This post was authored by Earl Carter.
Attackers are constantly looking for ways to monetize their malicious activity, and in many cases that means going after user data and accounts. Talos continues to see phishing attacks targeting customers of multiple high-profile financial institutions. In the past couple of months we have observed phishing campaigns aimed at customers of credit card companies, banks, credit unions, and insurance companies, as well as of online businesses such as PayPal and Amazon. These phishing attacks have gone old-school: they either attach an HTML document or embed HTML in the email body itself, presenting the user with official-looking pages that appear to belong to the targeted businesses.
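The old-school pattern described above, HTML attached to or embedded in the message that renders a credential form, can be flagged mechanically before the user ever sees the page. The following is an added example and not code from the Talos post: it parses a raw message with Python's standard email module, pulls every inline text/html body and every attachment with an .htm/.html name, and reports any form that contains a password field and does not post back to the sender's own domain (relative and mailto: actions count as off-domain, since a form inside an email body or a loose HTML file has no legitimate local target). The sample message, the brand and all hosts in it are constructed for the example.

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Collect each <form action=...> and whether it contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []  # entries: [action, has_password_field]

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append([a.get("action", ""), False])
        elif tag == "input" and a.get("type", "").lower() == "password" and self.forms:
            self.forms[-1][1] = True


def html_parts(msg: Message):
    """Yield (location, html_text) for inline text/html bodies and HTML file attachments."""
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or fname.endswith((".htm", ".html")):
            raw = part.get_payload(decode=True) or b""
            where = f"attachment:{fname}" if fname else "inline"
            yield where, raw.decode(part.get_content_charset() or "utf-8", "replace")


def credential_forms_offdomain(raw_email: str):
    """Return [(location, action_url)] for credential forms that do not post to the From: domain.

    The From: header is spoofable, so this is a consistency check on the mail as presented:
    a page that claims to be the bank but ships the password elsewhere is the phishing tell.
    """
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    for where, html in html_parts(msg):
        scanner = _FormScanner()
        scanner.feed(html)
        for action, has_password in scanner.forms:
            host = (urlparse(action).hostname or "").lower()  # "" for relative or mailto: actions
            same_domain = sender_domain and (host == sender_domain or host.endswith("." + sender_domain))
            if has_password and not same_domain:
                findings.append((where, action))
    return findings


# Constructed sample: one inline form that posts to the sender's own domain (not flagged)
# and one HTML attachment whose form posts card data to an unrelated host (flagged).
SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@examplebank.test>
To: customer@example.test
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please verify your account using the attached form.</p>
<form action="https://secure.examplebank.test/login" method="post">
<input type="text" name="user"><input type="password" name="pass"></form>
</body></html>
--b1
Content-Type: application/octet-stream; name="verify.html"
Content-Disposition: attachment; filename="verify.html"

<html><body><form action="http://203.0.113.7/collect.php" method="post">
<input type="text" name="card"><input type="password" name="pin"></form>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for where, action in credential_forms_offdomain(SAMPLE_EMAIL):
        print(f"{where}: credential form posts to {action}")
```

Run against the constructed sample, only the attachment is reported. The attachment is deliberately labelled application/octet-stream rather than text/html, which is why the filename check exists alongside the content-type check; a gateway that keys on content type alone misses exactly the attached-HTML variant the post describes.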
Tags: phishing, spam, Talos, threat intelligence
This post was authored by Nick Biasini, Alex Chiu, Jaeson Schultz, and Craig Williams. Special thanks to William McVey for his contributions to this post.
Table of Contents
WHOIS Privacy Protection
Why Does This Exist
Implications for the Good/Bad Guys
Current State and Mitigations
In mid-2013 a problem occurred that slowly began unmasking the registration information of domain owners who had opted into WHOIS privacy protection. These domains all appear to have been registered via Google Apps, using eNom as the registrar. At the time of writing, there are 305,925 domains registered via Google's partnership with eNom; 282,867 of them, roughly 94%, appear to have been affected. (Google reports that new domains which have not yet faced a renewal period are not affected, and many businesses do not opt into the privacy service.) The information disclosed included full names, postal addresses, phone numbers, and email addresses for each domain, leaked in the form of public WHOIS records.
The graphic above illustrates the drastic shift from domains using privacy protection (dark green) to domains with their WHOIS information exposed (light green). At its peak, at least 90% of the domains registered were using privacy protection; that figure plummeted to less than 1%. The grey circle marks the point at which the shift began, and the arrow marks when the problem was resolved.
Tags: discovery, phishing, Talos, Threat Research, whois
2014 was a terrible year for corporate data breaches. If there is to be any silver lining, information security professionals must draw lessons from the carnage. A good place to start is to identify common denominators.
Several of the most damaging incidents started with phishing emails into office (or contractor) networks. Social engineering has become so sophisticated and targeted that we can hardly blame employees (sometimes high-level executives) for clicking on legitimate-looking links. Once an attacker is operating with a compromised employee's credentials, he can potentially reach whatever that employee can. In one case the attacker got in through a corporate software development network that was not sufficiently segregated from other critical networks. In other cases, disgruntled employees with access to valuable customer data were involved.
Clearly, employee access controls are critical. If we can improve these systems, we will go a long way toward securing our networks. This is not as easy as it sounds, however. When information security teams restrict access or revoke privileges, they get pushback. They become obstructionists, bad cops, bureaucrats. To be fair, we really do run the risk of strangling teamwork, erecting stovepipes, and throttling collaboration. How do we construct robust user access controls without being the bad guys?
Tags: access control, data breaches, phishing, security, social engineering
If you read the recently released Cisco Annual Security Report, you will have learned how spammers have adopted a "snowshoe" strategy: spreading a campaign across a large number of IP addresses with a low message volume per address, so that reputation systems which key on per-IP volume never see enough from any single source to block it. This contributed to a 250 percent increase in spam from January 2014 to November 2014. Or perhaps the report's finding that malicious actors are using malvertising (malicious advertising) delivered through web browser add-ons as a medium for distributing malware and unwanted applications caught your eye. To protect against these emerging threats, Cisco continues to build out its email security offering, providing greater protection and control across the attack continuum along with additional flexibility for centralized management.
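The snowshoe profile is invisible to a per-IP counter by design, so the detection has to aggregate by something the spammer cannot spread out: the content. The following is an added example and not code from the report or from any Cisco product: it reads a constructed mail-log excerpt, reduces each subject to a template (digits collapsed, so per-recipient invoice numbers do not split one campaign), and flags templates that are high-volume in aggregate while no single source IP exceeds a small count and the sources span several /24 networks. The log format, thresholds and all addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed mail-log excerpt: <timestamp> <source_ip> <sender_domain> "<subject>".
# Campaign A spreads nine near-identical messages across eight IPs in five /24s with no IP
# sending more than twice; B is a single-IP newsletter; C is ordinary low-volume mail.
SAMPLE_LOG = """\
2015-01-10T08:00:01 198.51.100.12 inv-mail1.test "Invoice 1034 is overdue"
2015-01-10T08:00:04 198.51.100.77 inv-mail2.test "Invoice 2217 is overdue"
2015-01-10T08:00:09 203.0.113.5 inv-mail3.test "Invoice 8801 is overdue"
2015-01-10T08:00:11 203.0.113.9 inv-mail1.test "Invoice 4410 is overdue"
2015-01-10T08:00:15 192.0.2.40 inv-mail4.test "Invoice 3193 is overdue"
2015-01-10T08:00:19 192.0.2.41 inv-mail2.test "Invoice 7732 is overdue"
2015-01-10T08:00:22 192.0.2.41 inv-mail2.test "Invoice 7733 is overdue"
2015-01-10T08:00:30 198.18.0.3 inv-mail5.test "Invoice 1502 is overdue"
2015-01-10T08:00:33 198.19.7.8 inv-mail3.test "Invoice 9004 is overdue"
2015-01-10T08:01:00 192.0.2.200 news.example.test "Weekly newsletter 3"
2015-01-10T08:01:01 192.0.2.200 news.example.test "Weekly newsletter 3"
2015-01-10T08:01:02 192.0.2.200 news.example.test "Weekly newsletter 3"
2015-01-10T08:01:03 192.0.2.200 news.example.test "Weekly newsletter 3"
2015-01-10T08:01:04 192.0.2.200 news.example.test "Weekly newsletter 3"
2015-01-10T08:01:05 192.0.2.200 news.example.test "Weekly newsletter 3"
2015-01-10T08:02:00 203.0.113.50 corp.example.test "Meeting notes 12 Jan"
2015-01-10T08:02:30 198.51.100.200 corp.example.test "Meeting notes 12 Jan"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def campaign_key(subject: str) -> str:
    """Reduce a subject to a template so per-recipient numbers do not split one campaign."""
    return re.sub(r"\d+", "#", subject.lower()).strip()


def snowshoe_campaigns(log_text: str, min_total: int = 6, max_per_ip: int = 2, min_nets: int = 3):
    """Flag subject templates that are high-volume in aggregate yet low-volume from every
    individual source IP and spread over several /24 networks: the snowshoe profile."""
    per_campaign = defaultdict(lambda: defaultdict(int))  # template -> source ip -> count
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # the constructed log is clean; real logs need stricter handling
        _ts, src_ip, _sender, subject = m.groups()
        per_campaign[campaign_key(subject)][src_ip] += 1

    hits = []
    for template, by_ip in per_campaign.items():
        total = sum(by_ip.values())
        nets = {ip_network(f"{ip}/24", strict=False) for ip in by_ip}
        if total >= min_total and max(by_ip.values()) <= max_per_ip and len(nets) >= min_nets:
            hits.append({"campaign": template, "messages": total,
                         "ips": len(by_ip), "nets": len(nets)})
    return sorted(hits, key=lambda h: h["messages"], reverse=True)


if __name__ == "__main__":
    for hit in snowshoe_campaigns(SAMPLE_LOG):
        print(hit)
```

On the constructed log only the invoice campaign is reported: the newsletter sends the same total volume but from one address, which is the profile per-IP reputation already handles. Keying on a subject template is the weakest part of this; a spammer who randomizes subjects defeats it, so a production version would fingerprint body text or the URLs it carries in addition to the subject.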
Tags: 2015 annual security report, AMP, Cisco Advanced Malware Protection, email, email security, esa, ESAV, malvertising, phishing, SMA, Snowshoe, WSAV
Researchers from the Cisco Talos Security Intelligence and Research Team recently discovered an elaborate attack dubbed the String of Paerls. The attack, which combined spearphishing with an exploit attempt, bypassed most antivirus engines and used a targeted phishing email carrying a malicious Word document attachment. Upon opening the Word attachment, a macro downloaded and launched an executable on the victim's machine, which then called out to command-and-control servers.
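A macro that downloads and launches an executable needs a document that carries a VBA project, and that is visible in the attachment's bytes without opening it in Word. The following is an added example and not Talos code: it inspects an attachment and returns the reasons it deserves detonation or quarantine rather than delivery. For an OOXML package (.docx/.docm) it looks for a vbaProject.bin part and a macro-enabled content type and notes a legacy .doc extension on what is actually a zip container; for the legacy OLE2 binary format it applies a heuristic, matching the UTF-16LE storage names ("Macros" for Word, "_VBA_PROJECT_CUR" for Excel) that appear in the file's directory when a VBA project is present. The sample packages are built in memory and are constructed, not real Word output, and the OLE2 check is a string match, not a Compound File parser.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File (legacy .doc/.xls) signature
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML packages are zip containers
MACRO_CTYPE = re.compile(rb"macroEnabled", re.IGNORECASE)
LEGACY_EXTENSIONS = ("doc", "xls", "ppt")


def inspect_office_attachment(filename: str, data: bytes):
    """Return the list of reasons an Office attachment deserves scrutiny (empty means none found)."""
    reasons = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""

    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as pkg:
                names = set(pkg.namelist())
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    reasons.append("OOXML package contains a VBA project (vbaProject.bin)")
                if "[Content_Types].xml" in names and MACRO_CTYPE.search(pkg.read("[Content_Types].xml")):
                    reasons.append("content types declare a macro-enabled document")
        except zipfile.BadZipFile:
            reasons.append("zip signature but the package does not parse")
        if ext in LEGACY_EXTENSIONS:
            # Word opens a renamed .docm as .doc happily; the user sees a 'plain' document.
            reasons.append(f"legacy extension .{ext} on an OOXML (zip) container")

    elif data.startswith(OLE_MAGIC):
        # Heuristic, not a CFB parse: directory entry names are stored as UTF-16LE, and a
        # VBA project lives under a "Macros" (Word) or "_VBA_PROJECT_CUR" (Excel) storage.
        for storage in ("Macros", "_VBA_PROJECT_CUR"):
            if storage.encode("utf-16-le") in data:
                reasons.append(f"OLE2 document contains storage '{storage}' (VBA project)")
                break

    return reasons


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the example; not a real Word output."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        + ('<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
           if with_macro else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            pkg.writestr("word/vbaProject.bin", b"\x00placeholder VBA project\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("report.docx", build_sample_package(False)),
                       ("invoice.doc", build_sample_package(True))):
        print(name, inspect_office_attachment(name, blob) or ["nothing found"])
```

The check says whether a VBA project is present, not what it does; vbaProject.bin is an OLE container with MS-OVBA compressed source, so reading the macro body (to look for the download-and-execute pattern described above) needs a decompressor such as oletools' olevba. Presence alone is still a strong signal for an unsolicited attachment, and it is enough to route the file to a sandbox before delivery.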
In the graphic below you can see an illustration of each of the major steps of the attack. A common thread is that Cisco security provides protection against attacks like this one using the approach of integrated threat defense. Specifically, Advanced Malware Protection tools were used throughout the discovery and analysis process to expose the exploit.
For a complete play-by-play of this attack, read the String of Paerls blog post from Talos. For more about integrated threat defense in our products, see the new Cisco ASA with FirePOWER Services.
Tags: Advanced Malware Protection, AMP, malware, phishing, security, spear phishing, spearphishing