Want to gain access to a company server for malicious or illegal purposes? These days, you don't need much more than the ability to search LinkedIn and a willingness to pay for malware development under a software-as-a-service model.
This point was raised at the 'Enrich Defend Protect' seminar I attended in Melbourne earlier this week. The seminar, co-hosted by FireEye, Imperva and Splunk, had one overriding theme: security tools need to integrate with each other to provide an effective defence system. One major reason for that? Mounting a concerted attack is much easier than it used to be.
"Advanced targeted attacks are a common challenge across all sectors," said Kane Lightowler, APJ director of strategic accounts at Imperva. "This isn't a specific threat that is targeting a certain organisation size or a certain sector."
The easiest way to hack into an organisation is to dupe an employee. "A very small percentage of our users have the intent to be malicious. But 100 per cent of your employees have the ability to be the unknowing accomplice to that crime."
The ability to search LinkedIn and find people who work in specific roles makes it much more likely that an email can be aimed at a user whose privileges are high enough to access and alter systems, Lightowler said. Technical roles such as database administrators can be a tempting target, but anyone senior enough is worthwhile.
"It could be an administrator or any internal user. It's very easy to pluck off your particular target and then you can craft a compelling spear phishing email," Lightowler said. A common trick is to use something relating to that person's job as the lure, such as the launch of a new software tool or an upcoming meeting of a user group.
A phishing email can divert someone to a site, but how can you be sure of compromising their system? That's arguably even less of a challenge. Lightowler points out that a three-month licence to the BlackHole exploit kit costs $US700, and that includes support. It is, to all intents and purposes, malware as a service.
Older distribution vectors such as email also remain common. Rich Costanzo, ANZ sales engineering manager for FireEye, points to a recent surge in Australia of the 'Shipping Label' threat, which is a disguised executable renamed to look like a printable shipping label. "We've seen it pop up as a targeted attack in about four different organisations across Australia," he said.
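The 'Shipping Label' threat described above works because a user sees a document-like name and does not see that the file is an executable. The following is an added example (not code from the article or from FireEye or Imperva) of the two checks a mail gateway or endpoint triage script can run on an attachment to catch that disguise: a misleading double extension such as `.pdf.exe`, and file content whose header says "Windows executable" while the extension says "document". The extension lists and the sample attachments are constructed for the example; real deployments would use a fuller file-type detector.

```python
"""Attachment triage for disguised executables (added example, not from the article)."""

# Extensions that launch code on a Windows desktop (constructed, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Extensions a user would expect for a "printable" label or document (constructed).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "png", "jpg", "jpeg", "gif", "txt"}


def magic_type(data: bytes) -> str:
    """Identify the real file type from its leading bytes, ignoring the name."""
    if data.startswith(b"MZ"):          # DOS/PE header: a Windows executable
        return "pe_executable"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"\x89PNG"):
        return "png"
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of findings explaining why an attachment looks disguised."""
    findings = []
    exts = filename.lower().split(".")[1:]   # everything after the base name
    final = exts[-1] if exts else ""

    # "shipping_label.pdf.exe": a document extension hiding before a code extension.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and final in EXECUTABLE_EXTS:
        findings.append("double-extension")

    # Any attachment that Windows would run as code is worth flagging on its own.
    if final in EXECUTABLE_EXTS:
        findings.append("executable-extension")

    # The name says document but the bytes say executable.
    if magic_type(data) == "pe_executable" and final not in EXECUTABLE_EXTS:
        findings.append("pe-content-with-document-extension")

    return findings


def should_quarantine(findings: list[str]) -> bool:
    """Policy decision: any disguise indicator is enough to hold the message."""
    return len(findings) > 0


# Constructed sample attachments: one genuine PDF, two disguised executables.
SAMPLES = [
    ("shipping_label.pdf", b"%PDF-1.4\n%..."),
    ("shipping_label.pdf.exe", b"MZ\x90\x00\x03\x00"),
    ("shipping_label.pdf", b"MZ\x90\x00\x03\x00"),
]


def triage(samples=SAMPLES) -> dict[str, bool]:
    """Map each sample to a quarantine decision; index keeps duplicate names apart."""
    return {
        f"{i}:{name}": should_quarantine(inspect_attachment(name, data))
        for i, (name, data) in enumerate(samples)
    }


if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, inspect_attachment(name, data))
```

The point of checking the header as well as the name is that renaming is the whole trick: a gateway that trusts the extension alone is exactly what the disguise is designed to pass.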
I should stress that this doesn't mean LinkedIn itself is in any way a bad thing. Like any useful tool, it can be exploited for malicious purposes. The solution isn't to abandon the potential benefits; it's to make sure you take appropriate precautions and educate staff to treat everything with a suitable degree of caution.