Evaluate Websense products by watching demos and installing evaluation software.
Learn how Websense solutions help keep our customer safe, secure and productive
Get information on product updates, support resources and more.
Get the most out of support in five simple steps.
Find tools and assets to help sell Websense solutions.
Be notified of Websense news, product information, industry events and more.
we want to hear from you >
Spear-phishing is a huge concern for today’s government and enterprises. While high profile attacks like last week’s spear-phishing attack against the White House and last year’s attack against Oak Ridge National Laboratory underscore the risk to government agencies, today’s businesses are also a primary victim. Hackers are increasingly looking to steal source code, intellectual property and financial information.
In light of these incidents, the Websense Security Labs collected data from the ThreatSeeker Network and analyzed it using our Advanced Classification Engine to identify the top trends in phishing today. These include:
From Spam to Phish
To begin talking about phishing, you must first look at email security trends in general, and this usually begins with a discussion on spam.
The majority of these broad phishing attacks share a link to a fake web landing pages to steal the log in credentials of users. Where are these phishing sites hosted? Our research indicates that a large portion of these sites is hosted in the United States. This doesn’t mean that the majority of phishing criminals are in the U.S. It is more likely a representation of available bandwidth, infrastructure, number of servers and ease of domain registration.
The U.S. continues to dominate the volume of hosted phishing URLs.
Top 10 countries hosting phishing URLs: *Based on September 30, 2011-October 1, 2012 research
In this circumstance, the objective is to send a huge volume of emails with a lure compelling to a larger audience. So what does it take to get users to click?
Security as Social Engineering
Increasingly, attackers are using an individual’s fears of compromise against them. In this way, they have taken advantage of a tactic employed so successful by fake or rogue AV peddlers.
How many times have you been browsing a web page and you get a pop up warning you that your computer is compromised? Most of us now know that these popups are the result of a fake AV scam and many of us have been conditioned not to click on these. However, if you receive a security alert email that looks like it comes from an organization you have a relationship with, such as a bank, or a social network you are a member of, it may increase your likelihood to click. Typically the page components replicate a real site, right down to the security warning to “Stay alert!”
Increasingly, phishers are using security notifications and alerts in their lures. In fact, after an analysis looking at the most recent quarter of this year, Websense Security Labs has determined that four of the top five subject lines of phishing attempts by volume are security messages:
Four out of the top five phishing email subject lines are related to security. These types of attacks represent the largest volume of recent subject lines designed to lure in victims.
Top five phishing email subject lines: *Based on July – September 2012 research
But I work in a business you say… we have an email security system in place that inspects for viruses and does some rudimentary URL scanning…
Dodging the Cops: New Phishing Security Evasion Techniques
A disturbing new twist on targeted attacks has started to emerge this year that directly affects professionally managed networks. If we look at the days of the week when most phishing emails are sent, we notice a huge uptick in volume on Fridays, Sundays and Mondays.
Most phishing emails are sent on Fridays, followed by Monday and Sunday. The bad guys have learned that they can evade email security measures by sending an email with a clean link on Friday or over the weekend – bypassing email URL scanning. Then, over the weekend they compromise the URL with malicious code.
Top phishing days of the week (percentage): *Based on July-August 2012 research
The bad guys know potential victim’s behavioral patterns. They know worker’s minds can stray on Fridays in a more relaxed setting. Relaxation and anticipation of the weekend can lead to more web browsing and an increased likelihood to click on links in emails. Similarly, stricken by a case of the Monday Blues, workers are also more likely to wander. By studying these behavioral elements, phishers know that they can increase their success rate. These guys are masters of lures and understanding their subjects.
But they don’t just study their subjects, they study the security deployed to protect employees. This is also significantly increasing the volume of email sent late on a Friday and on Sunday.
The bad guys have learned that they can evade email security measures by sending an email with a clean link on Friday or over the weekend – bypassing email URL scanning. Then, over the weekend, they compromise the URL with malicious code.
A typical attack of this type would have the bad guy doing the following:
Evasion techniques like these help when hackers are going for the big game – spear-phishing employees with access to a specific network or data or whale phishing, the targeting of executives at companies.
Spear-phishing: The CSO Nightmare
Spear-phishing is one of the most pressing issues IT officers face today, and one they feel the least confident addressing.
Spear-phishing by definition isn’t a widely cast net. Instead, the attackers use well-crafted lures that incite a group or an individual’s urge to click. They are essentially socially engineering their victims onto the spear. Many of the targets of spear-phishing may also have an awareness of security initiatives in place, and may unwittingly rely more heavily on them.
Spear-phishing is one of the primary vectors of compromise and subsequent data loss.
The Watering Hole: A New Way to Hunt
Recently, attackers responsible for past targeted spear-phishing attacks have added a new wrinkle to the old phishing attack. This one involves lying in wait for targets to come to them, rather than supplying an active lure. Websense Security Labs has identified a number of these attacks, two of which took place prior to June 2012, the date previously disseminated by other researchers as the beginning of this type of attack.
While we can't determine that the infection of this website with exploit code is part of a targeted attack, one could deduce that visitors to this type of site are likely to have an interest in national security or are occupied in this field hence making it an attractive place for cybercriminals and nation states to wait for victims of a certain commonality to saunter by and then infect them. This is an effective way for hackers to reach a very targeted group, without sending out socially engineered lures.
While the INSS attack served up Poison Ivy, a common remote access tool used in the RSA attacks, we have also seen other exploits used in similar compromises:
Attacks of this nature may be a way for nation-states to garner additional information from a select audience without having to know the contact information or specific lure likely to compromise a target. This could be considered reconnaissance leading to more specific targeting and a more traditional spear-phish attempt.
These attacks illustrate how spam has evolved to phishing, which has evolved to spear-phishing, which in turn has evolved into sophisticated, targeted web compromises (watering holes), something unheard of just a short time ago.
Three Ways to Stop Spear-phishing
Websense recommends a three-pronged approach designed to stop 95-99 percent of spear-phishing attempts:
Click to download and view a pdf of the full size infographic: 6545.Websense phishing infographic OCT12.pdf
Click here to download the full size PDF infographic in Italian.