Wednesday, November 18, 2009

FBI warning on spear phishing
11/17/2009—The FBI assesses with high confidence that hackers are using spear phishing e-mails with malicious payloads to exploit U.S. law firms and public relations firms.

During the course of ongoing investigations, the FBI identified noticeable increases in computer exploitation attempts against these entities.

The specific intrusion vector used against the firms is a spear phishing or targeted socially engineered e-mail designed to compromise a network by bypassing technological network defenses and exploiting the person at the keyboard.

Hackers exploit the ability of end users to launch the malicious payloads from within the network by attaching a file to the message or including a link to the domain housing the file and enticing users to click the attachment or link.

Network defense against these attacks is difficult as the subject lines are spoofed, or crafted, in such a way to uniquely engage recipients with content appropriate to their specific business interests.

In addition to appearing to originate from a trusted source based on the relevance of the subject line, the attachment name and message body are also crafted to associate with the same specific business interests.

Opening a message will not directly compromise the system or network because the malicious payload lies in the attachment or linked domain. Infection occurs once someone opens the attachment or clicks the link, which launches a self-executing file and, through a variety of malicious processes, attempts to download another file.

Indicators are unreliable to flag in-bound messages; however, indicators are available to determine an existing compromise.

Once executed, the malicious payload will attempt to download and execute the file ‘srhost.exe’ from the domain ‘’; e.g. Any traffic associated with ‘’ should be considered as an indication of an existing network compromise and addressed appropriately.

The malicious file does not necessarily appear as an ‘exe’ file in each incident. On occasion, the self-executing file has appeared as other file types, e.g., ‘.zip’, ‘.jpeg’, etc.

Please contact your local field office if you experience this network activity and direct incident response notifications to DHS and U.S. CERT.

-- public-domain text from "Spear Phishing Emails Target US Law Firms & Public Relations Firms", FBI Cyber Investigations unit.
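The advisory gives two things a responder can act on: traffic to the payload domain or a download of ‘srhost.exe’ marks an existing compromise, and the dropped file may carry a ‘.zip’ or ‘.jpeg’ name rather than ‘.exe’. The following triage helpers are an added example, not part of the FBI advisory or of this post. Only the file name ‘srhost.exe’ comes from the advisory; the watch-listed domain ‘payload.example’, the proxy log lines and the attachment bytes are constructed placeholders, since the advisory's own domain is not reproduced above.

```python
"""Incident-triage helpers for a suspected spear-phishing compromise.

Added example, not part of the FBI advisory or the original post.
The executable name 'srhost.exe' is the one the advisory gives; the
watch-listed domain 'payload.example', the proxy log lines and the
attachment bytes below are constructed placeholders, not real indicators.
"""
import os
from urllib.parse import urlparse

# Indicators. Only the file name comes from the advisory; the domain is a
# hypothetical stand-in for the one the advisory does not reproduce here.
IOC_FILENAMES = {"srhost.exe"}
IOC_DOMAINS = {"payload.example"}

# Constructed proxy log (fields: timestamp client status bytes method url).
SAMPLE_PROXY_LOG = """\
1258500001 10.1.2.3 200 4096 GET http://news.example/story.html
1258500010 10.1.2.3 200 65536 GET http://payload.example/img/srhost.exe
1258500012 10.1.2.7 200 1024 GET http://cdn.payload.example/beacon.php?id=7
1258500020 10.1.2.9 200 2048 GET http://mirror.example/tools/SRHOST.EXE
1258500030 10.1.2.5 403 0 GET http://unrelated.example/a.zip
"""


def _domain_hit(host: str) -> bool:
    """True for the watch-listed domain and any of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_proxy_log(text: str) -> list:
    """Return (client, url, reason) for every line matching an indicator.

    A hit on either the domain or the file name is enough: the advisory says
    any traffic to the domain indicates an existing compromise, and the same
    payload name may be fetched from a different host later.
    """
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line: skip it rather than abort the triage
        client, url = parts[1], parts[5]
        u = urlparse(url)
        reasons = []
        if u.hostname and _domain_hit(u.hostname):
            reasons.append("domain")
        if os.path.basename(u.path).lower() in IOC_FILENAMES:
            reasons.append("filename")
        if reasons:
            hits.append((client, url, "+".join(reasons)))
    return hits


def looks_like_pe(data: bytes) -> bool:
    """Identify a Windows PE executable by content, not by extension:
    'MZ' DOS stub, then the 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def attachment_verdict(filename: str, data: bytes) -> str:
    """Classify an attachment, flagging an executable that hides behind
    another extension (the '.zip' / '.jpeg' cases the advisory mentions)
    or behind a double extension such as 'photo.jpeg.exe'."""
    name = filename.lower()
    ext = os.path.splitext(name)[1]
    if looks_like_pe(data):
        return "pe" if ext == ".exe" and name.count(".") == 1 else "pe_disguised"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def constructed_pe_stub() -> bytes:
    """Minimal bytes that satisfy looks_like_pe(); constructed test input,
    not a real executable."""
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    for client, url, why in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url} ({why})")
    print(attachment_verdict("holiday.jpeg", constructed_pe_stub()))
```

The log scan matches subdomains and is case-insensitive on the file name, because the advisory's point is that any contact with the domain counts, not only the exact download URL. The attachment check deliberately ignores what the extension claims and reads the PE header instead; a file named ‘holiday.jpeg’ whose bytes start with an MZ stub is exactly the case the advisory warns about.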

It's time to get smart about cyber crime and cyber war techniques. This is the realm of blogocombat on steroids. In regular blogocombat, words are used to attack, defend, and debate issues or personalities.

In cyber crime and cyber war, the combat is waged against your personal computer or corporate network, and the weapon is a message that looks like it belongs in your inbox. The attackers use highly seductive or relevant phrases, such as the name of a fellow employee or a family member, or a topic tied to your job or personal interests, in the subject line, the attachment name and the body of the e-mail.

A Twitter friend, Michael Koby (his blog: Michael Koby - Commentary on Technology, Media, News and More), recommends this book:

"The Art of Deception: Controlling the Human Element of Security" by Kevin D. Mitnick

Mitnick is the "reformed cyber criminal hacker" whose exploits are popularly, though inaccurately, said to have inspired the movie WarGames; the U.S. Department of Justice once described him as the most wanted computer criminal in U.S. history. See the Wikipedia article on Kevin D. Mitnick.

From the Social engineering article on Wikipedia:

Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases.[1] These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques.