Keeping Up with the PhishersBy David F. Carr | Posted 2006-02-06 Email Print
As network attacks become more sophisticated, companies must constantly sharpen their security strategies to compensate.
The message addressed to Hudson Valley Federal Credit Union executives read, "I was recently logging into my account to view my account details when I realized the site I was visiting was a well-done duplicate of your Web site. I am unsure if this Web site is affiliated with your institution, but here is the link for you to check it out."
The e-mail arrived just after 7 p.m. on Jan. 3, a day when Microsoft had posted an updated security bulletin on a worrisome flaw in the viewer for Windows Meta File graphics, for which it had not yet released a patch. A click on the link in that e-mail would take users to a bogus Web site designed to use the wmf's vulnerability to download malicious code onto the user's computer.
It was exactly the sort of attack the credit union's security manager, John Brozycki, had been fearing as a follow-up to a similar attack targeting credit unions that was reported in December. It was a "zero day" attack that exploited a security hole for which no software patch was yet available, as well as a "spear phishing" attempt aimed at specific executives with a semi-credible business-related message, rather than one of the more obvious "please update your PayPal account"-type messages aimed at consumers.
Some of the credit union's executives did click on the link, Brozycki says—even though he had warned them of this sort of danger after the December incident, in which some of the bank's directors had been tricked into visiting the Web site of a fictional credit union. That Dec. 12 attack also tried to exploit an unpatched vulnerability in Microsoft Internet Explorer's script execution.
In both cases, fortunately, the Symantec Norton AntiVirus software on the executives' desktops managed to block the malicious software. Even though no specific antivirus signature for the attack was yet available, the Symantec software was able to spot suspicious patterns in the code, according to Brozycki.
"The second one they clicked on, knowing that it was suspicious but thinking, hey, I'm going to get some info about this—I think they were trying to help," Brozycki says. He adds that if the attackers had not been hurrying to act before Microsoft released a patch for the wmf flaw, they might have tested their code against current antivirus products and found ways to sneak past them.
Those executives were lucky—but chief information and security officers can't always count on luck. They need to make sure they have strong software defenses and that their users are educated on computer security protocols.
The problem isn't going away. Last month, the Federal Bureau of Investigation released a security survey that found more than 90% of 2,000 public and private organizations polled said they had installed firewalls and antivirus software. Still, 87% of those had experienced a security incident in 2005. And 84% said they had been hit in the past 12 months by a virus or worm.
Many of the attacks have as much to do with social engineering as with software engineering. Traditionally, "social engineering" was the non-technological part of hacking: An attacker would make a phone call and con some employee into giving out passwords or other information that could be exploited to gain access. But more automated attacks that spread by
E-mail also seek to manipulate users, often with crude appeals to greed, lust or fear.
Promises of sex remain popular, as with an e-mail worm in January that carried subject lines like "Fwd: Crazy Illegal Sex" or "*Hot Movie*." The following week, a group of security researchers warned that an e-mail promising Kama Sutra photographs was spreading a worm designed to delete every document it could access in popular file formats such as Microsoft Word and Excel.
You might hope that none of your employees would fall for such prurient appeals. But someone who knows better than to open an attachment on a spammy-looking e-mail might be duped by a more targeted attack—for example, with an e-mail that appears to come from a regulatory body in his firm's industry.