Friday, June 03, 2011

Spear Phishing Uses Friendly Faces to Spread E-Mail Fraud

But what if the e-mail appears to come from a colleague down the hall? And all he asks is that you add some personal information to a company database?

This is spear phishing, a rapidly proliferating form of fraud that comes with a familiar face: messages that seem to be from co-workers, friends or family members, customized to trick you into letting your guard down online. And it has turned into a major problem, according to technology companies and computer security experts.

On Wednesday, Google disclosed that it had discovered and disrupted an effort to use such pinpoint tactics to steal hundreds of Gmail passwords and monitor the accounts of prominent people, including senior government officials. Secretary of State Hillary Rodham Clinton said Thursday that the F.B.I. would investigate Google’s assertion that the campaign originated in China.

Such tactics were also used in an attack on a company called RSA Security, which security experts say may have given hackers the tools to carry out a serious intrusion last month at Lockheed Martin, the world’s largest military contractor.

The security specialists say these efforts are a far cry from more standard phishing attempts, which involve spraying the Internet with millions of e-mails that appear to be from, say, Citibank in the hope of snaring a few unfortunate Citibank customers. Spear phishing entails sending highly targeted pitches that can look authentic because they appear to come from a trusted source and contain plausible messages.

As such, the specialists say, the overtures are becoming very difficult for recipients to detect.

“It’s a really nasty tactic because it’s so personalized,” said Bruce Schneier, the chief security technology officer of the British company BT Group. “It’s an e-mail from your mother saying she needs your Social Security number for the will she’s doing.”

Mr. Schneier said the attacks are more like a traditional con game than a technically sophisticated intrusion. “This is hacking the person,” he said. “It’s not hacking the computer.”

Symantec, the computer security firm, said it intercepted around 85 targeted attacks a day in March, including efforts to steal personal information through phishing or with links to nefarious software that could ultimately expose corporate files. The only month with more attacks was March 2009, when there was a surge that coincided with a G20 summit meeting.

Symantec said the most common targets were government agencies and senior managers and executives; the phishing of such big game is commonly referred to as “whaling.” Manufacturing firms were the targets of 15.9 percent of the attacks, compared with 8 percent for the financial sector and 6.1 percent for technology companies, Symantec said. Hackers taking aim at corporations are often seeking new product designs and may focus on engineers at a defense contractor, for example, to get data they can sell on the black market.

Enrique Salem, Symantec’s chief executive, gave the example of an e-mail sent to the head of a company that appears to be from the Internal Revenue Service. The message raises questions about the tax implications of an acquisition, and the chief executive passes the message to others inside the company. Someone opens the attachment, giving the attacker access to the company’s internal network.

“It’s about getting you to do something to compromise the system,” Mr. Salem said.

In the case of the Gmail attacks, Google said they appeared to originate from Jinan, China, and were aimed at users like Chinese political activists, military personnel, journalists and South Korean officials.

The Chinese Foreign Ministry said Thursday that the government had no involvement in any such attacks, and that it “consistently opposes any criminal activities that damage the Internet and computer networks including hacking, and cracks down on these activities according to law.”

It is not clear how the attackers obtained the Gmail addresses they used, although they could have been found inside other compromised accounts, including corporate or government accounts whose addresses are often easier to guess.

The attackers may have hoped to find some work-related e-mail in their victims’ personal Gmail accounts.

Mila Parkour, an independent security researcher who helped alert Google to the attacks, said she was tipped off to the campaign when one of the victims let her examine some suspicious messages.

John Markoff contributed reporting.

No comments:


Blog Archive