Websense has collected data from its worldwide ThreatSeeker Network and analyzed it with its own classification system to determine current trends. Phishing on its own uses mass spam campaigns to deliver un-targeted emails that tempt users to visit malicious or compromised websites. Because they are un-targeted they are generally easy to recognize; the recipient simply sees something that is not relevant and therefore suspicious.
Spear-phishing, however, is targeted and relevant to the recipient; and by design less suspicious. This is what makes it dangerous. “Spear-phishing by definition isn’t a widely cast net. Instead, the attackers use well-crafted lures that incite a group or an individual’s urge to click,” says Patrik Runald of Websense. Once the target has been persuaded to click the link, he or she is sent either directly or indirectly to an exploit site. This could involve something like Blackhole, or in a specifically targeted spear-phish it could be the criminals’ own zero-day exploit. Some of the most successful (and known) attacks that started with a spear-phish include the Aurora attack against Google, the Oak Ridge National Laboratory hack, and the RSA SecurID breach.
The Websense study notes two particular devices used in such attacks. Firstly, there is a huge uptick in attacks delivered on a Friday. The belief is that the criminals locate vulnerable URLs, but don’t compromise them. Then they deliver the spear-phish campaign on the Friday, with lures to those URLs. Being Friday, users are more concerned with the weekend than with their emails, so they don’t immediately respond. However, since the URLs haven’t been compromised, the emails are not affected by the company’s security filters. On Friday night or perhaps Saturday, the criminals compromise the URLs. Come Sunday afternoon when people are thinking of the next week – or perhaps Monday morning – the targets click on the links that have already evaded the company’s security defenses.
The second development noted by Runald is a linkage between spear-phishing and the watering hole attack. This attack compromises a site that will be of interest to the target. Spear-phishing could then suggest an article or report on that site to the target, or merely wait until the target visits it. It illustrates, says Runald, “how spam has evolved to phishing, which has evolved to spear-phishing, which in turn has evolved into sophisticated, targeted web compromises (watering holes), something unheard of just a short time ago.”
He suggests three ways to prevent spear-phishing: user education, inbound email sandboxing, and realtime analysis of web traffic. The first is empirically untrustworthy, the second will not prevent users compromising remote devices through private emails, while the last will stop malicious URLs getting onto the network.