Spear Phishing in Google’s Pond

Francis deSouza - Group President, Enterprise Products and Services, Symantec

Earlier this week, Google posted a blog stating that the personal Gmail accounts of numerous users, including senior US government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel, and journalists had been attacked. Google said a campaign to obtain passwords appears to have originated in Jinan, China and was aimed at monitoring the contents of these users' emails, with the perpetrators apparently using stolen passwords to change people's forwarding and delegation settings. Google confirmed that it detected and disrupted this campaign and has notified victims and secured their accounts. They have also notified the relevant government authorities.
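The post notes that the attackers used stolen passwords to change victims' forwarding and delegation settings. The following is an added defender-side example, not code from Symantec or Google: it scans a constructed audit-log format (field names, the `example.org` domain, the per-user baseline of known login IPs and the sample events are all assumptions) and flags any forwarding or delegation change that hands a mailbox to an address outside the organisation, raising the severity when the change came from an IP the user has never logged in from.

```python
# Added example: flag mailbox forwarding/delegation changes to outside addresses.
# The event format below is constructed for illustration, not a real Gmail log.

INTERNAL_DOMAINS = {"example.org"}  # assumption: the organisation's own mail domains

# Assumption: per-user IPs seen in earlier, trusted logins (a historical baseline).
KNOWN_IPS = {"bob@example.org": {"203.0.113.7"}}

# Constructed sample events (RFC 5737 documentation IPs, reserved .example domain).
SAMPLE_EVENTS = [
    {"ts": "2011-06-01T08:05:44Z", "user": "bob@example.org", "ip": "203.0.113.7",
     "event": "forwarding_changed", "target": "bob.backup@example.org"},
    {"ts": "2011-06-02T03:19:30Z", "user": "bob@example.org", "ip": "198.51.100.9",
     "event": "forwarding_changed", "target": "mailcollect@attacker.example"},
    {"ts": "2011-06-02T03:20:12Z", "user": "bob@example.org", "ip": "198.51.100.9",
     "event": "delegation_added", "target": "reader@attacker.example"},
    {"ts": "2011-06-02T03:21:00Z", "user": "bob@example.org", "ip": "198.51.100.9",
     "event": "signature_changed", "target": ""},
]

WATCHED_EVENTS = {"forwarding_changed", "delegation_added"}


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one the organisation controls."""
    if "@" not in address:
        return True  # empty or malformed target: treat as untrusted
    return address.rsplit("@", 1)[1].lower() not in internal_domains


def flag_suspicious_changes(events, internal_domains=INTERNAL_DOMAINS, known_ips=KNOWN_IPS):
    """Return one alert per forwarding/delegation change that sends mail outside
    the organisation; severity is 'high' when the change came from an IP absent
    from the user's login baseline, otherwise 'medium'."""
    alerts = []
    for ev in events:
        if ev["event"] not in WATCHED_EVENTS:
            continue  # other settings changes are not in scope for this check
        if not is_external(ev["target"], internal_domains):
            continue  # forwarding/delegation inside the organisation is allowed
        from_unknown_ip = ev["ip"] not in known_ips.get(ev["user"], set())
        alerts.append({
            "ts": ev["ts"], "user": ev["user"], "event": ev["event"],
            "target": ev["target"],
            "severity": "high" if from_unknown_ip else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious_changes(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the internal backup forward and the signature change are ignored and the two external changes are reported as high-severity alerts.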

These attacks appear to be an example of “spear phishing.” A spear-phishing message is an email that appears to come from an individual or business the recipient knows, but doesn’t. It comes from the same criminal hackers who want credit card and bank account numbers, passwords, and the financial information stored on users’ PCs. At its heart, spear phishing is simply a targeted attack.

Symantec has noted a continuous increase in targeted attacks, including spear phishing. In fact, the April 2011 MessageLabs Intelligence Report, published by Symantec, revealed that the number of targeted attacks intercepted by Symantec.cloud each day rose to 85—the highest since March 2009, when the figure was 107 in the run-up to the G20 Summit held in London that year. While some high-profile targeted attacks in 2010 attempted to steal intellectual property or cause physical damage, many of these targeted attacks preyed on individuals for their personal information.

Spear-phishing attacks can target anyone. While the high-profile targeted attacks that received a high degree of media attention (such as Stuxnet and Hydraq) attempted to steal intellectual property or cause physical damage, many such attacks simply prey on individuals for their personal information. Such was the case with the recent events surrounding Google’s Gmail.

The spear phisher thrives on familiarity. They know their target’s name, email address, and at least a little about them personally. The salutation on the email message is likely to be personalized: “Hi Bob” instead of “Dear Sir.” It may refer to a “mutual friend” or to a recent online purchase the target has made. Because the email seems to come from someone the target knows, they may be less vigilant and hand over the information requested. And when it’s a company they know asking for urgent action, they may be tempted to act before thinking.

How do people become targets of a spear phisher? The answer is simple: through the information users put on the Internet from their computers and smartphones. For example, a spear phisher might scan social networking sites and find a user’s page, their email address, their friend list, a recent post telling friends about the cool new camera they just picked up from an online store, or a page about someone giving a presentation on a groundbreaking new technology. Using that information, the spear phisher could pose as a friend, send the target an email, and ask for the password to the user’s photo page. If the user responds with the password, the phisher will try that password and variations of it against the user’s account on the online shopping site they bought the camera from. If they find the right one, they’ll use it to run up a nice tab at the user’s expense. Or the spear phisher might use the same information to pose as the online shopping site and ask the user to reset their password or re-verify their credit card number. If the user complies, the spear phisher can then do them financial harm.

At the end of the day, these kinds of attacks are often highly targeted and prey on the susceptibility of individuals. Symantec recommends the following best practices for protection against targeted phishing attacks:
•    Unsubscribe from legitimate mailings that you no longer want to receive. When signing up to receive mail, verify what additional items you are opting into at the same time. De-select items you do not want to receive.
•    Be selective about the websites where you register your email address.
•    Avoid publishing your email address on the Internet. Consider alternate options; for example, use a separate address when signing up for mailing lists, get multiple addresses for multiple purposes, or look into disposable address services.
•    Use strong passwords or two-factor authentication, such as Symantec’s VeriSign Identity Protection, which requires something you know and something you have.
•    Only enter personal and financial details on a website that is protected with an SSL certificate. Look out for the padlock, https, or the green address bar.
•    Using directions provided by your mail administrators, report missed spam if you have an option to do so.
•    Delete all spam.
•    Avoid clicking on suspicious links in email or IM messages because these may be links to spoofed websites. We suggest typing Web addresses directly into the browser rather than relying upon links within your messages.
•    Always be sure that your operating system is up to date with the latest updates, and employ a comprehensive security suite.
Do Not
•    Open unknown email attachments. These attachments could infect your computer.
•    Reply to spam. Typically the sender’s email address is forged, and replying may only result in more spam.
•    Fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details via email. When in doubt, contact the company in question via an independent, trusted mechanism, such as a verified telephone number or a known Internet address that you type into a new browser window (do not click or cut and paste from a link in the message). Only enter personal information when you initiate the session.
•    Buy products or services from spam messages.
•    Use the same login and password across multiple websites.
•    Open spam messages.
•    Forward any virus warnings that you receive through email. These are often hoaxes.