Advanced phishing techniques and how to combat them

Brid-Aine Parnell

Monday 27 July 2015

Phishing emails are more sophisticated than ever. With the rising threat of document-based malware and exploit kits, they’re taking cybercrime to a new level.

We’re all familiar with the clichés of phishing spam. You receive an email from a Nigerian businessman who says he has an incredibly lucrative proposition for you, or a missive from a very lonely and very attractive lady in Asia who needs your help to come to your country. All you have to do is click on a link, send over some bank details, even start a conversation, and the fraudsters on the other end will take whatever data, and ultimately money, they can from you.

But this image of phishing has, in fact, now become so outdated that it might be doing more harm than good. While a lot of people know not to answer this kind of email or click on any links it contains, not many know that a perfectly valid-looking email with a document attachment could be just as dangerous.

“This is like a blast back to the 90s, using docs to distribute malware instead of web-based links,” explained James Lyne, global head of security research at Sophos, at the recent CBI Cybersecurity Conference in London.

If you’re the head of the HR department and you receive an email apparently applying for a position you’ve advertised, with a CV attached, you’re probably going to quite happily click on that document. Other gambits include enticing documents with titles like ‘Company Salaries’ or seemingly legitimate business documents like bid proposals.

Equally, if a company is just about to launch a new product or initiative, the head of marketing might receive a very interesting email, purportedly from a journalist at the New York Times or The Guardian who wants to do a big spread on the firm. “Just read through the attached questions and see what you think!” would, for instance, sound harmless enough.

There’s no easy way to stop a staff member from buying into these legitimate-looking emails and documents. They’re not written in broken English, they’re not asking outright for cash investment or bank details and there are no suspicious web links. These are targeted emails that aim to get malware onto a company’s systems, and the perpetrators are very clever in how they go about it.

The employee might get lucky and spot an error in the sender’s email address, but barring that, they’re likely to click on the attached document. What they’ll get is what appears to be a small glitch in reading the document.

“The doc will be gibberish and say something like ‘enable content’ or ‘protected doc, do this to read it’ or this was created by a newer version of Office so click ‘enable content’,” Lyne continues.

It’s this second click that does the damage. ‘Enable content’ is Office’s prompt for switching on the macros embedded in the document; once the user agrees, the macro runs, fetches or drops the malware and the attackers behind the campaign can start accessing company data. The first click, simply opening the attachment, is not what compromises the machine; the attacker needs the user to override the safeguard.
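Because the lure depends on the user clicking past the macro warning, the practical defence is to stop macro-bearing attachments reaching the inbox in the first place. The following is an added example written for this page, not code from the article or from Sophos: a content-based check, of the kind a mail gateway or attachment scanner would run, that inspects the bytes of an Office attachment rather than trusting its filename. It looks for a `vbaProject.bin` part and a macro-enabled content type in OOXML files (.docm and friends), and quarantines legacy OLE2 binaries (.doc/.xls), whose macros cannot be spotted without a full OLE parser. The sample documents are constructed inline for the demonstration; the function names and the quarantine policy are assumptions of this example.

```python
import io
import zipfile

# Content type that Word writes for a macro-enabled document (.docm); the
# macro-free .docx equivalent has no "macroEnabled" in it.
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOCX_CT = ("application/vnd.openxmlformats-officedocument."
                 "wordprocessingml.document.main+xml")

# Magic bytes of an OLE2 compound file, the container used by legacy .doc/.xls.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def inspect_office_attachment(data: bytes) -> dict:
    """Classify an attachment by content, not by extension.

    Returns a findings dict with a 'verdict' of 'allow' or 'quarantine'.
    """
    findings = {
        "format": "unknown",
        "has_vba_project": False,
        "macro_enabled_content_type": False,
        "verdict": "allow",
    }

    # Legacy binary Office file: macros live in OLE streams we are not
    # parsing here, so hand it to a full parser (or block it) rather than
    # guessing. This example quarantines it.
    if data.startswith(OLE2_MAGIC):
        findings["format"] = "ole2"
        findings["verdict"] = "quarantine"
        return findings

    # OOXML (.docx/.docm/.xlsm/...) is a zip archive; anything else is out of scope.
    if not data.startswith(b"PK"):
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings

    names = zf.namelist()
    findings["format"] = "ooxml"

    # The VBA project is stored as its own part regardless of the outer file name,
    # so a .docm renamed to look harmless is still caught.
    findings["has_vba_project"] = any(
        n.lower().endswith("vbaproject.bin") for n in names
    )

    # Second signal: the package manifest declares the main part as macro-enabled.
    if "[Content_Types].xml" in names:
        manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        findings["macro_enabled_content_type"] = "macroEnabled" in manifest

    if findings["has_vba_project"] or findings["macro_enabled_content_type"]:
        findings["verdict"] = "quarantine"
    return findings


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (test data, not a real CV)."""
    main_ct = MACRO_ENABLED_CT if with_macro else PLAIN_DOCX_CT
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    )
    if with_macro:
        manifest += ('<Override PartName="/word/vbaProject.bin" '
                     'ContentType="application/vnd.ms-office.vbaProject"/>')
    manifest += "</Types>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE2 stream; a stub is enough here.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"stub vba project")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("CV.docx (clean)", build_sample_docx(False)),
                          ("CV.docx (macro)", build_sample_docx(True)),
                          ("Salaries.doc (legacy)", OLE2_MAGIC + b"\x00" * 64)):
        print(label, inspect_office_attachment(sample))
```

The check deliberately ignores the filename: the attacker controls it, and the article’s whole point is that the attachment looks like an ordinary CV or proposal. It flags only the presence of macros, which is the vector described here; it says nothing about whether the macro is malicious, so the sensible policy is to quarantine and review rather than to try to judge intent at the gateway.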

So where is all this malware coming from? The hype would have you believe that the world is filled with highly sophisticated hacker types that are constantly coming up with new ways to infiltrate computer systems. But the reality is that most of the malware is coming from the same place.

“We see about 350,000 new pieces of malicious code every day at the moment,” says Lyne. “[But] the driving force behind them are these exploit kits like Nuclear, Angler and Fiesta. One of the original exploit kits is Blackhole. It’s three clicks on this user interface to generate a new malicious URL, which you can send to people in a phishing email that will lead to malware, no programming required.”

The cybercriminals have even taken a leaf out of the tech industry’s book and started offering malware-as-a-service.

“The Neutrino gang now offer cybercrime as a service. They even offer a money-back guarantee if law enforcement takes down your illegal website,” Lyne adds, incredulously.

Whether you’re talking about advanced persistent threat groups, nation states or script kiddies, many cybercriminals are using the same tools and just adapting them to their own purposes.

Attackers who write their own code are relatively rare compared with the number of incidents; more often the way in is a weakness in a business process or a gap in the security armour. For example, because companies often take a long time to roll out patches across all of their systems once software vendors release them, cybercriminals can exploit the known flaw in the meantime.

“Cybercriminals reverse engineer from patches, taking advantage of the timelag in our implementation to exploit the flaw between day one and day 29 after the patch is issued,” Lyne explains.

It’s this kind of innovation in cybercrime that makes it a moving target for businesses. It’s not enough to educate your staff once a year and update your software when you get around to it: both processes have to be continuous if firms want to combat these attacks.