Phishing Evolved.

A whaling attack, or "phishing evolved," is aimed at a single, high-profile business target such as a C-Suite executive. This group has access to sensitive employee and customer data, to banking and securities accounts, and often to payment authority. Phishers target them with e-mails and web pages carrying malicious attachments or links. When the attachment is opened or the link followed, the code runs, installing backdoors, remote-access tools or keyloggers; within hours or days the phisher has a foothold inside the organization.

How does the ‘bait’ differ between Plain-Vanilla Phishing and Whaling?

Plain-vanilla phishing attacks are a numbers game: they are mass-generated, casually addressed ('Dear customer,' 'Dear user') e-mails, web pages or pop-ups that appeal to some personal aspect of the target's life. They may offer a time-sensitive 'once in a lifetime' vacation deal, or carry an urgent message that appears to come from your bank, PayPal or Netflix and threatens 'account closure' or warns that the account has been 'compromised.'

In the case of whaling there are far fewer attacks, but the phishers are looking for a much bigger score. Whaling campaigns are highly customized to an executive's specific position and responsibilities within the organization, and they deliberately target the individuals who hold wire-transfer authority. Phishers craft e-mails and malicious web pages that appear to come from a trusted source, such as a colleague or a regular vendor, and that demand an immediate response.

The target opens the malicious attachment or visits the malicious web page. Game over. More disturbing still, once phishers are armed with that access they often launch further attacks from inside, causing considerable monetary and reputational damage.

Why is whaling pervasive? 

A key reason whaling is so effective is that individuals overshare personal and behavioral data on social media. Phishers tap this information, known as OSINT (open source intelligence), and design their e-mails and web pages around the target's OSINT. The more personal information a target shares publicly, the greater the risk that it will be used to manipulate them.

The risks are real. 

The FBI has described what it calls BEC (Business Email Compromise), the broader category of fraud into which whaling falls, as an 'emerging global threat.' Companies in all 50 US states and 79 countries lost approximately $1.2 billion to it in the two years from 2013 to 2015.

Reducing risk.

  • Lock down privacy settings on social media accounts.
  • Limit the use of third-party applications that connect to those accounts.
  • Require two-factor authentication and dual approval (two authorized signatures) for the vendor payment process, and confirm any change to payment instructions out of band, by phone to a number you already have on file.
  • Engage a team, in-house or external, to assess the organization's exposure to phishing and whaling by establishing precisely what OSINT about the organization and its executives is publicly available and could be used against it.
  • Increase awareness through continuous training that includes staged, real-world phishing, whaling and other social engineering exercises.
  • Look to C-Suite executives to make breach preparedness a continuing priority for the entire company.

As information security professionals develop new defenses and warnings, the threat actors will continue to adapt, and we need to be prepared. There is no one-hundred-percent fix for social engineering threats. The key is continuous training and reinforcement, and it should include all employees, not just management and the executive team.

Cybersecurity is a shared responsibility. Stop. Think. Connect.

Creating A Narrative With OSINT.

The informational footprints that individuals, corporations, organizations and governments leave behind on the web and in other open sources contain incredibly useful information. This information is referred to as OSINT, and it is valuable because it can reveal actions and intent, and ultimately give its holder an edge over a competitor or a target.

OSINT is simply Open Source + Intelligence, as opposed to covert or clandestine collection, and includes all unclassified intelligence that is freely available. The sources are many: web-based; media; public data; academic and professional publications.

Think about it: when you are doing reconnaissance, i.e., searching for answers to a question using the Internet or other available sources, whether on the latest threat intelligence, a threat actor, your next employer, or a background check on a potential nanny or home contractor, you are using OSINT.

OSINT is one of many intelligence-gathering disciplines, the 'INTs'. The other well-known ones include:

  • HUMINT: Human Intelligence, gathered from human sources.
  • FININT: Financial Intelligence, gathered from the analysis of monetary transactions.
  • GEOINT: Geospatial Intelligence, gathered from satellite and aerial imagery and mapping/terrain data.
  • SIGINT: Signals Intelligence, made up of COMINT (Communications Intelligence, from intercepted communications between people) and ELINT (Electronic Intelligence, from non-communications emissions such as radar).

OSINT can be used for business intelligence, due diligence, competitor analysis, criminal and legal investigations and background checks, and for identifying people and their habits from their IP address, e-mail address, phone number(s), operating system, software and version, and geolocation.

OSINT is not always easy to find. The information is out there, but the link-crawling search engines Google (72.48%), Bing (10.39%) and Yahoo (7.78%) [ranked by market share] will not always give you what you need; by some estimates their indexes cover only a minuscule portion, 1%-5%, of total web content. Other sources, including the Deep Web (data not indexed by standard search engines) and the darknet reached through Tor ('The Onion Router'), may instead give you too much information, which is its own source of frustration. When it comes to making use of information, simply collecting it is not enough. The best research or intelligence is useless if it cannot be delivered in an easily understood format, presenting a compelling narrative, and completed in a timely fashion.

OSINT can be a cumbersome task to navigate without the proper tools. As humans, we process colors, shapes and connections. OSINT tools make it easier to spot patterns, things out of place or hidden items, and as a result convey critical information faster and more accurately. If you want to transform information into 'actionable intelligence,' you need to learn the tools.

OSINT Tools (These are not all of them, but they provide a good starting point.) 

Creepy

Creepy (Cree.py) is an incredibly useful geolocation tool for investigators, written in Python. Given only a username, it pulls location metadata from the user's Twitter and Flickr activity: geotagged posts and the EXIF data embedded in uploaded photos. After entering the username you get a list of located items; right-click one and it opens in Google Maps, showing where the target was when each photo or post was made, along with other details.

To find out just how creepy Cree.py is, check out 'I know where you are….'
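The data Cree.py relies on is ordinary EXIF metadata. As an added example (not part of the original post or of the Cree.py project), the Python below builds a small constructed JPEG whose APP1 segment carries a TIFF/EXIF blob with a GPS IFD, then parses that blob with nothing but the standard library and converts the degrees/minutes/seconds rationals to decimal coordinates. The coordinates, tag layout and file bytes are all constructed here for illustration; a real photo's EXIF lives in the same APP1 "Exif\0\0" segment, which is why stripping metadata before uploading matters.

```python
import struct

GPS_INFO_TAG = 0x8825              # IFD0 entry pointing to the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types


def build_sample_jpeg() -> bytes:
    """Constructed sample: SOI, one APP1 Exif segment, EOI. The TIFF blob has a
    single IFD0 entry pointing at a GPS IFD. The location (40 26' 46.12" N,
    79 58' 55.88" W) is made up for this example."""
    lat = [(40, 1), (26, 1), (4612, 100)]
    lon = [(79, 1), (58, 1), (5588, 100)]
    ifd0_off = 8                                   # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 1 * 12 + 4            # IFD0: count, one entry, next-IFD
    data_off = gps_off + 2 + 4 * 12 + 4            # GPS IFD: count, four entries, next-IFD
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)            # little-endian header
    tiff += struct.pack("<H", 1)
    tiff += struct.pack("<HHII", GPS_INFO_TAG, 4, 1, gps_off)  # LONG, count 1, inline
    tiff += struct.pack("<I", 0)                                # no next IFD
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + b"N\x00\x00\x00"  # ASCII, inline
    tiff += struct.pack("<HHII", GPS_LAT, 5, 3, data_off)              # 3 RATIONALs
    tiff += struct.pack("<HHI", GPS_LON_REF, 2, 2) + b"W\x00\x00\x00"
    tiff += struct.pack("<HHII", GPS_LON, 5, 3, data_off + 24)
    tiff += struct.pack("<I", 0)
    for num, den in lat + lon:
        tiff += struct.pack("<II", num, den)
    app1_body = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + len(app1_body)) + app1_body
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def exif_from_jpeg(jpeg: bytes):
    """Walk the JPEG marker segments; return the TIFF blob from APP1/Exif or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9:                       # EOI: no more segments
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + length]
        pos += 2 + length
    return None


def _read_ifd(buf: bytes, offset: int, end: str) -> dict:
    """{tag: raw bytes} for one IFD; values over 4 bytes live at a stored offset."""
    (count,) = struct.unpack_from(end + "H", buf, offset)
    entries = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, ftype, n, value = struct.unpack_from(end + "HHII", buf, entry)
        size = TYPE_SIZES.get(ftype, 1) * n
        entries[tag] = buf[entry + 8:entry + 8 + size] if size <= 4 else buf[value:value + size]
    return entries


def _dms_to_decimal(raw: bytes, ref: bytes, end: str) -> float:
    """Three RATIONAL (num/den) fields are degrees, minutes, seconds."""
    parts = [struct.unpack_from(end + "II", raw, 8 * i) for i in range(3)]
    deg = sum((num / den) / 60 ** i for i, (num, den) in enumerate(parts))
    return -deg if ref.rstrip(b"\x00") in (b"S", b"W") else deg


def extract_gps(jpeg: bytes):
    """Return (latitude, longitude) in decimal degrees, or None if absent."""
    tiff = exif_from_jpeg(jpeg)
    if tiff is None:
        return None
    end = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0_off = struct.unpack_from(end + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF header")
    ifd0 = _read_ifd(tiff, ifd0_off, end)
    if GPS_INFO_TAG not in ifd0:
        return None
    (gps_off,) = struct.unpack(end + "I", ifd0[GPS_INFO_TAG])
    gps = _read_ifd(tiff, gps_off, end)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = _dms_to_decimal(gps[GPS_LAT], gps[GPS_LAT_REF], end)
    lon = _dms_to_decimal(gps[GPS_LON], gps[GPS_LON_REF], end)
    return round(lat, 6), round(lon, 6)


if __name__ == "__main__":
    print(extract_gps(build_sample_jpeg()))   # (40.446144, -79.982189)
```

Run it on a real photo by replacing build_sample_jpeg() with the file's bytes; if extract_gps returns a pair of coordinates, that is exactly what a tool like Cree.py plots on a map, and the photo should be re-exported without metadata before it is shared.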

The Wayback Machine

There is nothing more frustrating than hitting a dead end in your information search because the website you were looking for no longer exists. The Wayback Machine (archive.org) website can help with this.

Who.Is

Who.is provides plenty of information about a domain: the IP it sits on, registrant data, what other domains share the same server space, and other statistics. Bear in mind that since 2018 registrant contact details are routinely redacted for privacy, so expect less owner data than the service once showed.

Maltego

Maltego is an open source intelligence and forensics application developed by Paterva. It is written in Java, so it runs on Windows, Mac and Linux and is quick and easy to install. Its graphical interface makes relationships, even those three or four degrees of separation away, visible instantly.

Shodan

Shodan is the search engine for IoT and other internet-connected devices. Shodan has servers located around the world that crawl the Internet 24/7 to provide the latest Internet intelligence. Who buys smart TVs? What companies are affected by Heartbleed? Those are just a fraction of the questions Shodan can answer.

ThreatPinch

ThreatPinch is a browser extension that creates on-hover tooltips on every website for IPv4 addresses, MD5 and SHA2 hashes and CVE identifiers, or for your own threat-intel IOCs. It is designed to work with any API, and customization is encouraged. It calls itself the 'infosec threat and OSINT swiss army knife for your browser.'


Phishing: Attacks Are Not Going Away-They’re Far Too Effective.


You check your e-mail as usual, and this time there is an urgent message from your bank threatening to close your account if you 'do not reply immediately.' This message and others like it are examples of a form of social engineering called phishing. Phishing is a method of identity theft; but in addition to stealing sensitive data, phishers can do much more, including infecting your computer with viruses, keyloggers, trojans and spyware. Once infected, your computer works against you: reporting every keystroke directly to the phisher; tracking and recording your online behavior; acting as a bot that holds fictitious conversations with other unwitting victims in chat rooms; or joining a zombie network that distributes new phishing e-mails or hosts phishing web pages. All this from clicking on a harmless-looking attachment in an e-mail or other electronic message. Phishing is a numbers game: it generates billions of dollars even when only a small percentage of targets take the bait.

E-mail is the most common way to phish, but be aware that these criminals will stop at nothing to phish you. They also use:

  • Instant Messaging (IM)
  • Short Message Service (SMS), i.e., text messaging
  • Pop-ups
  • Malicious websites
    • Phishers build e-commerce sites with 'too good to be true' offers, and fake banking sites. The bogus sites are often legitimately indexed by the search engines.
    • Pharming attacks work at the DNS (Domain Name System) level. The lookup for a legitimate hostname returns the phisher's IP address, so the browser shows the real address while all subsequent traffic goes to a spoofed copy of the site, and the user remains oblivious.

Once the phisher has assumed your identity from your stolen data, they can do any or all of the following:

  • Impersonate you and transfer funds.
  • Convince your friends, and your friends' friends, to act on a request that appears to come from you.
  • Commit crimes in your name.
  • Open credit card and bank accounts in your name.
  • Purchase merchandise (think big).
  • Hijack your other usernames and passwords.
  • Use and abuse your Social Security number.

Worse yet, phishers are never satisfied: when they get bored they will simply sell your information on the darknet, where the process begins all over again. Many (not all) phishers leave telltale signs in their messages and web pages. Be on the lookout for them, and delete the message immediately:

  • Requests for personal information.
  • Generic greetings, like 'Dear Customer' or 'Hello User.'
  • Threats and demands for immediate action, such as 'Please reply immediately' or 'we will cancel your account.'
  • Requests to re-enter or update personal information under the pretext that your 'account is about to expire' or 'multiple log-ins have been detected.'
  • Misspelled domain names, poor grammar, longer-than-normal URLs (especially those containing numbers and symbols), or a link whose visible text differs from the address it actually points to; all are clear signs of phishing.
  • On occasion the communication can include unusually personal content, tailored to appeal to the victim. Keep your guard up: a specialized type of phishing called spear phishing targets individuals and includes personalized information gathered from OSINT, intelligence collected from publicly available sources such as social networking sites.
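The link-related red flags above can be checked mechanically. As an added example, not code from the original post, the Python below scores a hyperlink's visible text and its real href against those signs: a raw IP address as host, a bare http scheme, credentials in the URL, a non-ASCII or punycode host, excessive subdomain depth, unusual length, digits or hyphens in the domain, a protected brand name used as a subdomain of some other domain, lookalike spellings (typosquats and character substitutions), and visible text that names a different host than the link actually points to. The brand list, the homoglyph table, the thresholds and the sample links are all constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed list of brands to protect; a deployment would use its own.
PROTECTED_BRANDS = ("paypal", "netflix", "microsoft", "chase")

# Character substitutions commonly used to spoof a brand name (constructed table).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

MAX_LABELS = 4        # more dot-separated labels than this is deep nesting
MAX_URL_LEN = 100     # longer hrefs are flagged


def _levenshtein(a: str, b: str) -> int:
    """Edit distance; one edit away from a brand name is a likely typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalize(token: str) -> str:
    """Undo the substitutions in HOMOGLYPHS so 'paypa1' compares as 'paypal'."""
    for src, dst in HOMOGLYPHS:
        token = token.replace(src, dst)
    return token


def _shown_host(display_text: str) -> str:
    """Hostname named by the link's visible text, if that text looks like a URL."""
    text = display_text.strip()
    if " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "//" + text
    return (urlsplit(text).hostname or "").lower()


def url_red_flags(display_text: str, href: str) -> list:
    """Return short flag codes for one link; an empty list means nothing obvious."""
    flags = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no-host"]
    if parts.scheme != "https":
        flags.append("no-https")
    if parts.username is not None:
        flags.append("embedded-credentials")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-host")
        return flags                      # an IP host is decisive; skip name checks
    except ValueError:
        pass
    labels = host.split(".")
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in labels):
        flags.append("non-ascii-or-punycode-host")
    if len(labels) > MAX_LABELS:
        flags.append("deep-subdomains")
    if len(href) > MAX_URL_LEN:
        flags.append("long-url")
    # Naive registrable domain (second-level label); a public-suffix list would do better.
    sld = labels[-2] if len(labels) >= 2 else host
    if any(c.isdigit() or c == "-" for c in sld):
        flags.append("digits-or-hyphens-in-domain")
    tokens = [tok for label in labels[:-1] for tok in label.split("-") if tok]
    for brand in PROTECTED_BRANDS:
        for tok in tokens:
            if tok == brand:
                if sld != brand:          # real brand name, but not the domain owner
                    flags.append(f"brand-in-subdomain:{brand}")
            elif _normalize(tok) == brand or _levenshtein(tok, brand) == 1:
                flags.append(f"lookalike:{tok}~{brand}")
    shown = _shown_host(display_text)
    if shown and shown != host and not host.endswith("." + shown):
        flags.append(f"text-href-mismatch:{shown}->{host}")
    return flags


if __name__ == "__main__":
    # Constructed sample links: the first is legitimate, the rest are phishing patterns.
    samples = [
        ("https://www.paypal.com/signin", "https://www.paypal.com/signin"),
        ("www.paypal.com", "http://paypal.com.account-verify.example.net/login?id=4412"),
        ("Verify your account", "https://paypa1-secure.com/login"),
        ("Microsoft 365", "https://login.rnicrosoft.com/"),
        ("Click here", "http://192.168.1.10/update.php"),
    ]
    for text, href in samples:
        print(f"{href}\n    {url_red_flags(text, href) or 'clean'}")
```

These are heuristics, not verdicts: a clean result does not make a link safe, and the brand check will miss a spoof that the normalization table does not cover. The point is that every sign in the list above is something a mail gateway or browser extension can test before a user ever sees the link.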

When you get an e-mail or other message that looks like a phishing attempt, never click on the links or provide your personal information.

The most significant thing you can do is to remain aware and vigilant about what you download and open.

  • Hastily opening e-mail attachments is dangerous. It takes only one click on a phisher's malicious attachment to get past even the strongest anti-virus software.
  • Legitimate organizations, including banks, social media platforms and PayPal, will not send you e-mails asking you to supply passwords, account numbers or other personal information.
  • This cannot be stressed enough: never open an attachment from someone you do not know, even if the message carries authentic-looking logos.
  • If it is unusual for a friend, your employer or a group you belong to to send attachments, call them before opening the attachment.
  • Find a security website and visit it often. Become aware of the latest scams and threats.
  • Finally, use a different, long password for every account (a password manager makes this practical), turn on two-factor authentication wherever it is offered, and change a password as soon as you suspect it has been phished or exposed. A unique password limits the damage when one does get phished; current guidance (NIST SP 800-63B) favors length and uniqueness over forced periodic changes and mandatory mixtures of upper/lower case, numbers and symbols.

A few rules to follow to protect your computer from intrusion:

  • Turn your firewall on and keep it on.
  • Keep your antivirus software updated.
  • Keep your antispyware technology updated.
  • Keep your operating system (OS) updated.

To sum up, phishing attacks come in several forms, and the hidden threats that follow a successful phish are often overlooked. The sheer volume and growing sophistication of phishing attacks are making them one of the most organized and immensely profitable cybercrimes.
