One of the joys of going to the RSA security event is that not only do you have the opportunity to learn something new every day, but you get to learn lots of new things on an hourly basis. This is a result of the speed at which the landscape in the security industry is being transformed. “E”verything from BYOD to the cloud, virtualization, sophistication and ingenuity of the bad guys is having an impact. It is ratcheting up the challenges IT is facing as pressure grows for IT to have more control over risk mitigation just as the ability to do so is becoming more complex and business imperatives are driving lines of business (LOBs) and others to by-pass IT altogether in order to be able to compete in a fast-changing world.
One of things I learned at the show came from a discussion with David Knight, executive vice president of product management for Proofpoint , a leading security-as-a-service (SaaS) provider. It was about the results of a just released study the company did on various types of attacks. What they found was a new class of sophisticated and effective, large-scale phishing attack. They are calling it “Longlining”.
With a play of words on the hit movie Jaws, just when you thought it was safe to go in the water, the sharks have adopted and are lurking in devious and previously almost invisible ways.
What it is and how it got its name
As Knight explained, “Longlining” got its name from the industrial fishing practice of deploying miles-long fishing lines with thousands of individual hooks. In a nutshell, in a cybersecurity context it combines successful spear phishing tactics with mass customization. Unfortunately, attackers can now rapidly deploy thousands of unique, malware-laden messages that are largely undetectable to traditional signature and reputation-based security systems. And, Proofpoint’s investigation found that despite the enormous scale of such attacks the mass customization employed tricked more than 10 percent of recipients into clicking on malicious content capable of taking complete control of PCs and compromising corporate networks.
The relief here is that Proofpoint has the ability to trace and defeat these attacks using their recently released big data solution Proofpoint Targeted Attack Protection. In short, it is possible to feel better about going for swim with the knowledge that the sharks can be detected and repelled.
How it works: phishing meets mass customization
Knight walked me through how Longlining works its evil; unlike conventional mass phishing exploits, the ‘hooks’ (e-mail messages) used are highly variable rather than identical. This is the secret in why they are largely undetectable to traditional signature and reputation-based security gateways. In fact, a recent incident is enough to keep IT people up at night.
The messages are typically varied by IP address of origination, subject line and body content. The body content also includes multiple mutations of an embedded destination URL, which typically leads to a site with a positive reputation that’s been successfully compromised prior to the attack. The compromised Web destinations are loaded with hidden malware either before, during or sometimes after the attack wave has begun.
Proofpoint in its public explanation of this notes that: “Attackers have been able to combine the stealth techniques and malicious payloads of spear phishing with massively parallel delivery. This means they can cost-effectively send 10,000 or even 100,000 individual spear phishing messages, all capable of bypassing traditional security. Attackers’ ability to distribute thousands of e-mail-borne malicious URL ‘hooks’ in a matter of hours greatly improves their odds of success and their ability to exploit zero-day defects before corporate IT has time to patch vulnerable systems.” In fact, Knight is quoted as saying, “Legacy security systems and techniques simply can’t cope with this combination of speed and sophistication, leaving large enterprises increasingly vulnerable to a wide-range of criminal activity and data loss.”
Chaos in Action
As part of the new, six month study, which involved over one billion e-mail messages, Proofpoint observed, documented and countered dozens of longlining attacks globally. And, just so you know, they have a pretty good view of things based on their penetration of U.S. enterprise accounts.
The one cited in the public release was on October 3, 2012, Proofpoint observed a Russia-based attack with the following characteristics:
Similar attacks were documented throughout the fourth quarter of 2012 and early 2013. And, just in case that does not scare you, in another representative attack, approximately 28, 800 messages were sent in multiple one-hour bursts to over 200 enterprises. The campaign consisted of 813 unique compromised URLs sent from 2,181 different sending IPs. Again, each organization saw no more than three messages with identical content.
Longlining works all too well
The bad news is that despite their size, longline attacks really work quite well. Proofpoint found that:
As Knight told me, the real issue is that typical antivirus protection did not pick up these attacks. In describing another incident that involved 700 customers and 900K messages from 30K IP addresses, each message had four exploits contained. “If they did not get you with one they got you with one of the other three and less than 10 percent of the 46 anti-virus solutions used detected the activity,” Knight explained.
With a huge part of the industry discussion at RSA involving Advanced Persistent Threats (ATPs), the ability by the bad guys to expand their scope and reach through longlining is certainly not welcome news, but the discovery of it and the fact that there are counter-measure is an important contribution to the industries now laser-like focus on generating more visibility for everyone regarding what is out there and what to do about it.
There is a lot more to know about longlining than this space allows. Hence, I recommend you download the Proofpoint whitepaper, Longline Phishing: e-mail-borne Threats, Cloud Computing, Big Data, and the Rise of Industrial Phishing Attacks at http://www.proofpoint.com/longline-wp, for a full explanation.
I would like to say you will be glad you did, and hopefully it does not cause you to be like me, sleepless in San Francisco. Clearly the bad actors have been busy and that is not a good thing.
To hear the current FCC talk about it, 5G mobile service is the be-all and end-all of not only mobile communications, but the answer to most of the co…
mCart by Mavatar announces the launch of the world's first blockchain-based decentralized mCart marketplace by the FX Group.
Federal judge Richard Leon gave the $85 billion deal the green light today - and without any requirements to sell off any parts of the company. He als…
There are now thousands of blockchains, and unless you are a cryptophile, you won't recognize most of them.
Ribbon Communications tells its story at Perspectives18.