'Hybrid' spear-phishing may lead next wave of major hacks; don't pick up the phone

Fraudsters phoning for more information to really hook their phish anti-fraud expert warns

It may be the IT industry's equivalent of "Employees Must Wash Hands Before Returning to Work," but "Don't Open Attachments You're not Expecting," is a less on with far more dire consequences for failure than the possibility of making a few customers sick.

Of the long list of stratospherically successful hacks on governments and major corporations this year, nearly all began with a series of emails designed to sound like genuine requests from genuine employees but carrying attachments with malware that would give fraudsters free remote access to the secure network.

That's why corporate security is going crazy trying to retrain employees in precautions so basic they shouldn't need to be repeated.

Don't. Open. The. Attachment.

Just leaning on employees doesn't work, however, unless you also add additional processes that require the one making the request to prove his or her identity, according to Amit Klein, CTO of fraud-detection specialist service company Trusteer.

It's far simpler to do that in banking – where moving money from here to there requires a series of well-defined, enforceable processes that can be changed to respond to new threats.

In less structured industries, it's almost impossible to ferret out the fraud attempts or keep employees from ever opening the wrong attachment.

It doesn't work for the same reason their spam and phishing filters don't always work: If the emails are spoofed correctly, with all the right addresses, names of managers or other employees the victim should know, and a legitimate-sounding problem, there's no reason for the employee to assume that email is any different from 100 others containing the same kind of request.

If it doesn't sound fishy to the employee, content-analyzing filters aren't going to catch them, either. It's only after the attachments are open and the malware is loose that behavioral virus-pattern identifiers might catch the infection.

By then it's often too late.

Once you get the end user to do something reckless, you're home free.

For the spear phishers, however, it's hard to get to that point, and getting harder.

High-value target industries like banks and financial services companies especially, have been able to cut down the rate of infection using a combination of training and technology.

The biggest problem, at least for fraudsters targeting banks and financial institutions, is that malware such as Zeus and the recently discovered Ramnit, are designed to map the flow of transactions through an organization to help hackers slip in their own fraudulent transactions without alerting anyone.

Extra layers of security and purposeful cloaking of certain processes to foil malware designed to collect it often leaves hackers short of the information they need, Klein wrote in a blog posted today.

One-time passwords collected from malware won't be valid when the hackers try to log in, for example. Many banks also require secondary authentication for customers logging in from an unfamiliar IP, or actual signatures before they'll transfer money, Klein wrote

The solution for attackers is to add another medium to the process – the telephone.

The phenomenon of stealing data using one channel such as the web and using it in a different channel or context such as social engineering attacks is often overlooked. Trusteer has found that data collected by Man in the Browser attacks can be used for other purposes than automated transaction fraud. Defending against the new wave of hybrid attacks requires both technology to detect MitB malware and vigilance from the users of online services. – Amit Klein, CTO, anti-fraud firm Trusteer.

New weapon in online fraud: the telephone

It's becoming more common for spear phishers to not only slide manipulative emails into the system, but to use the same personal information to pass themselves off as a customer, bank partner or employee and simply ask for the information their virus may have missed

Spear phishing is just another form of social engineering, Klein said. Fake phone calls are the original medium for social-engineering attacks, so it's not surprising to see some innovative gangs using both together.

IT security people don't expect to see the combination, however. They also may not have any direct channels of communication with the physical security staff or the managers who would hear about a rash of oddly querulous phone calls that might raise a red flag about vaguely curious emails, even if neither the phone calls or emails alone were enough to raise suspicion.

If hybrid spear-phishing is becoming common enough for Trusteer to issue general-purpose warnings, it won't be long before they're used in other industries as well.

What the next refinement may be in the continual evolution of attempts to steal secret data from research companies or money from banks, no one can tell.

Maybe it will become so much trouble to steal money digitally, fraudsters will have to invest in shotguns and ski masks to go pick it up themselves.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon