Combating Phishing Attacks
It seems like we've been hearing a lot about phishing in the news in recent years, and this threat hasn't abated yet. Why are attacks via phishing -and social engineering in general -so prevalent and so effective? This whitepaper examines the many different methods employed in phishing attacks and social engineering campaigns, and offers a solution-based approach to mitigating risk from these attack vectors.
White Paper
Combating Phishing Attacks
How to Design an Effective Program to Protect Your Organization Against Social Engineering
Rapid7 Corporate Headquarters, 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095, 617.247.1717, www.rapid7.com

Most of today's data breaches start with a phishing email, giving company-confidential data to malicious outsiders. This is a real problem that companies need to address.

Phishing attacks are the most frequently used form of social engineering. They work because they take advantage of cognitive biases, or how people make decisions. These techniques prey on human emotion by appealing to greed, curiosity, anxiety or trust. Phishing means that attackers are "fishing" for your private information. Attackers attempt to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Many times this is done to steal a victim's login credentials and other confidential information.

Phishing continues to grow and become more widespread, with attacks up 37% year over year, and 1 in every 300 emails on the web containing elements pointing to phishing.1

So, how can you combat phishing attacks and protect your company and its employees? This paper discusses the problem of social engineering and phishing along with its consequences, and outlines approaches for solutions to safeguard your organization.

Defining the Problem: Breaches Often Start With Phishing

To demonstrate the seriousness of the problem, we will briefly present three examples of phishing and the damage they can cause within an organization. These examples range from politically-motivated to financially-motivated to healthcare data attacks.
The New York Times, The Wall Street Journal, The Washington Post, Twitter and Apple were all attacked in early 2013 in what is seen as a widespread, potentially connected attack on high-value targets.2 In the case of The New York Times, the attackers stole the corporate passwords for every Times employee and used them to gain access to the personal computers of 53 employees. The attack is believed to be politically-motivated retaliation for a Times investigation on China's prime minister, Wen Jiabao. Although China's Ministry of National Defense denies the attacks, it appears to be part of a computer espionage campaign against American media that have reported on Chinese leaders and corporations.3 Although these are all high-profile organizations with sophisticated defenses in place, it appears that attackers may have used a targeted spearphishing attack to breach the Times, exploiting human vulnerabilities to click on a link that led to a malicious website.

Many times cyberattacks are financially motivated. Attackers try to get customers' credit card information, and if they are successful, it results in a breach of trust with the company that was attacked, as well as substantial costs of dealing with a breach. Barnes & Noble, the world's largest bookseller, had credit card information stolen at 63 stores across the U.S.; this information was then used to make unauthorized purchases. In this case, a malware (or malicious software) attack targeted the keypad devices in stores. Security experts believe a company insider could have inserted malicious code, or criminals could have persuaded an unsuspecting employee to click on a malicious link that installed the malware, giving the perpetrators a foothold into Barnes & Noble's point-of-sale systems.4

Healthcare data breaches have also been in the news recently.
According to security expert Larry Ponemon, president of the Ponemon Institute, stolen healthcare records can be much more valuable than financial records because they can be used for financial ID theft crimes, medical ID theft, or both. With medical records providing physical characteristic information, attackers can create false passports and visas.5 Over the past three years, about 21 million patients have had their medical records exposed in data security breaches that were big enough to require they be reported to the federal government. (As required by section 13402(e)(4) of the HITECH Act, breaches affecting 500 people or more need to be reported if the data was not encrypted.) At present, physical theft, such as a laptop stolen from a car, made up 54% of the breaches, while hacking made up about 6% of the compromised data.6 And, although phishing attacks have not been the cause of the most significant data breaches to date, the healthcare industry is acutely aware of the threat and is trying to protect against it.
Consequences of Phishing

Phishing attacks can result in compromised client systems. Here are some different consequences of phishing that can impact your network:

- Browser exploitation: Browsers and their plug-ins contain vulnerabilities that can be exploited simply by visiting a malicious website. An attacker can send an email with a link, which brings the user to a malicious website (which is often designed to look like a legitimate site). Just by visiting that site, the user's browser and machine would be compromised and the attacker would have full access to the user's computer. In addition, a completely legitimate website can be attacked to become malicious. So a user could be browsing a legitimate website that's been attacked on the back end and injected with malicious code, which then exploits their browser.

- File format exploitation: Opening a malicious email attachment is another way to trick users. Attachments are typically PDFs or Office files because those applications are widely distributed and widely used across platforms, and the chance that the recipient can read that kind of file is higher. Once the malicious attachment is opened, it exploits vulnerabilities in the application that handles that file format.

- Executable exploitation: This exploit uses another form of email attachment, an executable file (ending in .exe) that runs when the user clicks on it. It is programmed to operate without needing a vulnerability in the program. Although .exe files are quite often blocked by email security features, there are other types of executables. For example, JAR (Java Archive) files end in .jar rather than .exe, but they still execute a malicious file when you double click on them.

How do attackers gain your passwords or other credentials?
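The file-format and executable lures above share a defensive lesson: an attachment filter that only looks at the ".exe" suffix misses .jar files and files whose name lies about their content. The following is an added example, not code from the whitepaper or from Rapid7, of a small attachment triage check that flags executable types (including .jar), double extensions, and a mismatch between the extension and the file's leading bytes; the sample attachments are constructed, and the extension and magic-byte tables are assumptions a practitioner would tune for their own environment.

```python
# Leading bytes ("magic") of common attachment containers, independent of file name.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # ZIP container: .zip, .jar, .docx and .xlsx all begin this way
    b"MZ": "exe",           # Windows PE executable
}
# Types that run when double-clicked; .jar is listed because, as the paper notes,
# it executes like .exe yet often passes filters that only block .exe.
EXECUTABLE_EXT = {"exe", "jar", "scr", "bat", "cmd", "js", "vbs", "ps1", "msi", "com", "hta"}
# Container we expect behind a given extension (assumed table, extend as needed).
EXPECTED = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "jar": "zip", "zip": "zip", "exe": "exe"}

def sniff(data: bytes) -> str:
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def extensions(name: str) -> list:
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []

def triage_attachment(name: str, data: bytes) -> list:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    exts = extensions(name)
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXT:
        findings.append(f"executable attachment type .{final}")
    # "statement.pdf.exe": a benign-looking inner extension placed before the real one
    if len(exts) >= 2 and exts[-2] in EXPECTED and final in EXECUTABLE_EXT:
        findings.append("double extension disguises executable")
    kind = sniff(data)
    expected = EXPECTED.get(final)
    if expected and kind != expected:
        findings.append(f"content is {kind}, not {expected} as .{final} implies")
    elif kind == "exe" and final not in EXECUTABLE_EXT:
        findings.append("PE executable bytes under a non-executable extension")
    return findings

# Constructed samples (not real malware): attachment name -> its first bytes.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "update.jar": b"PK\x03\x04\x14\x00\x08\x00",
    "statement.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "report.pdf": b"MZ\x90\x00\x03\x00\x00\x00",
}

def triage_all(samples=SAMPLES) -> dict:
    return {name: triage_attachment(name, data) for name, data in samples.items()}
```

Only the clean invoice.pdf comes back with no findings; the other three samples are flagged for different reasons, which is the point of checking name and content separately.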
Here is an overview of some of the methods used:

- Phishing form: This attack starts with a phishing email that includes a link to a website. When the user clicks on that link, it doesn't start to exploit the browser; it just pretends to be a familiar website, such as the LinkedIn login page or Outlook Web Access. When the user types in their user name and password, the page captures that information and records it, and then typically forwards the user to the real site and logs them in. But, in the meantime, it has taken the credentials and stored them to access your systems in the future.

The next two are a little bit different. These require that the user's computer is already compromised, for example by one of the methods described above, and then they are used to gain additional information.

- Passwords and password hashes: In that case, the attacker can copy cached passwords from your machine. Passwords are usually stored in the form of password hashes for security reasons. However, once a password hash has been compromised, attackers can either use cracking to obtain the password in the clear or use the password hash itself in a so-called pass-the-hash attack to gain access to network resources. If an administrator ever logged onto the user's machine, their credentials are cached on that machine. The attacker could reuse those administrator credentials to access and start exploiting other machines on the network.

- Key logging: Once an attacker has access to a user's machine, they can also install what's called a key logger, which records every key the user presses on the keyboard. This would allow the attacker to capture a user name and password when a user types it, and would also capture the text of an email or a document being typed and send it back to the attacker.
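The "phishing form" method works because the link's visible text names a site the user trusts while its target does not. As an added example (not code from the whitepaper or from Rapid7), the check below pulls every link out of an HTML email body and reports two signals of that pattern: the displayed host differs from the real target host, or the target host merely contains a trusted brand name without being that domain. The TRUSTED allow-list and the sample email are constructed assumptions; the brand match is a deliberately simple substring test that a production filter would replace with a public-suffix-aware comparison.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed allow-list of sites this organisation's users legitimately sign in to.
TRUSTED = {"linkedin.com", "outlook.office.com"}

class _Anchors(HTMLParser):
    # Collects (href, visible text) pairs from an HTML email body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value: str) -> str:
    # Hostname of a URL or of bare text such as www.linkedin.com; '' if it is not one.
    if " " in value:
        return ""
    url = value if "://" in value else "http://" + value
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if "." not in host:
        return ""
    return host[4:] if host.startswith("www.") else host

def is_trusted(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED)

def analyse(html_body: str) -> list:
    # One finding per link showing the credential-harvesting pattern described above.
    parser = _Anchors()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target, shown, reasons = host_of(href), host_of(text), []
        if shown and shown != target:
            reasons.append("displayed host differs from link target")
        if not is_trusted(target) and any(t.split(".")[0] in target for t in TRUSTED):
            reasons.append("target host imitates a trusted brand")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

# Constructed sample body: a lookalike LinkedIn link, a genuine OWA link, an internal link.
SAMPLE_EMAIL = """<a href="http://linkedin.com.account-check.example/login">https://www.linkedin.com/login</a><br>
<a href="https://outlook.office.com/owa/">Outlook Web Access</a><br>
<a href="https://intranet.example/policy">Read the updated policy</a>"""
```

Running analyse(SAMPLE_EMAIL) reports only the first link, with both reasons; the genuine Outlook Web Access link and the internal link pass.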
As a result of compromised credentials, the attacker can gain access to the local file system, file servers, email, the Customer Relationship Management (CRM) system to access customer information, the Enterprise Resource Planning (ERP) system to access corporate financial information, credit card data, healthcare information, and other Personally Identifiable Information (PII) such as Social Security Numbers. So, even if only one person in an organization is a victim of a phishing attack, there are major implications for the entire organization and its data.

The problems worsen with pivoting to other machines, where a compromised system is used to attack other systems on the same network in multi-layered attacks, bypassing the perimeter defenses. So, even if the user who was hacked does not have access to the ERP system, for example, the attacker can now scan the entire internal network through the first user's machine and see what other machines are out there and the vulnerabilities that exist.

Limiting user privileges does not always protect companies from compromise either. Attackers often use privilege escalation, exploiting a bug in an operating system or software application, to gain administrator-level privileges.

So, how do social engineering and phishing attacks happen?

Email Phishing Techni