Security watchers are warning of a surge of highly convincing spear-phishing emails sent in bulk. More than one in 10 recipients of these so-called longlining* messages click on links to compromised websites because the phishing emails look utterly plausible, according to cloud-based security services firm Proofpoint. The …
Doesn't spearfishing imply it's a very targeted attack with personalised emails? Sending so many messages to so many companies sounds more like regular phishing.
Since we will never solve the problem of users being misled and tricked to click a link, when will there be software that doesn't cause your computer to be p0wned only by clicking on a link?
Something is fishy all right. They didn't even mention what kind of software one would have to run in order to make this happen.
Possibly sometime after we've worked out how to make computers self-aware, i.e. not anytime soon. In the meantime I think there is scope for improving the "are you sure" dialogue boxes. :)
Re: Self aware
The humans that click the links are arguably self aware, I think we can assume that by the time the average laptop has the combined IQ of six thousand PE teachers it will be just as easily fooled by the Hawking model the spammers are using to craft the spam.
"They didn't even mention what kind of software one would have to run in order to make this happen"
Adobe or Java - bringing platform equality to a virus near you..
@Ole- I'm sure Eadon will be along shortly to tell us.
"when will there be software that doesn't cause your computer to be p0wned only by clicking on a link?"
When the major browser vendors grow some fucking balls and disable software by default that is well known to be insecure. Want to use Java or Flash? Pop up an explicit warning that the software is dangerous to enable and that it should only be enabled on trusted sites.
Re: ...software that doesn't cause your computer to be p0wned only by clicking on a link?
Yes, there is, and it is called Linux.
A question of style: scare quotes
Dear El Reg,
I do think the "longline" adjective should be within quotes as it is a term used by Proofpoint (but it's not), whereas "drive-by downloads" and "rootkits" should not be within quotes (but they are) as these are standard, accepted terms.
Yours faithfully etc..
Re: A question of style: scare quotes
It would help people to understand also that 'trolling' doesn't actually refer to sub-bridge dwellers but another fishing reference.
That of dragging shiny lures through the water, they sparkle and flash and grab the attention of the unwary.
Spear or longline?
When you go spear fishing you use a spear, similarly a long line is used for long line fishing.
Your phish therefore, has to be one or the other.
Why do so many companies use email systems where SPF is not used? That should help prevent these getting through to the PICNICs.
HTML email only?
Presumably the nature of these emails is obvious to anyone using a plain text email client (or one configured that way.)
Re: HTML email only?
When many have defaults running on most mail clients or just use webmail, they only want to see pretty pictures and not all the giveaway clues you see on 'text only, no preview'.
Re: HTML email only?
Given the parameters, while I'd expect fewer clients who use plain text mail readers to be taken in, that's because I expect the people who use plain text mail readers are more technically aware than readers who use the default from the installer, which is typically HTML.
The key bits here are that the messages are well written, highly variable, and are using initially clean websites for the phishing. So the filter oriented techniques which are the standard technical defenses don't work. If the rest of the message gets past your social defenses and you copy the link to a browser, you are just as likely to get infected. It's not the HTML message itself that provides the compromise, it's the website when you follow the link.
Re: HTML email only?
MIME type is included in most decent spam filters
That might explain the plethora of "convincing looking" emails that I received over the weekend.
As per usual, they were all responded to from a library computer, all links were followed and all user credentials and passwords were made up on the spot.
If all IT chaps did this then a couple of things could happen.
1. The library computers could be infected with Malware - not nice, but not my own PC
2. The perpetrator might waste some time with false positives.
3. If 2 happened then maybe cyber-plod could at least arrest someone
4. Libraries would stop letting members of the public use their computers.
"they were all responded to from a library computer,"
If you really wanted to have 'fun' with this why not use a LiveCD distro ?
Possibly because anyone booting their own OS in a library is liable to be chucked out PDQ by any member of staff at least half on the ball.
How do the staff know what you're booting? The most common Linux live CD that I boot is for data erasure, I wouldn't want someone screwing with my installed OS. I'd certainly kick someone out for booting something I haven't specifically checked out on my systems, were I in charge and very much doubt that I'd have the time to check out random punters' personal OSes. That said, I would probably download a Linux CD myself from the distributor's web site and allow someone to use that.
"Possibly because anyone booting their own OS in a library"
I wasn't suggesting anyone should boot another OS on a library computer - I'd assume they'd have disallowed that in any case. The OP seemed to suggest that he used a library computer to specifically deal with this sort of e-mail, not for all their computing.
super-phishing emails threatens biz
"according to cloud-based security services firm Proofpoint."
Now you just have to buy our service...
Thanks for the ad Reg.
Re: super-phishing emails threatens biz
All the scary security news of the last few years comes from marketing departments of security firms. Firms like Symantec and McAfee pump out these things on a daily basis. I think news sites should start to filter this kind of "news".
It's all rather old news repeated really
Since the days of SMTP authentication implementation, I think these sorts of 'tales' have existed, they just seem to be multiplying :-(
Proofpoint and Sophos should mention something that people shouldn't already know... shouldn't, because don't doesn't quite apply for most users.
Reverse DNS lookups mixed with SPF and DKIM and a relatively strict spam score would also aid in authentication.
Guess I'm not important enough
All the spam emails I get are written in such awful English that it stands out like a sore thumb. "Please respectfully download ours new security softwares to protect yours account" is hardly something I'd expect from the FDIC.
Or am I giving the FDIC too much credence here? :D
Re: Guess I'm not important enough
Those guys that secretly close banks on Friday 16:00?
Makes it worse...
when legit companies use bit.ly etc to link to their own site.
I got a phish email on Friday.
On my work account.
And on my work account alias.
And on work's all_staff address.
Love that targeting.
Industrial-scale super-phishing emails?
"New class of industrial-scale super-phishing emails threatens biz"
Is this the same as the old-fashioned stuff, as in your 'computer' can be compromised by opening an email attachment or clicking on a URL?
Who is going to save us from all this adobe browser apple android java linux open source pdf malware?
Live and let spam = DEATH TO EMAIL
See how well filtering has worked? The spammers have made so much money that they can now refine their targeting in search of bigger phish. So far they had just been playing in the shallow end of the pool, but you've probably seen some of the excellent pitches at Facebook and LinkedIn users. Lord save us from the spam-lovers at Yahoo, and several recent rounds of spam have been bypassing the supposedly wonderful spam filtering from the google of increasing EVIL.
Why doesn't ANYONE offer an email system that the spammers hate and fear?
Wasting my breath and keystrokes, but I'll repeat the OBVIOUS suggestion: Some email system should have integrated INDUSTRIAL-STRENGTH anti-spammer tools. EVERY part of the spammers' infrastructure should be targeted and ALL of the spammers' accomplices should be pushed to bankruptcy. ALL of the suckers who feed the spammers should be protected from the idiocy. Heck, let's even protect the corporate victims whose reputations are abused by the spammers.
Imagine a multi-round spam-fighting tool that would analyze the spam with increasingly refined targeting. Would you be willing to spend a few minutes and donate a bit of your intelligence to help shut down the spammers and prevent them from profiting? Of course you don't have to, but if it was easy enough for more people to do it, we can surely cut the spammers away from their extremely limited supply of suckers.
However, I think that some of the spam would get your goat and you would want to help stop it. Do you have children? Would you like to hammer on a spammer who targets children? What if you are actually a high-level executive who might be a legitimate target of spear phishing? Would you like tools to help you recognize the scam and shut it down? Maybe you work for a company that gets abused by spammers and you'd like to take a few shots at them?
A horse? No. I would give my kingdom for a BIG anti-spam hammer. (Okay, so I don't have a kingdom, but it's not like I'm Shakespeare.)