IBM MSS

THE PERILS OF PHISHING

RESEARCH AND INTELLIGENCE REPORT RELEASE DATE: MARCH 12, 2015 BY: DAVID MCMILLEN, SENIOR THREAT RESEARCHER

©Copyright IBM Corporation 2015. All rights reserved. IBM and the IBM logo are trademarks or registered trademarks of IBM Corporation in the United States, other countries or both. Other company, product or service names may be trademarks or service marks of others.

TABLE OF CONTENTS

EXECUTIVE OVERVIEW/KEY FINDINGS
HISTORY OF PHISHING
WHO IS USING THIS ATTACK?
  GOTHIC PANDA
  TEMPER PANDA
  EXTREME JACKAL
  PIRATE PANDA
  WOLF SPIDER
  TOXIC PANDA
  MAGIC KITTEN
NOTABLE PHISHING ATTACKS
TYPES OF PHISHING
  BASIC PHISHING
  SPEAR PHISHING
  CLONE PHISHING
  WHALING
  VISHING
  SMISHING
METHODS USED IN PHISHING
  LINK MANIPULATION
  FILTER EVASION
  WEBSITE FORGERY
  COVERT REDIRECT
  EVIL TWINS
RECOMMENDATIONS/MITIGATION TECHNIQUES
  EDUCATION
  PHYSICAL REMEDIES
  IDPS SIGNATURES AND/OR SIEM RULES
REFERENCES
CONTRIBUTORS
DISCLAIMER


EXECUTIVE OVERVIEW/KEY FINDINGS

Email is no longer a novelty. It keeps us in touch with family, friends and work, tracks our appointments, and carries pictures, videos and documents between us. It resembles postal mail, only faster: delivery is instant. Because it is such a mainstream communication tool, it has become a favored infiltration method for both cybercriminals and state-sponsored groups. Employees are now the focused target of a diverse set of adversaries with a single objective: penetrating the network to reach financial and confidential data, personal and sensitive information, and intellectual capital. This paper looks at how criminals craft emails designed to obtain personal information and entry to a company's network, and how they entice employees into falling for phishing.

HISTORY OF PHISHING

The first recorded use of the word "phishing" appears in AOHell, an AOL hacking tool that included a function for harvesting account passwords and credit card details. AOHell was built to let attackers pose as AOL staff: these "phishers" sent private messages through AOL's instant-messaging feature asking users to reveal their password in order to "verify" their account, then used the hijacked accounts for fraud or spamming. The ability to capture credit card information convinced phishers that attacks on online payment systems were feasible. The first known attack on a payment system came in June 2001 and targeted E-gold, a digital gold currency operated by Gold and Silver Reserve under E-gold Ltd. The first known phishing attack against a retail bank took place in September 2003 and was documented by Kris Sangani in an article in The Banker. By 2004 phishers were enjoying waves of success against banks and their customers. Many more sophisticated variants of phishing and spear phishing have appeared since; all carry forward elements of their predecessors, and the technique has proven consistently effective.

WHO IS USING THIS ATTACK?

Because spear phishing campaigns are proving extremely effective, many threat actor groups have been identified that rely on this tactic as their primary, and sometimes sole, means of initial access. Below are a few of those actors as identified by CrowdStrike, with the methods of attack they have historically used.


GOTHIC PANDA

Active since 2007, this group targets high-profile companies in the government research and development sector. Its attacks include links to sites hosting exploits for Microsoft Internet Explorer, some of them unpatched at the time of use, which has led Microsoft to issue out-of-band patches.

TEMPER PANDA

First seen in June 2012, this group has made extensive use of spear phishing against U.S. government targets to deliver malicious attachments carrying the Poison Ivy Trojan and the Java Remote Access Tool (JRAT).

EXTREME JACKAL

This group targets Israeli law enforcement with spear phishing emails whose attachment contains a variant of Xtreme RAT, a remote access tool. Its members come from Middle Eastern countries and are known to have hacktivist motivations.

PIRATE PANDA

First seen in April 2013, this group sends spear phishing emails to victims in Japan with an attachment that installs a remote access tool capable of uploading and downloading files, full file-system access and a remote shell. The attachment exploits a known buffer overflow in the ListView/TreeView ActiveX controls of the MSCOMCTL.OCX library (CVE-2012-0158, the same Windows Common Controls vulnerability described under TOXIC PANDA below).

WOLF SPIDER

First found in July 2014, this cybercrime group uses targeted intrusion tactics to obtain sensitive information, possibly for use in gaining an advantage in financial markets. It relies heavily on social engineering to gain access to corporate email accounts, from which it gleans valuable information. No malware has been associated with this actor. Instead, it sends spear phishing emails carrying Microsoft Office documents that ask the target to enable macros; once enabled, the document displays a fake email login form that harvests the victim's credentials and relays them to the adversary. The actor then uses the compromised accounts to extend the intrusion, sending seemingly legitimate emails to others within the organization and to related entities such as consultants and legal counsel.

TOXIC PANDA

This actor has been observed using spear phishing emails with malicious Rich Text Format (RTF) attachments given a ".doc" extension, which exploit a Microsoft Windows Common Controls vulnerability (CVE-2012-0158). The exploit targets pre-Vista versions of Windows, and only Chinese-language builds of those versions; it is designed to fail on all other systems. On success, shellcode in the document drops and executes a WinRAR self-extracting archive (SFX), which in turn drops the components that allow a remote server to control the infected computer.
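The two attachment tricks described under WOLF SPIDER and TOXIC PANDA, an Office document that asks the user to enable macros and an RTF exploit document renamed to ".doc", can both be caught at the mail gateway by looking at file content rather than the file name. The following Python triage script is an added example written for this edition, not code from the report or from CrowdStrike. The file signatures are the standard ones for each format; the sample attachments are constructed in memory; and the macro check only covers OOXML (zip-based) documents, which store macros as a vbaProject.bin part.

```python
"""Triage e-mail attachments: flag a file whose content does not match its
extension (an RTF document named .doc) and an OOXML document that carries a
VBA macro project. Added example; the samples below are constructed."""
import io
import zipfile

# Leading bytes -> container type (standard file signatures).
MAGIC = {
    b"{\\rtf": "rtf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls/.ppt
    b"PK\x03\x04": "zip",                          # OOXML .docx/.docm/.xlsx ...
    b"%PDF": "pdf",
}

# Container each extension is expected to use.
EXPECTED = {
    "doc": "ole2", "xls": "ole2", "ppt": "ole2",
    "docx": "zip", "docm": "zip", "xlsx": "zip", "xlsm": "zip", "pptx": "zip",
    "rtf": "rtf", "pdf": "pdf",
}


def sniff(data: bytes) -> str:
    """Return the container type implied by the file's leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def has_vba_project(data: bytes) -> bool:
    """OOXML documents keep macros in a vbaProject.bin part inside the zip.
    Legacy OLE2 documents need an OLE parser (e.g. oletools' olevba) instead."""
    if sniff(data) != "zip":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one attachment (empty list = clean)."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff(data)
    expected = EXPECTED.get(ext)
    if expected and actual != expected:
        findings.append(f"extension .{ext} but content is {actual}")
    if has_vba_project(data):
        findings.append("contains VBA macro project")
    return findings


def _build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container, optionally with a macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (names and contents are illustrative only).
SAMPLES = {
    "invoice.doc": b"{\\rtf1\\ansi RTF content given a .doc name}",
    "report.docx": _build_ooxml(with_macro=False),
    "login.docm": _build_ooxml(with_macro=True),
    "notes.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504,
}


def run() -> dict[str, list[str]]:
    """Triage every sample and return the findings keyed by file name."""
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run().items():
        print(f"{name}: {findings or ['clean']}")
```

The extension check is deliberately strict: a genuine ".doc" must be an OLE2 compound file, so an RTF or zip body under that name is worth quarantining regardless of what an exploit scanner says about it.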

MAGIC KITTEN

This adversary is based in Iran, and CrowdStrike Intelligence traces its earliest activity to November 2008. It keeps a low profile and its activity does not appear to be widely tracked. It uses a highly modular RAT made up of multiple independent components, delivered preferentially by spear phishing emails with malicious attachments. The attachment contains a dropper that places the RAT's base module on the victim's system to establish a foothold in the network; follow-on modules are then downloaded to that system. Available modules provide system enumeration, keylogging, data alteration, arbitrary file execution, remote shell, screenshots, voice recording, credential collection from web browsers and email clients, and file exfiltration. MAGIC KITTEN targeting appears to focus on those with interests in the political sphere, most likely political opposition groups within Iran.


NOTABLE PHISHING ATTACKS

TYPES OF PHISHING

BASIC PHISHING

Basic phishing is a general attempt to acquire personal information, financial data, usernames and passwords by email while pretending to be a trustworthy source. These attacks are generally regarded as "incidental contact": they are exploratory in nature and target a broad audience. Using a combination of social engineering and technical deceit, criminals try to persuade a potential victim into opening embedded links or file attachments. Such messages are usually distributed in bulk, like spam.


SPEAR PHISHING

Phishing attempts directed at specific individuals or companies are termed spear phishing. Spear phishing uses tactics such as sender impersonation and may employ mail-filter and antivirus evasion techniques, and attackers often gather personal information about the target beforehand to raise the odds of success. The email's links may lead to drive-by download or watering hole sites, and its attachments may be weaponized Word, PowerPoint or Excel documents. It is by far the most effective technique in use today, accounting for 91% of all APT attacks according to Microsoft, and is the usual first stage of an advanced persistent threat (APT) intrusion. These attacks are generally regarded as "targeted attacks".

CLONE PHISHING

In clone phishing, a legitimate and previously delivered email containing an attachment or link has its content and recipient list copied to produce a nearly identical, cloned message. The attachment or link is replaced with a malicious version, and the message is sent from an address spoofed to look like the original sender's, often claiming to be a resend or an updated version of the original. The technique can be used to pivot from a previously compromised machine to a new one, exploiting the trust implied by both parties having received the original email.

WHALING

Whaling is a method of phishing directed specifically at senior executives and other high-profile targets within businesses. The tactic is also used against celebrities and politicians.

VISHING

Email is not the only channel criminals use to steal personal information. Vishing (voice phishing) uses unsolicited telephone calls to solicit a victim's personal details. In most cases the caller ID is spoofed, typically using VoIP (Voice over IP) services, so the call appears to come from a trusted organization. Common pretexts include posing as the victim's utility company with an offer to lower the bill, or as a vehicle warranty company warning that the victim's auto warranty is about to expire and must be renewed.

SMISHING

Smishing targets mobile phones with text messages containing URLs or phone numbers. The number often leads to an automated voice response system and, as in email phishing, the message usually demands immediate attention.


METHODS USED IN PHISHING

LINK MANIPULATION

Most phishing relies on some technical deception to make a link in an email, and the spoofed site it actually points to, appear to belong to a trusted organization. The simplest form puts a trusted domain name in the visible anchor text while the href attribute points to the phishing host; the recipient sees the reliable-looking name, not the real destination. Related tricks are URLs that place a trusted name before an "@" (everything before the "@" is treated as user information, and the browser connects to the host after it) and links to bare IP addresses. Most desktop browsers and email clients reveal the real destination when the mouse hovers over the link, although this check is harder to perform on mobile clients.
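The mismatch between what a link shows and where it goes is mechanical enough to check automatically. The Python script below is an added example for this edition, not code from the report: it parses the anchors out of an HTML message body with the standard library and flags three of the manipulations described above (visible text naming one domain while the href goes to another, a trusted name hidden in the user-information part before "@", and links to bare IP addresses). The message body is constructed, and the domain comparison keeps only the last two labels, which is a simplification a production filter would replace with a public suffix list.

```python
"""Flag anchors in an HTML e-mail whose visible text and href disagree.
Added example; the sample message is constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a host name (optionally with a scheme) in anchor text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude last-two-labels comparison (a real filter would use the public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def analyse_link(href: str, text: str) -> list[str]:
    """Return findings for one anchor; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(href)
    real_host = (parts.hostname or "").lower()
    if not real_host:
        return findings
    # http://www.bank.example@evil.example/ : the browser ignores everything before '@'.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' in URL hides real host {real_host}")
    try:
        ipaddress.ip_address(real_host)
        findings.append(f"link points at bare IP address {real_host}")
    except ValueError:
        pass
    m = HOST_RE.search(text)
    if m and registrable(m.group(1)) != registrable(real_host):
        findings.append(f"text shows {m.group(1)} but href goes to {real_host}")
    return findings


def scan_html(body: str) -> list[tuple[str, list[str]]]:
    """Return (href, findings) for every anchor in the body that raised a finding."""
    parser = AnchorCollector()
    parser.feed(body)
    return [(href, f) for href, text in parser.anchors if (f := analyse_link(href, text))]


# Constructed message body: three manipulated links and one honest one.
SAMPLE = """
<p>Dear Customer, please <a href="http://203.0.113.5/verify">verify your account</a>.</p>
<p>Or visit <a href="https://www.bank.example.attacker.example/login">https://www.bank.example/login</a></p>
<p>Secure link: <a href="http://www.bank.example@evil.example/">www.bank.example</a></p>
<p>Unsubscribe: <a href="https://www.bank.example/unsub">https://www.bank.example/unsub</a></p>
"""

if __name__ == "__main__":
    for href, findings in scan_html(SAMPLE):
        print(href)
        for finding in findings:
            print("  -", finding)
```

The honest unsubscribe link produces no finding because the host named in the text and the host in the href share the same registrable domain; the other three are reported with the specific trick that was used.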

FILTER EVASION

Phishers have started using images in place of text to make it harder for anti-phishing filters to detect the wording commonly used in phishing emails. This has driven the development of more sophisticated filters that recover text from images using OCR (optical character recognition). Some filters go further and apply IWR (intelligent word recognition), which complements rather than replaces OCR and can detect cursive, hand-written, rotated (including upside-down) or distorted text, as well as text on colored backgrounds.

WEBSITE FORGERY

Once a victim reaches the phishing website, the deception continues. Some phishing pages have used JavaScript to alter the appearance of the address bar, either by placing an image of a legitimate URL over it or by closing the original bar and opening a new one showing the legitimate URL; current browsers no longer allow page scripts to hide or replace the address bar, which closes off this particular trick. An attacker can also turn flaws in a trusted website's own scripts against the victim. Such cross-site scripting attacks are particularly problematic because the user really is signing in at the bank's or service's own web page, where everything from the address to the certificate is correct; the link itself carries the malicious script, which makes the attack very difficult to spot without specialist knowledge. Such a flaw was used against PayPal in 2006. A Universal man-in-the-middle (MITM) phishing kit discovered in 2007 provides a simple interface that lets a phisher convincingly reproduce websites and capture the login details entered at the fake site. To evade anti-phishing tools that scan websites for phishing-related text, phishers have also built Flash-based sites, a technique known as phlashing, which look like the real thing but hide the text inside a multimedia object. (Flash has since been removed from mainstream browsers.)


COVERT REDIRECT

Ordinary phishing pages can often be spotted because their URL differs from the real site's by a few characters. Covert Redirect, disclosed in 2014 against OAuth 2.0 and OpenID implementations, does not need a look-alike domain. The victim is shown a genuine login or consent popup from the identity provider (Facebook, for example); the weakness is that the provider accepts a redirect_uri anywhere on the client application's legitimate domain, and that domain happens to host an open redirector. After the user approves, the provider sends the authorization code or access token to the trusted URL, which bounces it to the attacker. With a basic token the attacker obtains the profile data the user approved: email address, birth date, contacts, work history and so on. If the token carries greater privileges, the attacker may read the mailbox and friends list, see online presence, and potentially operate the user's account.
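The flaw sits in how the identity provider validates redirect_uri, so it is worth seeing the weak check next to the strict one. The Python below is an added example for this edition, not code from the report or from any real provider: the client registration, the "/go?url=" open redirector on the trusted site and the token value are all constructed. It models the implicit flow, where the provider returns the access token in the URL fragment; the open redirector forwards the fragment because a browser following a 3xx response whose Location has no fragment carries over the fragment of the request (RFC 7231, section 7.1.2).

```python
"""Covert Redirect in miniature. A provider that validates redirect_uri by
domain (the weak check) delivers the token to any URL on the client's real
domain, including an open redirector; the strict check accepts only the exact
URIs the client registered. Added example with constructed data."""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed registration records for a hypothetical OAuth client.
REGISTERED_REDIRECTS = {"client-123": ["https://app.trusted.example/oauth/callback"]}
CLIENT_DOMAIN = {"client-123": "trusted.example"}


def allowed_weak(client_id: str, redirect_uri: str) -> bool:
    """Vulnerable pattern: any https URL whose host is the client's domain or a subdomain."""
    parts = urlsplit(redirect_uri)
    host = parts.hostname or ""
    domain = CLIENT_DOMAIN[client_id]
    return parts.scheme == "https" and (host == domain or host.endswith("." + domain))


def allowed_strict(client_id: str, redirect_uri: str) -> bool:
    """Exact match against the pre-registered URIs (RFC 6749, sections 3.1.2.2 and 10.6)."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, [])


def authorize(client_id: str, redirect_uri: str, token: str,
              check: Callable[[str, str], bool]) -> Optional[str]:
    """Provider side, implicit flow: after the user clicks Approve in the genuine
    login popup, the access token is appended to redirect_uri as a fragment."""
    if not check(client_id, redirect_uri):
        return None
    s = urlsplit(redirect_uri)
    return urlunsplit((s.scheme, s.netloc, s.path, s.query, urlencode({"access_token": token})))


def open_redirector(url: str) -> Optional[str]:
    """Constructed stand-in for /go?url=... on the trusted site. The browser keeps
    the request's fragment across the redirect, so the token travels with it."""
    s = urlsplit(url)
    target = parse_qs(s.query).get("url", [None])[0]
    if target is None:
        return None
    t = urlsplit(target)
    return urlunsplit((t.scheme, t.netloc, t.path, t.query, s.fragment))


# Attacker-supplied redirect_uri: a real page on the client's real domain.
ATTACK_URI = "https://app.trusted.example/go?url=https://attacker.example/collect"


def demo(token: str = "tok-constructed") -> dict:
    """Run the same attacker redirect_uri through both checks and report where the token lands."""
    weak = authorize("client-123", ATTACK_URI, token, allowed_weak)
    strict = authorize("client-123", ATTACK_URI, token, allowed_strict)
    landing = open_redirector(weak) if weak else None
    return {
        "weak_accepted": weak is not None,
        "strict_accepted": strict is not None,
        "token_lands_on": urlsplit(landing).hostname if landing else None,
    }


if __name__ == "__main__":
    print(demo())
```

Exact matching is the fix on the provider side; on the client side, removing the open redirector (or restricting it to an allow-list of targets) removes the bounce the attack depends on.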

EVIL TWINS

An evil twin is a phishing technique that is hard to detect. The phisher sets up a rogue wireless network whose name mimics a legitimate public network of the kind found in airports, hotels or coffee shops. Whenever someone connects to the bogus network, the fraudster sits in the path of that user's traffic and attempts to capture passwords and/or credit card information.

RECOMMENDATIONS/MITIGATION TECHNIQUES

Defense against phishing begins with the end user. Education is key to reducing successful infiltration attempts by outside criminal organizations. Several physical (technical) defensive mechanisms can also be deployed around an email system; both are covered below.

EDUCATION

Most companies, banks and agencies never request personal information by email; do not fall victim to this most common phishing type. Treat emails with generic greetings such as "Dear Customer", or with spelling and grammatical errors, as immediately suspicious. Do not trust email attachments, even from a trusted source: unless you are expecting a document, call the sender and confirm they sent it, because the sender's computer may have been compromised and be sending email without their knowledge, or the sender's address may simply be spoofed. Report any email you suspect might be part of a spear phishing campaign against your company. Never reveal personal or financial information in response to an email request, no matter who appears to have sent it.


Adopt an employee testing program that encourages behavior change; companies such as PhishMe.com and SonicWALL (with its Phishing IQ Test) offer this type of service. Use a mix of media such as video, webinars and in-person training, and require training at regular intervals so the risk stays clear. Openly communicate newsworthy phishing-related breaches to employees and emphasize that "this could happen to us".

PHYSICAL REMEDIES

Inbound email sandboxing: deploy a solution that checks the safety of links and attachments in inbound email before delivery, such as Proofpoint's Targeted Attack Protection. (Desktop sandboxes such as Sandboxie isolate a program the user has already chosen to run; they are not a substitute for inspection at the mail gateway.)

Real-time analysis and inspection of web traffic: stop malicious URLs at the web gateway rather than relying on the corporate inbox alone. Even with inbound email sandboxing, a user may click a malicious link from a personal account such as Gmail, which the corporate email protection never sees. The web security gateway must analyze content in real time and be highly effective at stopping malware.

Require employees to use VPNs: many employees work remotely and may connect from public networks in airports, restaurants or coffee houses. Requiring a Virtual Private Network (VPN) connection encrypts traffic back to the employer's network, so an attacker on the same public network (for example, one running an evil twin access point) cannot read company data that could later be used to craft a spear phishing attack.

IDPS SIGNATURES AND/OR SIEM RULES

Because phishing lures are so diverse, there is no single IDS/IPS signature for "phishing" itself. What can be detected is the payload and its follow-on activity: attachments carrying Trojans and other malware, which an anti-virus solution is well placed to catch, and known exploit documents (such as those for CVE-2012-0158) or RAT command-and-control traffic, for which intrusion detection and SIEM content can be written. Mail gateway logs can also be correlated in a SIEM to flag the same subject, sender or link arriving for many recipients within a short window, a common indicator of a campaign.

REFERENCES

Spear Phishing: http://www.sans.edu/research/security-laboratory/article/spear-phish
History of Phishing: http://www.phishing.org/history-of-phishing
Phishing Defense: http://www.csoonline.com/article/2132618/social-engineering/11-tips-to-stop-spear-phishing.html
Anti-Phishing Solutions: http://www.phishlabs.com/services/phishing-protection ; http://phishme.com/ ; https://www2.fireeye.com/ppc-spear-phishing-attacks.html
Notable Phishing Attacks: http://en.wikipedia.org/wiki/Phishing
CrowdStrike Intelligence: www.crowdstrike.com

CONTRIBUTORS

Michelle Alvarez - Threat Researcher/Editor
Nick Bradley - Practice Lead, Threat Research Group

DISCLAIMER This document is intended to inform clients of IBM Security Services of a threat or discovery by IBM Managed Security Services and measures undertaken or suggested by IBM Security Service Teams to remediate the threat. This information is provided “AS IS,” and without warranty of any kind.