Phishing Dark Waters, Michele Fincher (book excerpt)
Chapter 1
An Introduction to the Wild World of Phishing
Examples
I'm not sure about you, but both Chris and I learn best by example. This section covers some high-profile compromises that started with phish and some of the most prevalently used phish on the market today. We also discuss why they work so well.
First of all, this section would be incomplete if we didn't mention the Anti-Phishing Working Group (APWG, www.apwg.org). We could fill pages about how amazing these folks are, but the thing to know is that the APWG is a global coalition of security enthusiasts who study, define, and report on how phishing is working around the world.
According to the APWG's report dated August 2014, phishing numbers continue to be staggering. In the second quarter of calendar year 2014, there were 128,378 unique phishing sites reported and 171,801 unique e-mail reports received by APWG from consumers.[9] This was the second-highest number of phishing sites detected in one quarter since the APWG started tracking these statistics. Payment services and the financial industry were the most targeted sectors, accounting for 60 percent of the total, but within that, there was also a new trend in which online payment and crypto-currency users were targeted at an increased rate.
Now that you've seen the bird's-eye view of the numbers, it's time to examine some specifics.
High-Profile Breaches
The Target Corporation breach is probably one of the highest-profile breaches to date. It has affected close to 110 million consumers: an estimated 40 million credit cards and 70 million people with stolen PII. With those numbers, you might have been one of them.[10] The interesting thing about this story, however, is that it appears as though the attack wasn't specifically aimed at Target.[11] This is a prime example of attack escalation. Target became a victim of opportunity after the real breach. The initial victim in this case was an HVAC vendor for Target that had network credentials. A person at the HVAC company received a phishing e-mail and clicked a link that loaded malware, which in turn stole login credentials from the contractor. The contractor network had connections to the Target network for things such as billing and contract submission. Not all of the attack details are known, but after attackers had access to snoop around, they eventually found entry into Target's corporate servers and compromised the payment system.
Although the final hit to consumers is still to be determined, the Target breach has already cost more than $200M for financial institutions to reissue compromised credit cards – and that's before taking into account any charges for fraud, which consumers aren't liable for. All in all, this was a dramatic and expensive lesson in the dangers of phishing.
Another notable breach that you may not even remember involved RSA. At this point, any mention of RSA probably relates to the encryption controversy it experienced in connection to the National Security Agency starting in late 2013. That story was so big that it practically overshadows the corporate breach the company experienced in 2011.[12] Unlike the opportunistic Target attack, this one appears to have been a very deliberate action taken against RSA employees. It was apparently the result of a malicious Excel spreadsheet attachment to an e-mail sent to low-level RSA users (see Figure 1.4).
Figure 1.4 RSA phish
RSA's spam filters reportedly caught the e-mails, sending them to users' Junk folders. The interesting point here is that humans overrode technical controls that worked the way they should have. At least one recipient opened the e-mail and clicked the attachment. This gave attackers entry into the internal network and enabled them to eventually steal information related to some of RSA's products. It was reported that in the quarter that followed the breach, parent company EMC spent $66M on cleanup costs, such as transaction monitoring and encryption token replacements.
One more product-based company breach worth noting involved Coca-Cola in 2009.[13] This case originated as a very targeted spear phish directed at Coca-Cola executives with the subject line “Save power is save money! (from CEO).” The e-mail subject line is pretty bad, to be sure, but consider a couple of things: First, the e-mail appeared to come from an exec in the legal department at Coca-Cola. Second, at the time of the attack the company was promoting an energy-saving campaign. (The attackers really had done their homework.) The exec opened the e-mail and clicked the link, which was supposed to lead to more information about the energy program. Instead, he ended up loading a bunch of malware, including a key logger that tracked everything he typed in the weeks to come. This breach allowed the Chinese attackers to gain access to the internal corporate network and mine data for weeks before being discovered.
This breach occurred in February 2009, and Coca-Cola wasn't aware of it until the FBI informed the company in March. By then a great deal of sensitive data had been stolen. This was days before Coca-Cola's $2.4B attempt to purchase a Chinese soft drink manufacturer, which ultimately failed. It would have been the largest acquisition of a Chinese company by a foreign entity to date. There are conflicting reports as to why the acquisition failed, but at least one security organization claims it was due to critical information regarding strategy and pricing being leaked to the opposite side, which deprived Coca-Cola of the ability to negotiate the deal.
As mentioned earlier, the hack of the AP was impressive based solely on the sheer impact that one tweet had on the stock market.[14] The way the attackers got in, however, was a simple spear phish that was sent to select AP staffers from what appeared to be a colleague (see Figure 1.5).
Figure 1.5 Associated Press spear phish
Although this e-mail is pretty vague, consider that it came from a “known” source and appeared to point to a legitimate page on The Washington Post site. Victims who clicked the link in the message were sent to a spoofed website that collected their login credentials. There's speculation that the spoofed site allowed victims to authenticate with their Twitter credentials, which led to the feed compromise.
Corporations are clearly as vulnerable to phishing as regular people are despite all of their technical controls and security policies. So what about phish that hit a little closer to home? The following section describes common examples that you may have seen.
Phish in Their Natural Habitat
We would be doing the topic of phishing a disservice if we didn't start with the Nigerian 419 scam. Also known as the advance-fee fraud, this con is apparently more than 200 years old in practice (as you can imagine, it took a lot longer to get scammed over snail mail, but it still happened). It gets its most modern name because of Nigeria's notoriety as supposedly being a large source of these scams. The number 419 refers to the Nigerian criminal code that addresses fraud.
You have probably seen a number of variations of this scam. For example, a rich prince has been deposed and needs your help in transferring his vast wealth, or a dying man is trying to make up for being generally unpleasant and needs your help in disbursing funds to charity organizations. Whatever the cover story, a few components are consistent:
• The amount of money in question is vast.
• They are trusting you, a complete stranger, to transfer, disburse, or hold the money.
• You get a cut for your trouble, but you need to do one of the following:
  • Provide your bank account information so they can transfer the money
  • Assist them by paying transfer fees, mostly due to some sort of precarious political or personal situation
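The four components above are stable enough to triage on. The following rule-based scorer is an added example, not code from the book or its authors; its patterns and the three sample messages are constructed for illustration, and the `score_419` function, hallmark names and thresholds are assumptions of this example rather than anything the book describes.

```python
"""Rule-based triage for advance-fee (419) e-mail, keyed to the four hallmarks
listed above. Patterns and sample messages are constructed for this example."""
import re

HALLMARKS = {
    # A vast sum, written as a currency amount or in words.
    "vast_sum": re.compile(r"(usd|\$|€|£)\s*\d[\d,.]{6,}|\d[\d,.]*\s*(million|billion)", re.I),
    # A stranger is "trusting" you, typically as heir, beneficiary or confidant.
    "stranger_trust": re.compile(r"\b(confidential|trust(ed)? you|sole heir|next of kin|beneficiary)\b", re.I),
    # You are promised a percentage for your trouble.
    "your_cut": re.compile(r"\d{1,2}\s*(%|percent)[^.]*\b(for you|your share|compensation)", re.I),
    # The ask, variant 1: your bank account information.
    "bank_details": re.compile(r"\b(bank account|account (number|details)|swift|iban)\b", re.I),
    # The ask, variant 2: pay fees up front.
    "advance_fee": re.compile(r"\b(transfer|processing|legal|clearance) fees?\b", re.I),
}

def score_419(text: str) -> dict:
    """Flag a message when the lure (vast sum plus trust or a cut) co-occurs with
    the ask (bank details or an advance fee). Either half alone is common in
    legitimate mail; the combination is the con's skeleton, whatever the cover story."""
    hits = {name: bool(rx.search(text)) for name, rx in HALLMARKS.items()}
    lure = hits["vast_sum"] and (hits["stranger_trust"] or hits["your_cut"])
    ask = hits["bank_details"] or hits["advance_fee"]
    return {"hits": hits, "suspect": lure and ask}

# Constructed sample messages (not real phish).
PRINCE = ("Dear friend, I am the sole heir of my late father, who left USD 18,500,000 "
          "in a bank here. You will receive 30% for your assistance. Kindly send your "
          "bank account details so the funds can be transferred.")
DYING_MAN = ("I am gravely ill and wish to donate my 12.5 million dollars to charity. "
             "I trust you to disburse it. You only need to pay the transfer fee first.")
INVOICE = ("Hi team, the Q2 invoice for $4,200 is attached. Please route it to accounts "
           "payable; the bank account on file is unchanged.")

if __name__ == "__main__":
    for label, msg in [("prince", PRINCE), ("dying man", DYING_MAN), ("invoice", INVOICE)]:
        print(label, score_419(msg))
```

The invoice mentions a bank account yet is not flagged, because the ask without the lure is ordinary business mail; a real deployment would feed the per-hallmark hits into a mail filter's scoring rather than treat the verdict as final.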
[9] Anti-Phishing Working Group, “Phishing Activity Trends Report, 2nd Quarter 2014,” August 29, 2014, http://docs.apwg.org/reports/apwg_trends_report_q2_2014.pdf.
[10] Michael Riley, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” March 13, 2014, http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data#p1.
[11] Brian Krebs, “Email Attack on Vendor Set Up Breach at Target,” February 12, 2014, http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/.
[12] Aviva Litan, “RSA SecurID Attack Details Unveiled – Lessons Learned,” April 1, 2011, http://blogs.gartner.com/avivah-litan/2011/04/01/rsa-securid-attack-details-unveiled-they-should-have-known-better/.
[13] Nicole Perlroth, “Study May Offer Insight into Coca-Cola Breach,” November 30, 2012, http://bits.blogs.nytimes.com/2012/11/30/study-may-offer-insight-into-coca-cola-breach/.
[14] Sarah Perez, “AP Twitter Hack Preceded by a Phishing Attempt, News Org Says,” April 23, 2013, http://techcrunch.com/2013/04/23/ap-twitter-hack-preceded-by-a-phishing-attempt-news-org-says/.