Solera research director spots a hybrid spear phishing attack

Solera's Andrew Brandt details the anatomy of a hybrid spearphishing attack
Solera's Andrew Brandt details the anatomy of a hybrid spearphishing attack

According to Brandt, the message addressed to Alan Hall, Solera's head of marketing, claimed it was an order confirmation from a (real) online retailer named Yesasia.com, and contained his full name as well as his Solera Networks email address in the body of the message.

The order confirmation claimed that Alan had just completed the purchase of two products: a Logitech QuickCam Ultra Vision webcam and a 1TB external hard drive from Freecom with a price tag of $483.47.

“For more information, the email claimed, you could follow a link – now dead – that looked like it pointed to an invoice hosted on Yesasia’s server”, he said in his latest security posting, adding that it turned out to be a classic fake shipping confirmation scam.

Its success, he explained, hinged on the recipient clicking the text of a fully-qualified URL that was actually hyperlinked to point at a different web address, primed to do nasty stuff when the victim falls into the trap and thoughtlessly clicks the link.

In most respects, Brandt went on to say, this particular attack wasn’t all that different from the rounds of fake order confirmation spam that’s been in regular use as a social engineering technique, delivering keyloggers such as Zeus and SpyEye, and downloaders such as Tacticlol, to victims’ computers for more than three years.

“In fact, this is the time of the year when this kind of activity ramps up, leading up to the post-Black Friday end-of-the-year online shopping period”, he noted.

“Simply by hovering your mouse pointer over the link, you can see the problem with this. Unfortunately, we’ve all become trained to think that this kind of thing is normal. After all, it has become all too common for many businesses to embed links in legitimate messages that point not to the company’s own web server, but to tracking services whose job is to monitor how many people click the link”, he explained.

Brandt noted that, on October 10th, Solera’s CTO Joe Levy also received a similar email, but customized for his name and email address.

Was this a spear phishing attack? Not quite, as the Solera director of threat research said that, if this kind of mass-scale data mining is becoming common, we might have to move the bar that defines what we mean by a “spear phishing attack.”

Until now, he said, we’ve called most kinds of targeted phishing attacks in which the recipient is identified a spear phish, but this is different as, judging by the volume of people complaining about receiving a very similar email, this is merely a conventional malicious email that uses spear phishing-like techniques to cull public data and insert it into a bulk mailer, so making it more likely to trick the target.

“The truly scary spear phishing emails are the ones designed to look like they’re coming from a colleague at the same company as the target. This was definitely not one of those. More importantly, the link was live and delivering malware”, he said.

What’s hot on Infosecurity Magazine?