Proofpoint polices email for ‘spear phishers’

Cybercriminals are increasingly launching drone-like attacks on companies, sending malicious emails tailored to specific executives or their underlings to go after high-value digital assets in the corporate network.

Proofpoint on Thursday unveiled a cloud service called Targeted Attack Protection (TAP) that defends against some forms of so-called advanced persistent threats. The service is aimed at intercepting hacker-sent emails that contain links to malicious websites that attempt to download malware or steal the victim’s credentials.

TAP is a proxy server that sits in the cloud or on a customer’s network, intercepting all email traffic before it reaches the mail sever. All emails are analyzed and links in those deemed suspicious are rewritten, so if someone clicks on them, the request first goes through Proofpoint’s server.

Once email is marked, the link remains altered, even if the recipient forwards the e-mail to someone else. It also doesn’t matter whether recipients click on links from their home network or a mobile device.

Besides analyzing email, Proofpoint’s server also checks the destination website for malware or web forms that would request a visitor’s user name and password. Hackers often wait to activate such sites, so Proofpoint monitors them and stands ready to intercept malware.

TAP includes a web-based dashboard for configuring alerts and to get more information on threats, such as whether they are targeting a single organization or a specific industry. Other information includes which individuals are being targeted and whether the attack is to download malware or steal credentials.

The shift to APTs is reflected in the steep decline in spam volume, which fell last year to the lowest level since 2007, according to Cisco’s latest state-of-security report. Rather than send out massive amounts of spam to trap a small percentage of recipients, hackers are targeting specific people in organizations with information that fetches the best price in the black market. Those organizations include defense contractors, government agencies and international research groups.

To get the names of executives, hackers search regulatory filings and social media, such as Facebook and LinkedIn, said David Knight, executive vice president of product management and marketing at Proofpoint. Getting passwords to social media, such as in the recent break-in at LinkedIn, are particularly valuable in so-called spear-phishing campaigns.

“Not only do I have names, but I know who is related to whom, because I can log in as you and I can see all your friends,” Knight said. “Once I know who your associates are, I can send a message from an account that appears to be from trusted people in your network.”

Proofpoint’s TAP service is scheduled for release in the third quarter. An annual subscription will start at $18 per user.

While Proofpoint is focusing on APT, CloudPassage has introduced an authentication service for companies with applications running on virtual servers in cloud platforms, such as those run by Amazon and Rackspace.

GhostPorts SMS is an agent that is installed on a virtual server. When someone logs in with his or her user name and password from a browser, the agent sends a onetime password to the person’s mobile phone. The temporary password has to be inputted to gain access to the application.

GhostPorts SMS, also released Thursday, is available as part of the NetSec and Professional editions of CloudPassage’s Halo cloud security platform, which also includes firewall automation, vulnerability scanning, intrusion detection and multi-factor authentication.

A basic version of Halo is available for free. The paid editions start at 3.5 cents per hour during the time a virtual server is active in the cloud.