RSA 2013: Anatomy of a 'Longlining' attack

Proofpoint study describes a "new" industrial phishing technique that's becoming increasingly popular among attackers.

I'm always skeptical when a vendor claims it has discovered a new kind of attack technique. More often than not, it turns out to be a not-so-new attack that has simply been given a new, catchy name by the vendor.

I haven't made up my mind yet on what Proofpoint calls "Longlining," so I'll share the details and leave you to decide.

According to the report, released during RSA Conference 2013, Longlining -- named after the industrial fishing practice of deploying miles-long fishing lines with thousands of individual hooks -- "combines successful spear phishing tactics with mass customization. Using these techniques, attackers are now able to rapidly deploy thousands of unique, malware laden messages that are largely undetectable to traditional signature and reputation-based security systems."

The findings:

• With longlining attacks, attackers can cost-effectively send 10,000 or even 100,000 individual spear phishing messages, all capable of bypassing traditional security.

• On Oct. 3, 2012, Proofpoint observed a Russia-based attack with 135,000 emails sent to more than 80 companies in a three-hour period. To avoid detection, the attacker employed approximately 28,000 different IP addresses as sending agents, 35,000 different ‘sender’ aliases, and more than twenty legitimate websites compromised to host drive-by downloads of zero-day malware.

• Ten percent of the email messages containing embedded malicious URLs that escaped perimeter detection were clicked on by the receiving employees.

• All the longline attacks employed so-called “drive-by downloads” installed on compromised websites. These attacks leverage browser, PDF and Java vulnerabilities to install “rootkits” invisibly with no user action required beyond clicking on the emailed URL and visiting the infected website.

• Almost one out of every five clicks on malicious URLs embedded in email occurred ‘off network’ when employees accessed their email from home, on the road, or via mobile devices where they were outside corporate perimeter protection.
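The pattern in these findings (a burst of messages from many distinct sending IPs and sender aliases that all point at a handful of compromised websites) is something a mail-gateway log can be checked for. The following is an added example, not code from the article or from Proofpoint's report; the log format, the constructed sample lines and the thresholds are assumptions.

```python
"""Heuristic detector for a 'longlining'-style burst in mail gateway logs.

Signal: within one time window, many messages arrive from distinct IPs and
distinct sender aliases, yet their embedded URLs resolve to only a few hosts
(the compromised legitimate sites hosting the drive-by download).
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log lines (assumed format): "timestamp src_ip sender url".
# Six messages in three minutes, six IPs, six aliases, two URL hosts; then a
# lone unrelated message later in the day.
SAMPLE_LOG = """\
2012-10-03T09:00:01 198.51.100.10 alice.pr@example.net http://legit-blog.example/news/
2012-10-03T09:00:04 203.0.113.7 hr-team@example.org http://legit-blog.example/news/
2012-10-03T09:00:09 192.0.2.45 invoice12@example.com http://smallshop.example/promo
2012-10-03T09:00:11 198.51.100.77 bob.k@example.net http://legit-blog.example/news/
2012-10-03T09:00:15 203.0.113.150 sales@example.org http://smallshop.example/promo
2012-10-03T09:00:20 192.0.2.99 newsletter@example.com http://legit-blog.example/news/
2012-10-03T12:30:00 198.51.100.10 alice.pr@example.net http://corp.example/weekly
"""

def parse_log(text):
    """Parse lines into (timestamp, src_ip, sender, url_host) tuples."""
    rows = []
    for line in text.splitlines():
        ts, ip, sender, url = line.split()
        rows.append((datetime.fromisoformat(ts), ip, sender, urlparse(url).hostname))
    return rows

def find_longline_windows(rows, window_minutes=30, min_msgs=5,
                          min_diversity=0.8, max_hosts=3):
    """Bucket messages into fixed windows and flag buckets where IP and sender
    diversity (unique / total) is high but the set of URL hosts is small.
    Thresholds are assumed starting points, not values from the report."""
    buckets = defaultdict(list)
    for ts, ip, sender, host in rows:
        start = ts.replace(minute=(ts.minute // window_minutes) * window_minutes,
                           second=0, microsecond=0)
        buckets[start].append((ip, sender, host))
    alerts = []
    for start, msgs in sorted(buckets.items()):
        n = len(msgs)
        if n < min_msgs:
            continue  # too few messages to call it a campaign burst
        ips = {m[0] for m in msgs}
        senders = {m[1] for m in msgs}
        hosts = {m[2] for m in msgs}
        if (len(ips) / n >= min_diversity and len(senders) / n >= min_diversity
                and len(hosts) <= max_hosts):
            alerts.append({"window_start": start, "messages": n,
                           "unique_ips": len(ips), "unique_senders": len(senders),
                           "url_hosts": sorted(hosts)})
    return alerts
```

On the sample, the 09:00 window is flagged (6 messages, 6 IPs, 6 aliases, 2 hosts) while the single 12:30 message is not; the flagged hosts are the candidates to block at the proxy and to check for compromise.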

I find the fishing analogy interesting, but in terms of the technique and reach, I feel like we've been here before. But that's merely my initial gut reaction.

With that, I open the floor for discussion.
