by

Spear-phishing; worryingly accurate for EMC, Condé Nast & possibly Epsilon?

I’m itching to find out exactly how the attackers who broke into Epsilon did it. Speculation so far is pointing at a well crafted social engineering or phishing attack, specifically a spear-phish. Epsilon are remaining tight lipped about the whole saga, but the press release on their website gives us a small clue.

“…an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system”

Unauthorized entry into the email system eh? So you mean someone either gave their username and password away or the system was cracked. The former being the most likely.

The reason I’m so keen to find out exactly how this happened is because Epsilon use a popular hosted security service for their spam and virus filtering, so if the attack was indeed delivered by email there will be some interesting questions being asked. Probably similar to the navel gazing that is currently going on at EMC and Condé Nast, along the lines of ….”given all our protections how did this happen?” If a spear-phishing attack does turn out to be the cause it will have circumvented classic protections – and that is alarming.

Phishing is not new

Criminals have been after our bank, credit card and financial information for years. Initially their use of the English language is what gave them away, but recently the attackers have been using native English speakers to craft their wares in the hope their motives will be less obvious.

Combine this with the 419 crime and advanced fee fraud that has been floating around since the Internet was invented, even before, and you’ve got a wonderful cocktail of mischievousness waiting to catch you out. I’ve lost count of the number of distant Nigerian relatives lost in plane crashes and even closer relatives who are regularly getting whacked by London buses. For the record my grandmother would never email me from hospital after being hit by a bus.  She’s only just getting the hang of her “New” VHS Video player.

The problem

A few weeks ago we wrote about another unfortunate organization that suffered an …ahem… unauthorized entry to their email system. The HBGary incident was overshadowed by a very well executed attack on EMC, specifically a spear-phishing attack. The interesting detail about the drama at EMC is that the first ‘malicious’ email ended up in the users’ Outlook Junk Folders, but was still actioned. The attackers sat back and waited until they had worked their way far enough up the tree, laundering their own actions through the actions of the unsuspecting users’. HBGary was slightly different, in that the user’s password was compromised on a 3rd party CMS application, given the user had the same password on their email account.  In other words, the attacker got lucky.

I have spent many years carrying out discrete penetration tests for customers, where weaknesses that gave up root access to a box were quite common. If not, you simply walked in the front door and took whichever box you wanted. Today phishing plays a major part in these types of tests, and for good reason – socially engineering end users is unbearably easy. A friend of mine who still carries out penetration tests tells me that a well crafted phishing attack is usually all they need these days; in fact she routinely sees success rates of up to 90%. In one case the email was actually forwarded on so the success rate came in at 110%.

What does this mean for you?

There will be more attacks, more disclosures and more embarrassment – why? Because it’s breathtakingly simple to phish your way into an organization.  But don’t let this scare you. Use this knowledge and the recent events to motivate the training of your users.

Importantly, remind them that no matter who they are or what their job function is, everyone is at risk – especially those of you that publish huge amounts of personal data on social networks. If I see you like a particular bar/shop/pizza joint/football team, you can bank on me using that as an angle to get you to do things for me.

After-all who turns down free beer/shoes/pizza/football tickets, especially by email?