Phishers Cast Longlines to Hook More Victims

Phishing and spear phishing have long been thought to be mutually exclusive hacking tricks, but cybercrooks have found a way to combine the two in a technique called longline phishing.

“The technique allows you to hit a lot of people very quickly and largely go undetected,” Dave Jevans, founder and CTO of Marble Security and founder of the Anti-Phishing Work Group, told TechNewsWorld.

With spear phishing, which is typically used as a vehicle for advanced persistent threat attacks like the recent one on The New York Times, a select group of connected people are targeted with a highly credible email message based on extensive research of the targets’ backgrounds.

“With longlining, you can get hundreds of people exposed to a website that will infect their computers,” Jevans noted.

He explained that longliners — named after commercial fishermen who use long lines of hooks to catch fish — might send 100,000 emails from 50,000 IP addresses, which makes it difficult to identify an email from a particular server as hacking bait.

Evading Detection

In a typical spam attack, thousands of emails can be connected to a single IP address, Jevans said. With a longline attack, only one or two messages will be associated with an IP address.

“That makes it impossible to detect that IP address as bad,” he said.

The content of each individual message is also different, making it hard to identify the message as spam from its content.

“All the messages are in perfect English, too,” Jevans added.

By camouflaging their attacks behind customized messages and many IP addresses, the longliners can evade detection and extend the life of their campaign, according to Limor Kessem, a cybercrime specialist with RSA.

“When they limit exposure, the attack won’t be taken down easily,” she told TechNewsWorld. “A typical phishing attack is taken down momentarily these days.”

Bad Apps on the Rise

A number of surveys released last week painted a grim picture of web and mobile apps, as well as data breach notification compliance among small businesses.

A report from F-Secure did nothing to change the reputation of Google’s Android operating system as a magnet for bad apps.

The Finnish-based security firm reported that 79 percent of all mobile malware in 2012 could be found on the platform. That was a jump from 2011 when 66.7 percent of all mobile malware was found on Android.

If the Android app scene is bad, the web app scene is even worse, according to Cenzic, makers of a security platform for cloud apps.

In a study it released last week, it found that 99 percent of all web apps it tested in 2012 had one of more serious vulnerabilities. What’s worse, the median number of vulnerabilities in their app sample was 13.

“What I am a bit surprised by, is the quantity and severity of vulnerabilities we are seeing in mobile apps,” Cenzic CEO Scott Parcel told TechNewsWorld.

“The fact that normal web application vulnerabilities and risks have not changed substantially is frustrating, but not a surprise,” he said.

“We are all too aware that organizations still do not give web application security the priority that it is due, and are often unaware of more effective solutions.”

Customer Alerts Lacking

In another study released last week, it was revealed that 55 percent of small businesses have experienced at least one data breach, and almost as many — 53 percent — have been hit by multiple data breaches.

While many small businesses are experiencing data breaches, however, only about a third notified people affected by the breaches, according to the survey conducted by the Ponemon Institute for Hartford Steam Boiler.

“We were surprised to discover that only 33 percent of small businesses notified the people affected that their personal information had been lost or stolen,” Eric Cernak, a vice president at Hartford Steam Boiler told TechNewsWorld.

“It’s as if smaller firms are unaware of their legal obligations when the reality is that there is no ‘safe harbor’ for smaller enterprises,” he added.

Data Breach Diary

  • Mar. 4. Symantec and FireEye link attack on security vendor Bit9 was part of a larger cyberespionage campaign targeting a number of industrial targets.
  • Mar. 5. Evernote, a cloud notebook application, discloses it will be implementing two-factor authentication later this year. On March 2, the company reset the passwords of some 50 million users after discovering a data breach.
  • Mar. 6. California federal court dismisses lawsuit seeking damages from LinkedIn for data breach last year that compromised 6.5 million user accounts. Judge ruled plaintiffs could not show they suffered actual damages from the breach.
  • Mar. 6. Saudi Aramco Twitter account compromised.
  • Mar. 6. South African State Security Ministry Twitter account reported compromised.

Upcoming Security Events

  • Mar. 12-15. Black Hat Europe. Grand Hotel Krasnapolsky, Amsterdam, Netherlands. Registration: through Jan. 10, 1,095 euros (US$1,447); through Feb. 28, 1,295 euros ($1,711); Mar. 1-15, 1495 euros ($1,975).
  • Mar. 14. Understanding What Data Masking Approach is Right For You. 2 p.m. ET. Webinar sponsored by IBM. Free.
  • Mar. 20. Mitigating the Top Human Risks. 1 p.m. ET. Webinar sponsored by RSA and SANS Institute. Free.
  • March 28. Trends in Government Security – Risk Management, Compliance and Technology. 1 p.m. Webinar. Free.
  • Apr. 23-24. Black Hat Embedded Security Summit. McEnery Convention Center in San Jose, Calif. Registration: Before Feb. 9, $999; Feb. 9-Apr. 18, $1,099; Apr. 19-25, $1,199.
  • Apr. 23-25. Infosecurity Europe. Earls Court, London, UK. Registration: By Apr. 19, free; After Apr. 19, Pounds 20.
  • Jun. 11. Cyber Security Brainstorm. 8 a.m.-2:30 p.m. ET. Newseum, Washington, D.C. Registration for Non-government attendees: Before March 3, $395; Mar. 3-Jun. 10, $495; Onsite, $595.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Hacking

Technewsworld Channels