[Cryptography] phishing attack again - $300m in losses?

Christian Huitema huitema at huitema.net
Mon Feb 16 14:17:43 EST 2015


On Monday, February 16, 2015 8:36 AM Steve Furlong [mailto:demonfighter at gmail.com] wrote

> I'd guess that getting rid of the tight integration between MS Windows, IE, and MS Office would 
> solve most of the problem, but I don't see that happening -- it's too conveeeeenient for the users. 

There is actually a level of indirection between Office and the browser -- the system variable that sets the default browser to the user's preference. If you set that to Firefox, then Firefox, not IE, will be launched when you click on a link in Office. So the integration is not quite as tight as you mention.

> Conceivably, an artificial intelligence sitting between the user and the links he clicks would do it. I'm
> not confident of this. The providers of the back-end processing for such AIs as we have now do not seem 
> to be any more secure than any other business.

AI is actually not bad at making binary decisions. With proper training, it might be able to differentiate between a mail that actually comes from someone in your contact list and a spoofing attempt. Of course, this is only one of the steps in the phishing attempts.

First step is reconnaissance. The more information you make available about yourself, the easier it is to forge the convincing email that will phish you. Or to learn the various web sites that you go to and spike one for a water-holing attack. In the days of Facebook and LinkedIn and Twitter, reconnaissance is getting very easy.

Step two is generally the phishing e-mail. The goal is to make the target believe that the e-mail is legit, and have them then click on either a web link in the e-mail or an attachment. I said generally, because the same phishing attack could be conducted through a social network if one of the target's contacts is compromised. It could also be conducted by laying a trap in a web site that the target often visits, if that site can be compromised to do the bidding of the phisher. SQL injection, for example.

Step 3 is the initial exploit that will deliver a payload to the target's computer. Great variety there. That's one of the purposes of the zero-day attacks hoarded by spy agencies and by criminals. Maybe there is a virus in that PDF. Maybe the web site that the target clicked on contains a spiked bit of Flash. Maybe the page exploits a zero-day in IE or Firefox. There are lots of possibilities. And if a virus does not do, the phisher can try to capture passwords by other means.

Remember, the initial goal is to get a beachhead or two in the target organization. The phisher may try a number of targets, and only needs one of them to bite the bait. After that, the attack moves to the second stage, lateral propagation inside the corporation.

And yes, I agree with IanG that this situation is outrageous.

-- Christian Huitema
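The "binary decision" Huitema mentions (does this mail really come from someone in my contact list, or is it a spoof?) can be sketched without any machine learning. The following is an added example, not code from the original post or from the mailing list: a small rule-based triage check over the From and Reply-To headers that flags the three patterns a phisher most often relies on when impersonating a contact, a borrowed display name on a foreign address, a look-alike domain, and a genuine address with a Reply-To pointing elsewhere. The contact list, the sample messages and the edit-distance threshold are all constructed for the example; the `.invalid` addresses are reserved placeholders, not real senders.

```python
"""Rule-based triage of a mail's sender against a contact list.

Added example (not from the original post). Everything below, including the
contact list, the sample messages and the distance threshold, is constructed
for illustration.  Treat the result as a triage signal only: the display name
and domain are chosen by the sender, so authenticating them is the job of
SPF/DKIM/DMARC, not of this check.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed contact list: display name -> the address the contact actually uses.
CONTACTS = {
    "Alice Example": "alice@example.com",
    "Bob Finance": "bob@example.com",
}

# Look-alike detection: domains within this many edits of a known domain are suspicious.
LOOKALIKE_MAX_EDITS = 2


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute = 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(raw_message: str) -> str:
    """Return one of: trusted, reply-to-mismatch, display-name-spoof, lookalike-domain, unknown."""
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    known_addrs = {a.lower() for a in CONTACTS.values()}
    known_domains = {a.rsplit("@", 1)[1] for a in known_addrs}

    if addr in known_addrs:
        # Genuine contact address, but replies redirected to a foreign mailbox
        # is a classic pattern for hijacked or forged business mail.
        _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
        if reply_to and reply_to.lower() != addr:
            return "reply-to-mismatch"
        return "trusted"

    if name in CONTACTS:
        # A contact's display name on an address that contact never uses.
        return "display-name-spoof"

    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    for known in known_domains:
        if domain != known and _edit_distance(domain, known) <= LOOKALIKE_MAX_EDITS:
            return "lookalike-domain"

    return "unknown"


# Constructed sample messages, one per outcome.
SAMPLES = {
    "genuine": (
        "From: Alice Example <alice@example.com>\nTo: you@example.com\n"
        "Subject: lunch\n\nSee you at noon.\n"
    ),
    "spoofed_name": (
        "From: Alice Example <alice.example@freemail.invalid>\nTo: you@example.com\n"
        "Subject: urgent\n\nPlease open the attached invoice.\n"
    ),
    "lookalike": (
        "From: Accounts Payable <bob@examp1e.com>\nTo: you@example.com\n"
        "Subject: wire transfer\n\nConfirm the new bank details at the link below.\n"
    ),
    "reply_to": (
        "From: Bob Finance <bob@example.com>\nReply-To: bob.finance@freemail.invalid\n"
        "To: you@example.com\nSubject: quick favour\n\nReply to this mail, I am in a meeting.\n"
    ),
    "stranger": (
        "From: Newsletter <news@vendor.invalid>\nTo: you@example.com\n"
        "Subject: March issue\n\nThis month's headlines.\n"
    ),
}


def classify_all() -> dict:
    """Classify every constructed sample; used as the runnable demonstration."""
    return {label: classify_sender(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in classify_all().items():
        print(f"{label:13s} -> {verdict}")
```

The order of the checks matters: an address that exactly matches a contact is examined for a redirected Reply-To before anything else, while a borrowed display name is reported before the domain heuristic, since the name match is the stronger signal that a specific contact is being impersonated. A trained classifier would replace these hand-written rules with learned weights over many more features (sending infrastructure, authentication results, link targets), but the decision it makes is the same binary one, and the input it sees is just as attacker-controlled.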
