• United States



by John P. Mello, Jr.

Spear phishing paves road for advanced persistent threats

May 29, 20133 mins
Access ControlAdvanced Persistent ThreatsData and Information Security

Specialized spam can be more than it seems — it sets up a beachhead for malware mischief

Cyber intrusions that remain undetected for long periods of time and leak information to hackers and online spooks are on the rise, spearheaded by an aptly-named form of spam called spear phishing.

Between 2010 and 2011, Advanced Persistent Threat (APT) attacks more than doubled, said Firmex, a provider of virtual data rooms. It also noted that 91 percent of APT attacks involved spearphishing.

Phishing and spearphishing are two distinct forms of spam. In fact, while conventional spam declines in favor among hackers, phishing and spearphishing continue to remain popular.

Phishing messages masquerade as communication from a trusted source — a bank or credit card company, for example — in order to obtain personal information, such as usernames, passwords or credit card numbers.

Spearphishers want that kind of information, too, and much more. However, their messages pretend to be from very trusted sources — a employee’s manager, the head of company’s IT department, a friend from Facebook or a headhunter someone’s done business with — making the recipient of them very likely to do what the message instructs them to do.

“Spearphishing is by far the most prevalent way that target systems are compromised by APTs,” said Paul Ferguson, vice president for threat intelligence at Internet Identity.

“It’s because it’s not that hard to social engineer their victims into clicking on the wrong link or opening the wrong attachment by masquerading as someone they know or something they’re expecting,” he told CSO.

Spearphishing is typically a key element in the first stage of an APT attack, said JD Sherry, director of public technology and solutions for Trend Micro. “It’s used to gain a foothold in the attack environment,” he said in an interview. “It’s what miscreants use to start the attack sequence.”

If the attackers can establish that beachhead in a network, they can become very difficult to dislodge. “It’s very hard to stop an initial infection,” said Jack Marsal, marketing director for ForeScout Technologies.

“Enterprises have trying to do this for 15 or 20 years,” he said, “but IT security managers know they can’t be 100 percent successful.”

“Over the last three or four years the situation has gotten worse because the new breed of attackers are using spear phishing techniques and zero-day exploits,” he said.

Firmex said the United States leads the world as a source for spear phishing, with 20.8 percent of the attacks originating from American soil, followed by Russia (19.1 percent) and China (16.3 percent).

No industry is spared from the attacks, either. “It’s a case of equal opportunity victimization,” IID’s Ferguson said, “though there does seem to be some industries targeted more than others.”

The top industry for APT attacks is defense and aerospace, garnering about 17 percent of the attacks, according to Firmex, followed by energy, oil and gas (14 percent) and finance (11 percent).

As potent as spearphishing has been in delivering APT payloads, its monopoly of the task may be challenged in the future.

“Over time, we’re still going to see spearphishing being a key factor, but it’s not going to be the sole first weapon used in an attack,” Trend Micro’s Sherry said. “It could be much more focused on social engineering and social media attacks.”

Those attacks could deploy fake LinkedIn profiles or Facebook Pages to gain the trust of targets, he added.

“Spearphishing is usually in the form of email direct campaigns,” Sherry said. “This would circumvent that and go directly to social media, which is becoming more popular to connect with people and find out pertinent information within your subject or industry.”