Spear-phishing scourge: It's up to you, the user
Web browsers are getting better at detecting and blocking URLs associated with phishing sites, according to a recent test of leading browsers by NSS Labs, but defending against social engineering will require educated users, not just better software, says one researcher.
“Technology has not been able to deal significantly with social engineering on a number of fronts,” said NSS research director Randy Abrams.
One of those fronts is spear phishing, and that is bad news for government, which has thousands of users and operates with more transparency than many other organizations. “That makes spear-phishing them significantly easier,” Abrams said. “Government is going to have to spend more on education.”
Before going on, some definitions: “Phishing” tries to get a victim to disclose sensitive personal or account information, including access credentials. This can be done in a variety of ways, including e-mails and phony websites, and often is done on a large, broadcast scale.
“Spear phishing” targets specific individuals, groups or organizations, usually using information about the victim that the attacker has gathered through open-source research or intelligence operations. Because there are a small number of intended victims, detecting spear phishing is more difficult.
A new report from TrendMicro found that 91 percent of targeted attacks from February to September 2012 employed spear-phishing, and that 65 percent of attacks were aimed at government, by far the most targeted sector.
NSS Labs’ most recent examination of browsers looked at how well four popular ones blocked known phishing URLs. Results ranged from 90 percent for Firefox 15, through 91 percent for Safari 5 and 92 percent for Internet Explorer 10. The best performer was Chrome 21 at 94 percent.
These sites are more difficult to shut down because they have become more nimble. The number of phishing URLs is growing, from 40,000 per month in 2011 to 50,000 per month in 2012, and at the same time their lifespan is shortening, to an average uptime of just 23 hours in 2012. This timing is important because it takes a while for browsers to “learn” that a site is malicious. More sites and shorter lifespans means more zero-hour attacks, and the zero-hour block rates for the browsers tested against brand new malicious URLs ranged from just 53.2 percent for Chrome to 79.2 percent for Safari. This means a growing window of opportunity for attackers.
The good news is that phishing, like almost all social engineering attacks, requires the victim’s cooperation. If the victim doesn’t fall for the fake e-mail or visit the malicious site, he’s safe. Unfortunately, many people who have been brought up using technology are too trusting and have not been taught to be critical, Abrams said.
“We haven’t made social engineering education part of our societal education,” he said. “Fundamentally we are probably two generations away from getting a grip on social engineering if we start now. And government doesn’t have two generations to wait.”
Posted by William Jackson on Nov 30, 2012 at 9:39 AM