iDefense Press Release: Spear Phishing and Whaling Attacks Reach Record Levels
June 7, 2008
Summary:
Targeted social engineering attacks against corporations have reached new highs during April and May 2008. These e-mail-based attacks, often referred to as “spear phishing” or “whaling,” target individual users and contain personal information such as name, company, mailing address and phone number. Many of these attacks target senior executives and other high profile individuals.
These attacks are far from new; between February 2007 and June 2008, there have been at least 66 unique attacks. More than one quarter of these attacks occurred in April and May 2008. All of these attacks leverage social engineering to convince victims to open an attachment or follow a link to view additional information. The attacks do not use vulnerabilities in the operating system or applications to install malicious code. Often, anti-virus products do not detect the malicious code involved on the day of the attack.
The victim counts from these attacks is staggering – over 15,000 corporate users in 15 months. Victims include Fortune 500 companies, government agencies, financial institutions and legal firms. In these attacks, the goal is to gain access to corporate banking information, customer databases and other information to facilitate cyber crime.
Two groups of attackers have carried out 95 percent of these attacks. Each group installs a unique malicious code and operates independently. One group, known as “Group B,” installs a Browser Helper Object (BHO) capable of logging SSL encrypted sessions and performing man-in-the-middle attacks on two-factor authentication systems.
The other group went through a period where they installed a full version of the Apache Web server on victims’ computers, earning them the name “Group A.” This group commonly installs a key logger that is also capable of performing attacks on two-factor authentication systems.
iDefense expects the volume of spear phishing attacks to continue to increase. The quality and sophistication of the social engineering and malicious code is also likely to improve. iDefense recommends in-depth training of executives and other employees on social engineering attacks, specifically spear phishing. No single technical defense is likely to prevent these attacks; however, most can be prevented using a layered defense that includes desktop and gateway anti-virus, URL filtering, vigilant monitoring of anomalous network activity and the use of non-administrative user accounts.
Key Statistics:
- 66 distinct spear phishing and whaling attacks between February 2007 and June 2008
- Over 15 different templates have been used including Better Business Bureau (BBB), Internal Revenue Service (IRS), Federal Trade Commission (FTC), US District Courts, Department of Justice (DoJ) and Proforma Invoices
- 95 percent of the attacks emanate from two cyber crime groups
- Signature-based anti-virus detection ranges from 5 to 40 percent for each attack
- Victim losses can exceed $100,000
- Malicious code from these attacks targets over 50 financial institutions in the US
- Attacks are often well timed to coincide with events such as tax day, Microsoft Patch Tuesday and month-end processing
- Malicious payload split 50/50 between links and attachments
- For more than 12 months, the malicious code is capable of defeating most two-factor authentication systems
- Over 15,000 corporate victims in 15 months of attacks
- Attack volume reached new highs in April and May with 10 and 9 attacks, respectively
- Recent Attacks have netted over 2,000 victims in May alone
- May 29, 2008 - IRS / US Treasury Tax Court – 600 victims
- May 12 - 22, 2008 - IRS Tax Court – 800 victims
- May 1 – 7, 2008 – BBB Complaint – 800 victims