Anti-Phishing

Feature Article

Longline Phishing

Longline fishing is a commercial fishing technique in which a main line of up to several miles in length contains hundreds or thousands of short lines with hooks, each loaded with their own bait. The controversial technique is used to target certain types of fish, such as tuna and halibut, and can efficiently catch thousands of fish with a single deployment.

At RSA, Proofpoint discussed their discovery of what they have defined as “longline phishing attacks”—highly effective, large scale phishing attacks that have a high success rate in defeating existing anti-phishing defenses, and that result in a high clickthrough rate by users who receive these phishing emails.  These longline phishing attacks have three characteristics:

  • They are sent in high volumes—to the tune of hundreds of thousands or millions of emails per attack—but each recipient organization receives only a relatively small number of emails, somewhere on the order of less than 0.1% of its total email volume during the period of the attack.
  • The content of the emails that are sent is highly customized, using minor word changes, changes in the subject lines or body content, rotating the URLs that are included in the messages, a large number of sending IP addresses, and malware that is hosted on a large number of compromised—often legitimate—sites.
  • The use of zero-day exploits for which patches or AV signatures have not yet been developed.

The genius behind the longline phishing attack is that (a.) volumes of any one message are extremely low, which makes recognition of these attacks difficult; (b.) overall volumes of messages received per potential victim are also low, often not triggering conventional anti-spam or anti-malware defenses; (c.) the attacks exploit vulnerabilities for which no defense is yet available; and (d.) botnets are used to distribute the attack across a wide range of sending IP addresses—one such attack, designated “Letter.htm” by Proofpoint, was found to use in excess of 25,000 unique sender IPs.

Another reason that longline phishing attacks are successful is that their perpetrators will compromise legitimate Web sites to distribute malware in order to gain higher clickthrough rates from potential victims. For example, in the Letter.htm attack, the cybercriminals who launched it compromised 22 different legitimate Web sites and placed the malware deep within each site—an average of three subdirectories deep. Moreover, they waited to load malware onto these sites until after the attack had launched, increasing the likelihood that these sites’ administrators would not be able to discover or address the infiltration until after the attack had been completed. In the Letter.htm attack, more than 185,000 emails were sent to 80 companies over a span of three hours, no company received more than three emails with the same characteristics, and the total mail volume represented by the attack was less than 0.06% of the total volume of email received by each company.
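The three characteristics above, and the reasons the attack slips past per-organization volume thresholds, suggest what a defender-side detector has to do differently: instead of counting identical messages inside one company, it has to recognise the shared template behind reworded subjects, rotated URLs and rotated sender IPs, and then look at the spread of that template across organizations. The Python below is an added example (it is not Proofpoint's or Osterman Research's code, and it describes no actual product) that shows that idea end to end over a constructed batch of messages: URLs and numbers are masked before comparison, messages are grouped by word-shingle Jaccard similarity, and a group is flagged when it touches several organizations with only a handful of messages each but shows many distinct sending IPs. The message set, organization names, IP addresses, hostnames and all thresholds are invented for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Message:
    org: str        # receiving organization (constructed names)
    sender_ip: str  # sending IP as seen by the gateway (documentation ranges)
    subject: str
    body: str

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def normalize(text):
    """Lowercase, mask URLs and numbers, and tokenize, so rotated links and
    reference numbers do not break the similarity comparison."""
    text = URL_RE.sub(" <url> ", text.lower())
    text = re.sub(r"\d+", " <num> ", text)
    return re.findall(r"[a-z<>]+", text)

def shingles(tokens, k=3):
    """Set of word k-grams; tolerates small wording changes inside a template."""
    if len(tokens) < k:
        return {tuple(tokens)}
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0

def extract_hosts(text):
    return {urlparse(u).hostname for u in URL_RE.findall(text)}

def cluster_messages(messages, threshold=0.4):
    """Greedy single-pass clustering: each message joins the first cluster whose
    first member is similar enough, otherwise it starts a new cluster."""
    clusters = []  # list of (representative shingle set, member list)
    for m in messages:
        sh = shingles(normalize(m.subject + " " + m.body))
        for rep, members in clusters:
            if jaccard(rep, sh) >= threshold:
                members.append(m)
                break
        else:
            clusters.append((sh, [m]))
    return [members for _, members in clusters]

def flag_longline_campaigns(messages, min_orgs=3, max_per_org=3, min_ips=3):
    """Flag template clusters that are wide (many orgs, many sender IPs) but
    shallow (few messages per org): the profile a per-org counter misses."""
    findings = []
    for members in cluster_messages(messages):
        per_org = {}
        for m in members:
            per_org[m.org] = per_org.get(m.org, 0) + 1
        ips = {m.sender_ip for m in members}
        hosts = set().union(*(extract_hosts(m.body) for m in members))
        if len(per_org) >= min_orgs and max(per_org.values()) <= max_per_org and len(ips) >= min_ips:
            findings.append({
                "messages": len(members),
                "orgs": len(per_org),
                "max_per_org": max(per_org.values()),
                "sender_ips": len(ips),
                "url_hosts": len(hosts),
                "sample_subject": members[0].subject,
            })
    return findings

# Constructed sample: one reworded campaign spread thinly over four organizations,
# plus a duplicated newsletter and an ordinary invoice as benign noise.
SAMPLE = [
    Message("acme", "198.51.100.10", "Your letter",
            "Please review the attached letter regarding your account. Open it here: https://shop-a.example/images/docs/letter.htm before Friday."),
    Message("acme", "192.0.2.8", "Weekly newsletter",
            "Weekly newsletter: new products this week. https://newsletter.example/issue/12"),
    Message("acme", "203.0.113.22", "Your letter",
            "Kindly review the attached letter regarding your account. Open it here: https://blog-b.example/wp-content/uploads/2013/letter.htm before Friday."),
    Message("globex", "198.51.100.77", "Letter",
            "Please review the attached letter regarding your account. View it here: https://news-c.example/assets/old/letter.htm before Monday."),
    Message("globex", "203.0.113.5", "Invoice 4411",
            "Invoice 4411 attached, payment due in 30 days."),
    Message("globex", "192.0.2.45", "Your letter",
            "Please review the attached letter regarding your account. Open it here: https://shop-a.example/images/docs/letter.htm before Friday."),
    Message("initech", "203.0.113.91", "Your letter",
            "Please review the attached letter regarding your account. Open it here: https://forum-d.example/files/2013/letter.htm before Friday."),
    Message("acme", "192.0.2.8", "Weekly newsletter",
            "Weekly newsletter: new products this week. https://newsletter.example/issue/12"),
    Message("initech", "192.0.2.130", "Your letter 4411",
            "Kindly review the attached letter regarding your account. Open it here: https://club-e.example/gallery/letter.htm before Friday."),
    Message("umbrella", "198.51.100.200", "Your letter",
            "Please review the attached letter regarding your account. Open it here: https://school-f.example/docs/letter.htm before Friday."),
]

if __name__ == "__main__":
    for f in flag_longline_campaigns(SAMPLE):
        print(f)
```

No single organization in the sample sees more than two copies of the campaign, so a per-company threshold never fires; the cross-organization view flags it because one template reaches four organizations from seven sending IPs and six different link hosts. A real deployment would run the clustering over a sliding time window and would need the cross-customer vantage point the article attributes to Proofpoint, since a single company only ever sees its own sliver of the longline.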

Underscoring the effectiveness of longline phishing attacks, Proofpoint found that 11% of the messages delivered—observed in more than one billion email messages sent to large enterprises—resulted in users clicking on links in the messages, demonstrating the efficacy of using compromised legitimate Web sites as part of the attack effort.

There are three lessons that should be taken away from this:

  1. Bad guys are smart and well funded, and getting smarter and even more well funded.
  2. Users are an important line of defense in preventing these types of attacks.
  3. Anyone who thinks the “spam problem” has gone away is sorely mistaken.

More information on longline phishing attacks is available from Proofpoint here.
