When it comes to security, there is no shortage of jargon that gets tossed around the blogs and forums. Much of it comes from the threat landscape growing so rapidly and changing so fast that new attack methods are introduced on a frequent basis.
Just recently, the world of email security found itself adding two new terms to its lexicon. Both of these terms describe new twists on an old standby, phishing.
Phishing is one of the primary methods used for compromising computer assets. Anyone who read the recent Mandiant report knows that someone in your organization falling for a phishing email can have serious repercussions for the entire organization. These new approaches to phishing can present some real challenges.
One way that anti-spam solutions find, and block, malicious emails is by looking at their links. If any URL in the email content points to a known malicious site, the email is blocked.
To circumvent this, attackers began using two techniques that became known as waterholing. The first method is to include a clean domain in the URL that is embedded in the email. When the recipient clicks this link, they are taken to the original website, but then immediately redirected to another site. This can be the malicious site or the attacker could mask his or her actions by redirecting a few more times before the victim reaches the malicious site.
The second approach to waterholing is when the attacker sends out a phishing email with a link to a site. At first, the web site is free of malware so nothing arouses suspicion. Later, the attacker uploads the malware to the site so people who click on a link a short time later will arrive at the malicious site. Typically, the attacker will send the phishing email out on a Friday night with a benign URL so that it makes its way through the filters. Over the weekend, the attacker can upload any malware to the site so that when the victims arrive at work on Monday morning the link, which once pointed to a clean web site, can now infect the victim’s computer.
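The gap both approaches exploit can be shown in a few lines. The following is an added example, not code from the original article: it compares a filter that checks only the embedded link at delivery time with one that checks every redirect hop and is run again when the link is clicked. All hosts, the redirect map and the two blocklists are constructed sample data, and the blocklist is assumed to list a site once it starts serving malware.

```python
from urllib.parse import urlsplit

# Constructed sample data: hypothetical hosts under the reserved .example TLD.
LINK1 = "http://clean-site.example/promo"      # first approach: clean first hop
REDIRECTS = {
    LINK1: "http://hop.example/r",
    "http://hop.example/r": "http://malware.example/payload",
}
LINK2 = "http://later-bad.example/invoice"     # second approach: benign at delivery
FRIDAY_BLOCKLIST = {"malware.example"}
MONDAY_BLOCKLIST = FRIDAY_BLOCKLIST | {"later-bad.example"}  # assumed feed update

def resolve_chain(url, redirects, max_hops=10):
    """Return every URL visited while following redirects (offline model)."""
    chain, seen = [url], {url}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in seen:          # redirect loop: stop following
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain

def first_hop_verdict(url, blocklist):
    """The filter the article describes: looks only at the embedded link."""
    return "block" if urlsplit(url).hostname in blocklist else "deliver"

def chain_verdict(url, redirects, blocklist, max_hops=10):
    """Check every hop; loops and over-long chains are blocked as unresolved."""
    chain = resolve_chain(url, redirects, max_hops)
    if any(urlsplit(u).hostname in blocklist for u in chain):
        return "block"
    if chain[-1] in redirects:   # chain ended on a loop or hit max_hops
        return "block"
    return "deliver"

if __name__ == "__main__":
    print("first hop only:", first_hop_verdict(LINK1, FRIDAY_BLOCKLIST))
    print("every hop     :", chain_verdict(LINK1, REDIRECTS, FRIDAY_BLOCKLIST))
    print("Friday scan   :", chain_verdict(LINK2, {}, FRIDAY_BLOCKLIST))
    print("Monday click  :", chain_verdict(LINK2, {}, MONDAY_BLOCKLIST))
```

A delivery-time scan of the second link still passes on Friday, which is why the same check has to be repeated when the user actually clicks.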
Longlining only recently made its way into the vocabulary of security professionals. It basically describes the coming together of the different types of phishing. You see, consumer-based phishing relies on the old tactic of casting a wide net in the hope of catching something. Phishers will send out millions of emails in the hope that they catch some victims off guard. Fortunately, these emails are easy to spot. After all, if you receive an email that informs you of problems with your account at XYZ bank, but you don’t have an account with XYZ bank, odds are you aren’t going to fall for the trick.
Spear phishing, on the other hand, relies on the ability of the attacker to personalize an email message as much as possible. The drawback of this tactic is that attackers can’t send their email to as many people – hence the term spear-phishing.
Longlining brings the “best” of these two worlds together. Using this tactic, the attacker can personalize the emails he or she is sending and still send them to a large number of people. Just like its namesake in the real world, longlining allows the attacker to cast a wider net than a traditional spear phishing campaign, while still using individual pieces of bait for each victim.
Understanding the different terms used in email security is not only pertinent to understanding the risks associated with email, but also essential to understanding how to protect your organization, and users, against these threats. Knowing the names of the different attack methods, as well as how they work, will help you choose the right tools to keep you and your assets safer from these sophisticated attacks.