With his article about HTTP fingerprinting, Stephan started a new series that highlights the anatomy of cyber attacks. One key point is that nearly every attack starts with basic information gathering. As that article showed, information gathering often yields useful details about a target's infrastructure. In this article I want to emphasize that it can also be used to learn about the social side of a target, which becomes valuable in the context of an attack.

Social Engineering

Consider an attacker, I'll call him Eve, who wants to target a company C. In the very beginning, Eve is interested in an overview of C, so he uses a search engine to gather information about it. Already the first results show that a lot of C's employees have a LinkedIn profile. Next, Eve learns that the marketing king, Bob, often posts in various groups and is in discussion with one of his contacts, Alice. Alice is a marketing queen and works at another company, D. Their discussion indicates that both visited the marketing conference last month and that they have a friendly relationship. For now, Eve's curiosity is satisfied and he turns to their mail addresses. Visiting the websites of both companies reveals that addresses usually consist of the first name followed by the company's domain. Hence, Eve assumes the mail addresses bob@c.com and alice@d.com.

Spear Phishing

So far, the attacker in our example has gathered basic information about social relationships, the groundwork for social engineering, which is a very powerful technique. To compromise a company's network, different techniques are used. Besides dropping USB devices, sending spear phishing mails is a very common intrusion attempt. Like classic phishing, spear phishing mails tempt people into clicking on malicious links or opening infected attachments. The main difference is that spear phishing is targeted at specific people and heavily relies on social engineering. Eve now makes use of his knowledge about Alice and Bob and sends Bob a mail impersonating Alice:

Dear Bob, do you remember the guy at the marketing conference talking about User Tracking? There is another interesting talk next month! Have a look at the details: http://example.com/next/talk/ It would be great to see you there! All the best! Alice

To complete the impersonation, Eve sets the sender address of the mail to Alice's. Nothing in plain SMTP verifies the From header, so Bob believes that this mail was really sent by Alice and clicks on the link. The link leads to a web server controlled by Eve. Just by loading the page, Bob's browser downloads malicious code, invisible to the user, a so-called drive-by download. Due to a bug in the web browser, the malicious code gets executed and gives Eve access to Bob's PC. Instead of putting a link in the mail, attackers also send attachments (e.g. PDF or DOCX files) that exploit a bug in the application the victim opens them with. Since Eve now has access to Bob's PC, he can move on to the company's internal infrastructure.
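The forged From header is visible in the message itself if one knows where to look. The following script is an added example, not code from the original article: it parses a raw mail and reports the header inconsistencies a spoofed spear phishing mail typically shows (a From domain that differs from the envelope sender in Return-Path, a Reply-To pointing elsewhere, a display name that does not match the mailbox, and the absence of an S/MIME or PGP signature). The sample messages, the domain attacker.example and the IP address are constructed for the example; the script only checks whether a signature part is present, it does not verify it.

```python
"""Flag header tricks a spoofed spear phishing mail relies on.

Added example, not part of the original article. Inspects the headers of
a raw RFC 5322 message and reports signals that a mail gateway or a
suspicious recipient can check without any cryptography.
"""
from email import message_from_string, policy
from email.utils import parseaddr


def addr_domain(header_value):
    """Return the lower-cased domain of the first address in a header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def is_signed(msg):
    """True if the message carries an S/MIME or OpenPGP signature part.

    Presence only: verifying the signature needs the signer's key.
    """
    if msg.get_content_type() == "multipart/signed":
        return True
    return any(
        part.get_content_type() in ("application/pkcs7-signature",
                                    "application/pgp-signature")
        for part in msg.walk()
    )


def spoof_findings(raw_message):
    """Return a list of human-readable warnings for a raw message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = addr_domain(msg["From"])
    envelope_domain = addr_domain(msg["Return-Path"])
    if envelope_domain and envelope_domain != from_domain:
        findings.append(
            f"From domain {from_domain!r} differs from envelope sender "
            f"domain {envelope_domain!r}")

    reply_domain = addr_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain!r} differs from From domain")

    name, addr = parseaddr(str(msg["From"] or ""))
    local_part = addr.partition("@")[0].lower()
    if name and name.split()[0].lower() not in local_part:
        findings.append(
            f"display name {name!r} does not match mailbox {addr!r}")

    if not is_signed(msg):
        findings.append("message is not signed (no S/MIME or PGP signature)")

    return findings


# Constructed sample: the spoofed mail from the article as Bob's mail server
# might store it. Eve sends from his own infrastructure (attacker.example,
# an illustrative domain) but writes Alice's address into From:.
SPOOFED_MAIL = """\
Return-Path: <eve@attacker.example>
Received: from mail.attacker.example (mail.attacker.example [192.0.2.10])
From: Alice <alice@d.com>
Reply-To: <alice.marketing@attacker.example>
To: Bob <bob@c.com>
Subject: Next talk on User Tracking
Content-Type: text/plain; charset="utf-8"

Dear Bob, do you remember the guy at the marketing conference talking
about User Tracking? There is another interesting talk next month!
Have a look at the details: http://example.com/next/talk/
All the best! Alice
"""

# Constructed sample of a legitimate, PGP-signed mail from Alice. The
# signature body is a placeholder, not a real signature.
LEGIT_MAIL = """\
Return-Path: <alice@d.com>
From: Alice <alice@d.com>
To: Bob <bob@c.com>
Subject: Re: conference
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg=pgp-sha256; boundary="sig"

--sig
Content-Type: text/plain; charset="utf-8"

Hi Bob, good to see you last month.

--sig
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----

--sig--
"""

if __name__ == "__main__":
    for warning in spoof_findings(SPOOFED_MAIL):
        print("WARNING:", warning)
    print("legit mail findings:", spoof_findings(LEGIT_MAIL))
```

Run against the spoofed sample, the script reports three warnings (envelope mismatch, foreign Reply-To, no signature); the signed sample from Alice produces none. A mismatch between From and Return-Path is not proof of spoofing on its own (mailing lists and forwarders produce it too), which is why the result is a list of findings for a human or a scoring rule rather than a verdict.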

Conclusion

Spear phishing relies on social engineering. The better the social engineering, the more likely it is that the recipient clicks on the link or opens the attachment. Good spear phishing attacks are hard to prevent. Past operations like Aurora or Night Dragon make clear that even large companies like Google are susceptible to spear phishing.

Mitigation

How can spear phishing be countered? Our mail system heavily relies on trust. The most reliable way to verify a sender is a signature (PGP or S/MIME). Since most mails are sent without any signature, verifying the sender is hard. Domain-level checks such as SPF, DKIM and DMARC let a receiving server reject mails whose sending server or signing domain does not belong to the claimed From domain, but they do not help against a look-alike domain or a compromised legitimate account. The most effective defense is therefore to raise awareness of this type of attack, and to keep browsers and document readers patched, since both the drive-by download and the malicious attachment depend on an exploitable bug. In addition, it is wise to enforce defense in depth, which means that the corporate network is separated into different security zones, so that compromising one zone does not automatically compromise the whole infrastructure.

Further Reading