I came across an interesting variation on spear-phishing known as longlining. Longlining, which is named after the industrial fishing practice of deploying miles-long fishing lines with thousands of individual hooks, combines successful spear phishing tactics with mass customization.
Using these techniques, attackers can deploy thousands of unique, malware-laden messages that are largely undetectable to traditional signature- and reputation-based security systems.
This is taken from Proofpoint’s website: http://www.proofpoint.com/about-us/press-releases/02262013.php
Dale Pearson of Subliminal Hacking also has a nice chart taken from Proofpoint here:
Longline phishing attacks are distinguished by three specific characteristics:
- Proportionally low volume per organization, with high overall volume. While not as targeted as an Advanced Targeted Attack (Longlining often hits tens of companies simultaneously), the volume of email per attack received by individual organizations represented far less than 0.1% of their overall mail flow. Across all targeted companies, however, a Longlining attack will likely send tens to hundreds of thousands of email messages in a few hours.
- Aggressive obfuscation and customization techniques, including:
  - Massively rotated sending IPs and spoofed sending addresses
  - Malware hosted on dozens of compromised sites
  - Text customization, ranging from minor wording shifts for “hashbusting” purposes to significant title and body content changes based on sending time and recipient company
  - URL rotation and/or link obfuscation, where links are typically obfuscated in HTML and may also be shortened and/or made unique via shortening techniques
- Malware payloads that leverage zero-day exploits. Links contained in Longline phishing messages lead to malware that exploits security holes for which no patch has yet been released, or for recently-discovered security holes that are likely to be as yet unpatched in most organizations.
The net result is that individual messages received are largely unique, and thus successful in bypassing traditional email security systems. No organization hit by a Longlining attack will receive more than a few email messages with the same characteristics.
In addition, the senders, recipients, and embedded URLs will appear valid and reputationally positive, making the emails very difficult to detect via conventional methods—even though the total volume of messages sent in a given
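The hashbusting and URL rotation described above defeat exact-match signatures, but the underlying lure template still repeats across organizations. The example below (added here; it is not Proofpoint's code or anything from the original post) normalizes away the rotated fields, clusters messages on word-shingle similarity, and flags clusters that reach several organizations with no two identical bodies. The message set, threshold and field names are constructed assumptions for the demonstration.

```python
import hashlib
import re

# Constructed sample mail (not real campaign data): three near-duplicate lures with
# rotated senders, invoice numbers and URLs, plus one unrelated internal message.
MESSAGES = [
    {"org": "acme", "sender": "billing@ex-bank.example",
     "body": "Dear user, your invoice 48213 is ready. Please review the attached "
             "statement before the due date: http://cdn1.example/x/9a1f"},
    {"org": "globex", "sender": "accounts@ex-bank.example",
     "body": "Dear customer, your invoice 77120 is now ready. Please review the "
             "attached statement before the due date: http://img.example/v/b77c"},
    {"org": "initech", "sender": "notices@ex-bank.example",
     "body": "Dear user, your invoice 10990 is ready! Please review the attached "
             "statement before the due date here: http://host3.example/r/e2d0"},
    {"org": "acme", "sender": "hr@acme.example",
     "body": "Reminder: the quarterly all-hands is Thursday at 10am in the main room."},
]

URL_RE = re.compile(r"https?://\S+")
NUM_RE = re.compile(r"\d+")

def normalize(body: str) -> list:
    """Drop the fields an attacker rotates per message (URLs, numbers, case,
    punctuation) so only the lure's wording remains."""
    return re.findall(r"[a-z]+", NUM_RE.sub(" ", URL_RE.sub(" ", body)).lower())

def shingles(tokens: list, k: int = 2) -> set:
    """Word k-shingles: small wording edits change only a few shingles."""
    return {" ".join(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0

def exact_hash(body: str) -> str:
    """What a signature-based filter compares: differs for every rotated copy."""
    return hashlib.sha256(body.encode()).hexdigest()

def cluster(messages: list, threshold: float = 0.5) -> list:
    """Greedy single-pass clustering; returns lists of message indices."""
    clusters = []  # (representative shingle set, member indices)
    for i, m in enumerate(messages):
        sh = shingles(normalize(m["body"]))
        for rep, members in clusters:
            if jaccard(rep, sh) >= threshold:
                members.append(i)
                break
        else:
            clusters.append((sh, [i]))
    return [members for _, members in clusters]

def suspicious_clusters(messages: list, threshold: float = 0.5, min_orgs: int = 2) -> list:
    """Flag clusters spanning several orgs whose bodies never repeat exactly:
    low volume per organization, high volume overall, unique per message."""
    flagged = []
    for members in cluster(messages, threshold):
        orgs = {messages[i]["org"] for i in members}
        hashes = {exact_hash(messages[i]["body"]) for i in members}
        if len(orgs) >= min_orgs and len(hashes) == len(members):
            flagged.append(members)
    return flagged
```

In practice the per-organization view would be fed from a mail gateway or a shared threat feed, since a single tenant sees too few copies of any template for the cross-org count to trigger.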
Results and Effectiveness of Longline Phishing Attacks
While the mechanisms used in the delivery of Longline phishing attacks are worth understanding, they would be of only academic interest if they were not also highly effective in luring message recipients to take the desired action. Several key findings from Proofpoint researchers are reported below.
For the following analysis, Proofpoint observed more than a billion email messages, delivered over several week-long periods to multiple “Fortune 1000” enterprises. Proofpoint’s research team observed that:
- More than a quarter (27%) of email messages classified as spam also contained links to malicious URLs.
- Of the Longline phishing attack messages that escaped detection by traditional perimeter defenses (i.e., messages that were successfully delivered to a legitimate recipient inbox), recipients fell for the attacks at an alarming rate. More than one in ten (11%) recipients clicked on embedded links to malicious URLs, effectively inviting attackers into their organizations. The majority of such URLs link to exploits that are undetectable to an observer (e.g., the exploit looks like a web page or browser waiting to load).
- Mobile and remote users were dramatically more susceptible to Longline phishing attacks. Nearly one of every five (19%) clicks on malicious URLs embedded in email occurred “off network”—that is, outside of corporate perimeter protection—when employees accessed their email from home, on the road, or via mobile devices.
- Approximately one in seven (14%) malicious URLs are sent only to a single, targeted organization. On average, most URLs aren’t sent to more than five organizations, making the malicious URLs very difficult to detect and stop using conventional, signature-based methods.
Longline phishing attacks are not only effective, but are also designed to circumvent existing perimeter-only security systems. Given the frequency of off-network clicks and unique URLs/malware signatures, Longlining would seem to necessitate a “follow the email” protection system to ensure that users are not compromised when they are outside of the protection provided by their organizations’ perimeter security systems.