Proofpoint Makes a Point about Industrial Phishing Attacks with Identification of 'Longlining'

By Peter Bernstein March 01, 2013

One of the joys of going to the RSA security event is that not only do you have the opportunity to learn something new every day, but you get to learn lots of new things on an hourly basis. This is a result of the speed at which the landscape in the security industry is being transformed. Everything from BYOD to the cloud, virtualization, and the sophistication and ingenuity of the bad guys is having an impact. It is ratcheting up the challenges IT is facing: pressure grows for IT to have more control over risk mitigation just as the ability to do so is becoming more complex, and business imperatives are driving lines of business (LOBs) and others to bypass IT altogether in order to be able to compete in a fast-changing world.

One of the things I learned at the show came from a discussion with David Knight, executive vice president of product management for Proofpoint, a leading security-as-a-service (SaaS) provider. It was about the results of a just-released study the company did on various types of attacks. What they found was a new class of sophisticated and effective, large-scale phishing attack. They are calling it “Longlining”.

With a play on words on the hit movie Jaws: just when you thought it was safe to go in the water, the sharks have adapted and are lurking in devious and previously almost invisible ways.

Longlining revealed

What it is and how it got its name

As Knight explained, “Longlining” got its name from the industrial fishing practice of deploying miles-long fishing lines with thousands of individual hooks. In a nutshell, in a cybersecurity context it combines successful spear phishing tactics with mass customization. Unfortunately, attackers can now rapidly deploy thousands of unique, malware-laden messages that are largely undetectable to traditional signature and reputation-based security systems. And, Proofpoint’s investigation found that despite the enormous scale of such attacks the mass customization employed tricked more than 10 percent of recipients into clicking on malicious content capable of taking complete control of PCs and compromising corporate networks.

The relief here is that Proofpoint has the ability to trace and defeat these attacks using their recently released big data solution, Proofpoint Targeted Attack Protection. In short, it is possible to feel better about going for a swim with the knowledge that the sharks can be detected and repelled.

How it works: phishing meets mass customization

Knight walked me through how Longlining works its evil; unlike conventional mass phishing exploits, the ‘hooks’ (e-mail messages) used are highly variable rather than identical. This is why they are largely undetectable to traditional signature and reputation-based security gateways. In fact, a recent incident is enough to keep IT people up at night.

The messages are typically varied by IP address of origination, subject line and body content. The body content also includes multiple mutations of an embedded destination URL, which typically leads to a site with a positive reputation that’s been successfully compromised prior to the attack. The compromised Web destinations are loaded with hidden malware either before, during or sometimes after the attack wave has begun.

Proofpoint, in its public explanation of this, notes that: “Attackers have been able to combine the stealth techniques and malicious payloads of spear phishing with massively parallel delivery. This means they can cost-effectively send 10,000 or even 100,000 individual spear phishing messages, all capable of bypassing traditional security. Attackers’ ability to distribute thousands of e-mail-borne malicious URL ‘hooks’ in a matter of hours greatly improves their odds of success and their ability to exploit zero-day defects before corporate IT has time to patch vulnerable systems.” In fact, Knight is quoted as saying, “Legacy security systems and techniques simply can’t cope with this combination of speed and sophistication, leaving large enterprises increasingly vulnerable to a wide range of criminal activity and data loss.”

Chaos in Action

As part of the new six-month study, which involved over one billion e-mail messages, Proofpoint observed, documented and countered dozens of longlining attacks globally. And, just so you know, they have a pretty good view of things based on their penetration of U.S. enterprise accounts.

The one cited in the public release took place on October 3, 2012, when Proofpoint observed a Russia-based attack with the following characteristics:

  • 135,000 e-mails sent to more than 80 companies in a three-hour period
  • To avoid detection, the attacker employed approximately 28,000 different IP addresses as sending agents, 35,000 different ‘sender’ aliases, and more than twenty legitimate websites compromised to host drive-by downloads of zero-day malware.
  • Because of the different agents, sender aliases, URLs and text, no single targeted organization saw more than three e-mails with the same characteristic.
  • Overall, this attack represented less than 0.06 percent of the targeted companies’ mail flow (compared to 19 percent for spam and 11 percent for virus-laden e-mail).
  • The combination of mass customization and proportionally low volume made this attack effectively invisible to traditional anti-spam products, enabling widespread access to corporate networks.

Similar attacks were documented throughout the fourth quarter of 2012 and early 2013. And, just in case that does not scare you, in another representative attack approximately 28,800 messages were sent in multiple one-hour bursts to over 200 enterprises. The campaign consisted of 813 unique compromised URLs sent from 2,181 different sending IPs. Again, each organization saw no more than three messages with identical content.
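The detection problem the two campaigns above illustrate is that any single organization's gateway sees only a handful of messages, each differing in sending IP, alias, subject and URL path, so per-tenant duplicate counting finds nothing. What the customizations cannot cheaply vary is the small set of compromised hosts the URLs point to, which only becomes visible when mail from many organizations is pooled. The following is an added example written for this article, not Proofpoint's code or the logic of Targeted Attack Protection; it assumes a gateway log with the fields (organization, sender IP, sender alias, subject, URL), uses a constructed sample wave, and the thresholds `min_orgs`, `min_ips` and `max_per_org` are assumed values chosen for the sample, not figures from the study.

```python
"""Cross-organization correlation of a longline-style phishing wave.

Constructed sample data: every record below is invented for this example.
Each record is one inbound e-mail as a gateway might log it: receiving
organization, sending IP, 'From' alias, subject line and the embedded URL.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample log: one wave spread over four organizations, varied by
# IP, alias, subject and URL path, plus a benign newsletter as background.
SAMPLE_LOG = [
    # org,     sender_ip,       alias,              subject,                url
    ("org-a", "198.51.100.11", "billing@ex1.test", "Invoice 4471 overdue", "http://compromised-site.test/doc/a1"),
    ("org-a", "198.51.100.12", "hr@ex2.test",      "Updated policy",       "http://compromised-site.test/doc/b7"),
    ("org-a", "198.51.100.13", "ops@ex3.test",     "Invoice 4471 overdue", "http://compromised-site.test/doc/a1"),
    ("org-b", "203.0.113.21",  "billing@ex4.test", "Your shipment",        "http://compromised-site.test/img/c3?id=9"),
    ("org-b", "203.0.113.22",  "admin@ex5.test",   "Invoice 4471 overdue", "http://compromised-site.test/doc/a1"),
    ("org-c", "192.0.2.31",    "news@ex6.test",    "Quarterly report",     "http://compromised-site.test/q/r2"),
    ("org-c", "192.0.2.32",    "info@ex7.test",    "Your shipment",        "http://compromised-site.test/img/c3?id=4"),
    ("org-d", "192.0.2.41",    "team@ex8.test",    "Meeting notes",        "http://compromised-site.test/n/x9"),
    # benign background: a vendor newsletter sent to everyone from one IP
    ("org-a", "198.51.100.50", "news@vendor.test", "Weekly digest",        "http://vendor.test/digest/12"),
    ("org-b", "198.51.100.50", "news@vendor.test", "Weekly digest",        "http://vendor.test/digest/12"),
    ("org-c", "198.51.100.50", "news@vendor.test", "Weekly digest",        "http://vendor.test/digest/12"),
    ("org-d", "198.51.100.50", "news@vendor.test", "Weekly digest",        "http://vendor.test/digest/12"),
]


def per_org_max_identical(log):
    """Largest number of messages with identical (subject, url) that any one
    organization saw: the view a single-tenant gateway has."""
    counts = Counter((org, subject, url) for org, _ip, _alias, subject, url in log)
    return max(counts.values())


def hostname(url):
    """Normalize a URL to its host; path and query are what the attacker mutates."""
    return (urlsplit(url).hostname or "").lower()


def cross_org_campaigns(log, min_orgs=3, min_ips=3, max_per_org=3):
    """Group messages by URL host across all organizations and flag hosts that
    reach many organizations from many sending IPs while each organization
    sees only a few messages. Thresholds are assumed values for the sample."""
    by_host = defaultdict(list)
    for rec in log:
        by_host[hostname(rec[4])].append(rec)

    flagged = {}
    for host, recs in by_host.items():
        orgs = {r[0] for r in recs}
        ips = {r[1] for r in recs}
        per_org = Counter(r[0] for r in recs)
        # A vendor newsletter also reaches many orgs, but from one IP and one
        # alias; the wave is many IPs and many aliases at low per-org volume.
        if len(orgs) >= min_orgs and len(ips) >= min_ips and max(per_org.values()) <= max_per_org:
            flagged[host] = {
                "orgs": len(orgs),
                "sender_ips": len(ips),
                "aliases": len({r[2] for r in recs}),
                "messages": len(recs),
            }
    return flagged


if __name__ == "__main__":
    print("max identical messages seen by any one org:", per_org_max_identical(SAMPLE_LOG))
    print("single-org view flags:", cross_org_campaigns([r for r in SAMPLE_LOG if r[0] == "org-a"]))
    print("pooled view flags:", cross_org_campaigns(SAMPLE_LOG))
```

Run on org-a's messages alone, `cross_org_campaigns` returns nothing, matching the "no more than three identical e-mails per organization" observation; run over the pooled log it flags `compromised-site.test` (four organizations, eight sending IPs, eight aliases) while leaving the newsletter host alone. Keying on the URL host is a simplification: in practice the hardened form would also resolve redirects and compare the destination's registered domain, since a wave may spread its hooks over twenty or more compromised hosts as the October 2012 attack did.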

Longlining works all too well

The bad news is that despite their size, longline attacks really work quite well. Proofpoint found that:

  • Ten percent of the e-mail messages containing embedded malicious URLs that escaped perimeter detection were clicked on by the receiving employees
  • All the longline attacks employed so-called “drive-by downloads” installed on compromised websites. These attacks leverage browser, PDF and Java vulnerabilities to install “rootkits” invisibly with no user action required beyond clicking on the e-mailed URL and visiting the infected website
  • Almost one out of every five clicks (19 percent) on malicious URLs embedded in e-mail occurred ‘off network’ when employees accessed their e-mail from home, on the road, or via mobile devices, where they were outside corporate perimeter protection

As Knight told me, the real issue is that typical antivirus protection did not pick up these attacks. In describing another incident that involved 700 customers and 900K messages from 30K IP addresses, each message contained four exploits. “If they did not get you with one they got you with one of the other three, and less than 10 percent of the 46 anti-virus solutions used detected the activity,” Knight explained.

With a huge part of the industry discussion at RSA involving Advanced Persistent Threats (APTs), the ability of the bad guys to expand their scope and reach through longlining is certainly not welcome news, but the discovery of it, and the fact that there are counter-measures, is an important contribution to the industry’s now laser-like focus on generating more visibility for everyone regarding what is out there and what to do about it.

There is a lot more to know about longlining than this space allows. Hence, I recommend you download the Proofpoint whitepaper, Longline Phishing: E-mail-borne Threats, Cloud Computing, Big Data, and the Rise of Industrial Phishing Attacks, at http://www.proofpoint.com/longline-wp for a full explanation.

I would like to say you will be glad you did, and hopefully it does not cause you to be like me, sleepless in San Francisco. Clearly the bad actors have been busy and that is not a good thing.

Edited by Allison Boccamazzo