Cisco Cisco Email Security Appliance C190 White Paper

Page 4 of 8

Cisco Security White Paper
Email Attacks: This Time It’s Personal

Targeted Attacks

Targeted attacks are highly customized threats directed at a specific user or group of users, typically for intellectual property theft. These attacks are very low in volume and can be disguised either by known entities with unwittingly compromised accounts or by anonymity in specialized botnet distribution channels. Targeted attacks generally employ some form of malware – and often use zero-day exploits – in order to gain initial entry to the system and to harvest desired data over a period of time. With these attacks, criminals often use multiple methods to reach the victim. Targeted attacks are difficult to protect against and have the potential to deliver the most potent negative impact to victims.

While potentially similar in structure, the major differentiator of targeted attacks relative to spearphishing attacks is the focus on the victim. A targeted attack is directed toward a specific user or group of users, whereas a spearphishing attack is usually directed toward a group of people with a commonality, such as being customers of the same bank. Targeted attackers often build a dossier of sorts on intended victims, gleaning information from social networks, press releases, and public company correspondence. While spearphishing attacks may contain some personalized information, a targeted attack may contain a great deal of information which is highly personalized and generally of unique interest to the intended target.

Table 2: Comparison Between Targeted and Spearphishing Attacks

Attributes                 Targeted Attacks                     Spearphishing Attacks
Intent                     Intellectual Property Theft          Financial Gain
Malware                    Yes, often with zero-day exploits    Possibly
Target Reconnaissance      Yes                                  No
Level of Personalization   Very High                            Some

A well-publicized example of a targeted attack is the Stuxnet attack, a computer worm discovered in July 2010 which specifically targeted industrial software and equipment. Stuxnet exploited a vulnerability in the way that Windows handles shortcut files, allowing the worm to spread to new systems. The worm is believed to be purpose-built to attack Supervisory Control and Data Acquisition (SCADA) systems, that is, those used to manage complex industrial networks, such as systems at power plants and chemical manufacturing facilities. Stuxnet’s cleverness is in its ability to traverse non-networked systems, which means that even systems unconnected to networks or the Internet are at risk. Operators believed that a default Siemens password (which had been made public on the web some years earlier) could not be corrected by vendors without causing significant difficulty for customers. The SCADA system operators might have been laboring under a false sense of security—since their systems were not connected to the public Internet, they might have believed they would not be prone to infection. Federal News Radio’s website called Stuxnet “the smartest malware ever.”

In January 2011, Cisco SIO detected a targeted attack message sent to senior executives at a large corporation. This campaign was sophisticated, in that it used previously unseen resources. The message was sent by an unknown party through a legitimate but compromised server in Australia. The email message was seemingly legitimate (figure 3). The embedded action URL was hosted on a legitimate but compromised law blog. When clicked, the user’s browser was directed to a previously unknown copy of the Phoenix exploit kit. After the exploit was successful, it installed the Zeus Trojan on the victim’s computer.

Figure 2: Spearphishing Message

To:  XXXXXX
From:  XXXXXX
Date: Sun, Jun 19, 2011
Subject: XXXXXX Account Certificate Download

Dear XXXXXX User,

Our database has been compromised, how you already know.

To protect your account in the future, please download the Certificate (self-extracting archive) from XXXXXXXXXXXXXXXXXX.com and install it.

If you are using the same password on XXXXXX and other places (email, XXXXXXXXX, etc.), you should change this password as soon as possible.

Please accept our apologies for the troubles caused, and be certain we will do everything we can to keep the funds entrusted with us as secure as possible.

Any unauthorized access done to any account you own (email, XXXXXXXXX, etc.) should be reported to the appropriate authorities in your country.

Thanks,
The XXXXXX team