
Longlining – Mass Customization Spear Phishing

I came across an interesting variation on spear-phishing known as longlining. Longlining, which is named after the industrial fishing practice of deploying miles-long fishing lines with thousands of individual hooks, combines successful spear phishing tactics with mass customization.

Using these techniques, attackers can deploy thousands of unique, malware laden messages that are largely undetectable to traditional signature and reputation-based security systems.

This is taken from Proofpoint’s website: http://www.proofpoint.com/about-us/press-releases/02262013.php

Dale Pearson of Subliminal Hacking also has a nice chart taken from Proofpoint here:

http://www.subliminalhacking.net/2013/05/10/longlining-the-2013-social-engineering-threat/

Longlining Defined

Longline phishing attacks are distinguished by three specific characteristics:

  1. Proportionally low volume per organization, with high overall volume. While not as targeted as an Advanced Targeted Attack (Longlining often hits tens of companies simultaneously), the volume of email per attack received by individual organizations represented far less than 0.1% of their overall mail flow. Across all targeted companies, however, a Longlining attack will likely send tens to hundreds of thousands of email messages in a few hours.
  2. Aggressive obfuscation and customization techniques, including:
    • Massively rotated sending IPs and spoofed sending addresses
    • Malware hosted on dozens of compromised sites
    • Text customization, ranging from minor wording shifts for “hashbusting” purposes to significant title and body content changes based on sending time and recipient company
    • URL rotation and/or link obfuscation, where links are typically obfuscated in HTML and may also be shortened and/or made unique via shortening techniques
  3. Malware payloads that leverage zero-day exploits. Links contained in Longline phishing messages lead to malware that exploits security holes for which no patch has yet been released, or for recently-discovered security holes that are likely to be as yet unpatched in most organizations.

The net result is that individual messages received are largely unique, and thus successful in bypassing traditional email security systems. No organization hit by a Longlining attack will receive more than a few email messages with the same characteristics.

In addition, the senders, recipients, and embedded URLs will appear valid and reputationally positive, making the emails very difficult to detect via conventional methods—even though the total volume of messages sent in a given
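The evasion described above (hashbusted wording, rotated sending IPs, rotated and shortened payload URLs, a handful of messages per organization) is exactly what defeats exact-match signatures. The following is an added example, not code from this post or from Proofpoint, showing one way a mail gateway or SIEM job could still correlate such variants: hash the raw body to demonstrate that every message is unique, then normalize away the rotated parts (URLs, numbers, case, punctuation) and cluster on bag-of-words Jaccard similarity, finally summarizing each cluster's spread of sending IPs, URL hosts and recipient organizations. The four messages, IP addresses, domains and URLs are constructed for the example; the 0.35 threshold and the greedy clustering are illustrative choices, not a tuned detector.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample traffic: three hashbusted variants of one hypothetical
# longline campaign (rotated sending IPs, rotated/shortened payload URLs,
# per-recipient wording changes) plus one unrelated benign message.
MESSAGES = [
    {"ip": "203.0.113.10", "to": "alice@acme.example",
     "body": "Hello Alice, your invoice 48213 is now overdue. "
             "Review the statement here: http://cdn.host-a.example/x/7f3a"},
    {"ip": "198.51.100.77", "to": "bob@acme.example",
     "body": "Hi Bob, your invoice 91002 is overdue. "
             "Please review the statement at http://bit.ly/2xQ9kL today."},
    {"ip": "192.0.2.45", "to": "carol@globex.example",
     "body": "Dear Carol, invoice 17744 is currently overdue. "
             "Review your statement: http://files.host-b.example/s/a91c"},
    {"ip": "203.0.113.10", "to": "dave@acme.example",
     "body": "Hi all, lunch is at noon on Friday in the main conference room. "
             "See you there."},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def exact_fingerprint(body):
    """SHA-256 of the raw body: what a hash/signature-based filter matches on.
    Hashbusting makes every variant produce a different value."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def normalize(body):
    """Collapse the things hashbusting rotates: URLs, numbers, case, punctuation.
    Returns the remaining word tokens."""
    text = URL_RE.sub(" <url> ", body)            # every link becomes one token
    text = re.sub(r"\d+", " <num> ", text.lower())  # invoice numbers etc.
    text = re.sub(r"[^\w\s<>]", " ", text)          # drop punctuation
    return text.split()


def jaccard(a, b):
    """Bag-of-words Jaccard similarity of two token lists (0.0 .. 1.0)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0


def cluster(messages, threshold=0.35):
    """Greedy clustering: a message joins the first cluster containing any
    member at least `threshold` similar, otherwise starts a new one.
    Returns lists of message indices."""
    tokens = [normalize(m["body"]) for m in messages]
    clusters = []
    for i, t in enumerate(tokens):
        for members in clusters:
            if any(jaccard(t, tokens[j]) >= threshold for j in members):
                members.append(i)
                break
        else:
            clusters.append([i])
    return clusters


def summarize(messages, members):
    """Campaign indicators for one cluster: how many sending IPs and URL hosts
    it rotates through, and how few messages any single recipient org sees."""
    ips, hosts, orgs = set(), set(), defaultdict(int)
    for i in members:
        m = messages[i]
        ips.add(m["ip"])
        for url in URL_RE.findall(m["body"]):
            hosts.add(urlsplit(url).hostname)
        orgs[m["to"].rsplit("@", 1)[1]] += 1
    return {"size": len(members), "sending_ips": len(ips),
            "url_hosts": len(hosts), "orgs": dict(orgs)}


if __name__ == "__main__":
    print("distinct exact hashes:",
          len({exact_fingerprint(m["body"]) for m in MESSAGES}), "of", len(MESSAGES))
    for members in cluster(MESSAGES):
        print(members, summarize(MESSAGES, members))
```

Run stand-alone, the script reports four distinct exact hashes (so a signature on any one body catches nothing else), one cluster holding the three invoice variants and a singleton for the lunch mail. The campaign cluster shows three sending IPs and three URL hosts for three messages, with no recipient organization seeing more than two, which is the "low per-org, high overall" shape the Proofpoint description gives. Production systems would use a locality-sensitive scheme such as MinHash or SimHash instead of pairwise Jaccard, and would fold in sender authentication results (SPF/DKIM/DMARC) and the final destination of each shortened link, but the normalization step is the part that matters: it removes the fields the attacker rotates before comparing.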

Results and Effectiveness of Longline Phishing Attacks

While the mechanisms used in the delivery of Longline phishing attacks are worth understanding, they would be of only academic interest if they were not also highly effective in luring message recipients to take the desired action. Several key findings from Proofpoint researchers are reported below.

For the following analysis, Proofpoint observed more than a billion email messages, delivered over several week-long periods to multiple “Fortune 1000” enterprises. Proofpoint’s research team observed that:

  • More than a quarter (27%) of email messages classified as spam also contained links to malicious URLs.
  • Of the Longline phishing attack messages that escaped detection by traditional perimeter defenses (i.e., messages that were successfully delivered to a legitimate recipient inbox), recipients fell for the attacks at an alarming rate. More than one in ten (11%) recipients clicked on embedded links to malicious URLs, effectively inviting attackers into their organizations. The majority of such URLs link to exploits that are undetectable to an observer (e.g., the exploit looks like a web page or browser waiting to load).
  • Mobile and remote users were dramatically more susceptible to Longline phishing attacks. Nearly one of every five (19%) clicks on malicious URLs embedded in email occurred “off network”—that is, outside of corporate perimeter protection—when employees accessed their email from home, on the road, or via mobile devices.
  • Approximately one in seven (14%) malicious URLs are sent only to a single, targeted organization. On average, most URLs aren’t sent to more than five organizations, making the malicious URLs very difficult to detect and stop using conventional, signature-based methods.

Longline phishing attacks are not only effective, but are also designed to circumvent existing perimeter-only security systems. Given the frequency of off-network clicks and unique URLs/malware signatures, Longlining would seem to necessitate a “follow the email” protection system to ensure that users are not compromised when they are outside of the protection provided by their organizations’ perimeter security systems.
