look for they greatly decrease their chance of becoming a victim. Companies that run mock spear phishing exercises will often find 58% of first-time recipients to be vulnerable to such emails. That’s 58% of employees who will let their guard down and open up their internal systems to hackers to steal client account or credit card and login information or to gain access to protected internal company systems. With half of the victims of phishing scams typically responding to the fraudulent email within four hours of receipt, even companies with the most vigilant and aggressive IT departments and monitoring systems are vulnerable to the latest attacks. This is where inline training comes into play – organizations must educate employees and customers, especially susceptible ones, on how to spot spear phishing attacks and avoid being the next victim.
