Tuesday, May 16, 2006

Direct Phishing Attacks

I have been doing a lot of penetration testing, and the largest risk I see is Directed Phishing Attacks. I'm not talking about the normal phishing attack that sends out 10,000 million emails to random @yahoo addresses asking the user to log in to the "new" portal to make sure the password works...

I'm talking about a very small scale, hand-crafted attack. The attacker may spend days or weeks profiling and gathering information before sending an active attack. This is usually directed towards email addresses found on public websites or hardcopy documents captured via other channels. It's common to replicate an outward facing portal and spoof an email to users asking to login or verify credentials to ensure continuity. This stage is where creativity pays off.

The widget that gathers the passwords could be a spoofed company newsletter, Citrix, or a remote email application. Other advanced methods include creating a custom .exe installer with company logos and verbiage. The link is then passed to targets asking them to install an update, etc.

No matter the method of gathering the domain credentials... the attacker now has access to valid channels into the target intranet. To me, this process is MUCH easier to execute than performing a multilayered SQL injection or certain overflows. And the obvious fact is that the attacker never triggers any IDS / IPS alarms. Valid remote access is obtained into the target network.

I have been keeping notes over the past couple of years while performing these attacks and have recorded a 100% per-engagement success rate in gaining valid credentials. This is successful due to an overall response rate of 65%, which is probably a lot higher due to expired email addresses on the Internet.

How to protect from this Attack?
Well, this is the hard part. Currently I don't know of an existing method that will protect against this type of attack. I have tested numerous global companies that had every device on the market in the network, and this attack didn't raise one flag. However, PacketFocus is working to develop a new hybrid technology to protect organizations against this attack. This includes working on a prototype to be released depending on current negotiations.

This new technology will push a new type of AI to detect and deter directed phishing attacks. However, it would be much easier if we could mark the internal usernames and passwords so a smart device could make sure they are not sent outside certain boundaries.
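As an added illustration of the "mark the credentials and watch the boundary" idea (example code written for this page, not PacketFocus's product or any real device): an egress monitor that keeps only keyed hashes of internal passwords and a list of internal usernames, then flags captured outbound form POSTs that carry them to a host outside the allowed internal domains. The host names, key, credentials and captured posts are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs

# Hosts whose login forms may legitimately receive corporate credentials (constructed).
INTERNAL_HOSTS = {"portal.example.com", "mail.example.com"}

# The monitor never stores plaintext passwords: it keeps HMAC-SHA256 fingerprints
# under a key only the monitor knows, so a compromised monitor leaks nothing useful.
MONITOR_KEY = b"constructed-monitor-key"

def fingerprint(secret: str) -> str:
    return hmac.new(MONITOR_KEY, secret.encode(), hashlib.sha256).hexdigest()

# Constructed sample of "marked" internal credentials.
KNOWN_FINGERPRINTS = {fingerprint("Winter2006!"), fingerprint("Passw0rd")}
INTERNAL_USERS = {"jdoe", "asmith"}

CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd"}
USER_FIELDS = {"username", "user", "login", "uid"}

def check_post(url: str, body: str) -> list[str]:
    """Return the reasons a captured outbound form POST looks like credential leakage."""
    host = (urlsplit(url).hostname or "").lower()
    if host in INTERNAL_HOSTS:
        return []  # credentials going to our own portal are expected
    reasons = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        key = name.lower()
        for value in values:
            if key in CREDENTIAL_FIELDS and fingerprint(value) in KNOWN_FINGERPRINTS:
                reasons.append(f"known internal password in field '{name}' sent to {host}")
            elif key in USER_FIELDS and value.split("@")[0].lower() in INTERNAL_USERS:
                reasons.append(f"internal username '{value}' in field '{name}' sent to {host}")
    return reasons

# Constructed captures: (destination URL, url-encoded POST body). The second one is
# a look-alike host of the kind a replicated portal would use.
SAMPLES = [
    ("https://portal.example.com/login", "username=jdoe&password=Winter2006%21"),
    ("https://portal-example.com/login", "username=jdoe&password=Winter2006%21"),
    ("https://survey.example.net/submit", "name=John&comment=fine"),
]

def scan(samples=SAMPLES) -> dict[str, list[str]]:
    """Map each flagged destination URL to its list of reasons."""
    return {url: r for url, body in samples if (r := check_post(url, body))}

if __name__ == "__main__":
    for url, reasons in scan().items():
        print(url, "->", "; ".join(reasons))
```

The same check could sit on a proxy or mail gateway; the point is that the device compares fingerprints, not the secrets themselves.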


Until then...
Several of the following methods may minimize this risk but impact normal computing:
- Enforcing plain text email
- Whitelisting company partners
- Configuring email servers to deny spoofed addresses

EMail Josh.Perrymon (at) packetfocus.com for more details.
www.packetfocus.com
