Phishin’ Magicians: Think the Spammers are Getting Smarter? You’re Right.

Written by Malcolm James on August 11, 2011
Sigh. Just when I thought I’d figured spammers out, they rear their ugly heads and show me that they’re not nearly as dumb as I’d like them to be. Okay, I don’t really know if they’re ugly, but sometimes I browse the crap in my junk folder (I have a penchant for mediocrity) and I pretend they are. It’s much more desirable than the alternative – that they have Brad Pitt good looks, lounging on their yachts eating KD smothered with really expensive ketchup out of solid gold bowls. It should come as no surprise, however, that regardless of how we view them, spammers aren’t the morons we sometimes make them out to be.
Recently, a number of high profile botnet takedowns have made spammers’ migrations to more sophisticated and lucrative endeavors all but a fait accompli. The global law enforcement community, by kicking the hornet’s nest, has made our lives a little more difficult by encouraging the spammers to make their approach a lot more surgical. Almost as if they’re coordinated, à la the mafia or even heavily funded, state-sponsored operations. I know, it’s unlikely that any country is morally bankrupt enough to fund spear phishing, but it is tempting to imagine massive data centers in high tech buildings, filled with workers pounding away at their keyboards, like an infinite number of monkeys working on the perfect scam to take down an infinite number of unsuspecting targets. And that takes money. It’s not like these spammers were independently wealthy to begin with – if they were, then why would they bother? They could already afford their own ketchup. Furthermore, I doubt spammers are walking into banks applying for loans to set up well-funded scams.
A couple of months back, we were warned that spammers are getting smarter and more organized, when Cisco Security Intelligence Operations (SIO) published a report entitled “Email Attacks: This Time It’s Personal.” In it, Cisco SIO points out that spammers have moved away from the tried and not so true ‘throw-it-against-the-wall-and-see-if-it-sticks’ method, and instead have become more calculated and yes, even sophisticated in choosing spear phishing over bulk phishing. After all, why cast a net that may yield nothing when you can pluck the fish out of the water, one at a time? That is the theory, and Cisco’s numbers seem to back up the bad news: spammers are getting smart.
Nearly two months after the Cisco SIO report, a new paper published by a security company backs up the speculation. According to marketwire.com, security firm Internet Identity (IID) is reporting that more than half of all enterprises were victimized by spear phishing in the past year. The report also identifies that “phishers are becoming more sophisticated criminal marketers,” and that high profile data breaches at large companies like Sony and Epsilon have only underscored the insecurity of personal data, the lifeblood of spear phishers. Noteworthy too is that security firms themselves have come under attack.
As an example of how sophisticated the phishers have become, the article notes that:
“phishers increasingly used a technique called URL rewriting to target multiple legitimate domains simultaneously through compromised shared servers that host hundreds of unique URL’s at a single IP address. Compromising thousands of legitimate domains with good reputations in their attacks allows phishers to bypass many anti-spam measures and increase deliverability of their lure messages.”
The report also notes an 11% quarter-over-quarter increase in phishing, a whopping number which suggests that while our junk email folders may get lighter, our guard is going to have to be raised for the very real possibility that someday soon, someone’s going to try to poke you in the eye with a spear.
On an organizational level, this is a tremendous kick in the pants. As I’ve stated previously, I never worry about myself, because I know what to look for. Last month, I received a phone call from someone claiming to be from Microsoft. The chap informed me that Microsoft was calling all Windows users to help them avoid a security breach in the operating system. In between soft chuckling on my part, I goaded him on a bit before yanking the carpet out from under him. “I’m an IT professional,” I explained. “Why don’t you explain the problem and I’ll fix it myself?” That was enough to get rid of him.
Now, how will you go about giving everyone you know the knowledge they need in order to tell reality from fantasy?