These professional hacking mills employ divisions of labor. The marketing team, often led by executives, seeks customers willing to pay to hack a particular company for information, although the mills will often attack any company on spec, then market the information afterward.
The research and surveillance teams gather information about the target company’s org structure, business partners, Internet-accessible servers, software versions, and current projects. They obtain much of this information by visiting the target company’s public website and breaking into a few of its weaker-protected business partners.
This research is passed along to a team of initial compromisers, which establishes anchors inside the target organization. This team is the most important team at the mill, and it is broken down into several skilled subgroups, each focused on a particular domain: breaking into servers, launching client-side attacks, performing social engineering attacks, or spearphishing. The spearphishing team works hand in hand with the research team, mixing relevant topics and projects with their cadre of boilerplate email templates.
There are other teams as well. Backdoor teams come in after the initial entry is secured to help ensure easy future entry by inserting backdoor Trojans, creating new user accounts, and vacuuming up every log-on credential in the compromised organization.
Then, like any good consulting company, a longer-term team is dedicated to this “client.” This team roots around looking for important information, detailing the organization’s structure and VIPs. Within a short amount of time they know every defense system the company has in place and how to bypass it. When some new project or big piece of data comes online, this team is among the first to know about it. Any potentially interesting info is copied for safekeeping and future sale.
If that sounds a little different than a script kiddie whipping together a sloppy email at an Internet café, you’ll know why today’s phishing attempts are that much more effective. It’s a day job -- won by interview -- with a salary, benefits, and project bonuses. It even comes with a nondisclosure agreement, HR hassles, and departmental politics.
Make no mistake: Phishing emails went pro.
The attack is sent by someone you know
Today’s spearphishing emails often originate from someone you email with on a daily basis, not a Nigerian prince. They often appear to be from a boss, team leader, or some other authority figure up the management chain to ensure the victim opens the email and is more likely to do whatever the email says.
The email could be from an outside, sound-alike email account meant to resemble the authoritative person’s personal email account. After all, who hasn’t received a work-related email from a co-worker who accidentally used his or her personal account? We accept it as a common mistake.
Sign up for Computerworld eNewsletters.