Advanced Phishing Tactics Beyond User Awareness

Posted by david b. on February 11, 2013

Accuvant LABS’ Senior Security Consultant Martin Bos and the Company’s Principal Security Assessor Eric Milam spotlight the issues related to spear phishing from the pentester’s perspective during their session at Hack3rCon event.
Martin Bos: Hi everybody! We’re here from Accuvant LABS; we’re talking about some advanced phishing tactics. The main basis of our talk is, basically, why user awareness is not working.

Things to cover on the subject

So, this is the obligatory table of contents (see left-hand image). Basically, we’re talking about what spear phishing is. Just a disclaimer: we actually wrote this talk for some more corporate type conferences, and we’re just recycling it. We like it, we hope you all do, too; but some of the stuff is a little bit elementary in the beginning, because there were some more corporate type people we were talking to, so bear that in mind. We’re going to talk about how people are spear phishing us, what we can do about it, and why the current methods are not working. Who here has been phished? Who here is related to the Prince of Nigeria? Awesome, so we all know what a phishing email is.

Getting to know the authors of the study

So, my name is Martin, I’m Senior Security Consultant, also work on the Backtrack Linux project, and I’m a co-founder of a little conference like this one called Derbycon in Louisville, Kentucky. Eric Milam: And I’m Eric Milam, I’m Principal Security Assessor at Accuvant, also participate in the Ettercap project as well as a number of other initiatives.

Defining spear phishing

Martin Bos: Alright, just in case anybody doesn’t know – what is spear phishing? What’s the difference between phishing and spear phishing? Phishing is when you get an email like, you know, that you’re related to the Prince of Nigeria; everybody’s got one of those. Spear phishing is, basically, when we as attackers – and when I say “We as attackers,” I mean pentesters, not attackers for real – are trying to target a specific organization, group of people, business unit, and sometimes an individual, although I’ve got really big qualms about how good spear phishing one person works. However, it’s happened. So, when we’re talking about spear phishing, we’re talking about targeting an organization.

Spear phishing is one of the most popular externally facing attacks on the Internet today.

They all fell victim to spear phishing

Here are some victims of spear phishing attacks (see image). I don’t know if anybody reads the news, but, apparently, the White House was the victim of a phishing attack, and this is to let you know that this type of attack is alive and well. Obviously, we don’t really know what happened, but somebody in the White House clicked an email that they weren’t supposed to. And that just goes to show you that, I bet you, the people at the White House have been through extensive security training. I’m sure they’ve sat through all kinds of “Don’t click this” seminars by Boris, and it’s clearly not working, right? Some other big victims of these attacks are RSA, Epsilon, another big one was these Nitro spear phishing attacks that targeted 50 chemical and defense companies; Mitsubishi Heavy Industries, who is a defense contractor, and there’re hundreds more pretty much all over the place. I would almost venture to say that this is one of the most popular externally facing attacks on the Internet today.

Justifying the attacks

Alright, this is basically my validation for why we pentest (see left-hand image). I actually got into several arguments at the last conference that we were at about people that said that pentesting was pointless and that there was no reason to do it. If anybody knows me, I like to argue, but if I get up and leave, I’m really mad. Well, I got up and left this dude’s conversation. We do these spear phishing attacks against ourselves so that we can test our clients’ security systems. We’re not just testing their users, we don’t just want to make the users look stupid. What we’re doing is we’re testing all of their controls that are in place to prevent this type of thing: you know, egress filtering, network segmentation, incident response – I mean, there’s a whole chain of things that need to be tested by a successful spear phishing attack.
Embarrassing users is not the goal, and showing users that they’ll click on anything is not the goal. Obviously, there is a little subsection for user awareness, I’m not against it, but I’m just saying that I don’t think we need to put all our eggs in the user awareness basket.
Eric Milam: And if you guys think about someone clicking a link – until the shell gets out there’re several layers of defense, and that’s what we’ll talk about as well.
Read next: Advanced Phishing Tactics Beyond User Awareness 2: Anatomy of a Spear Phishing Attack