Menlo Security has announced that its cybersecurity researchers recently uncovered a sophisticated spear phishing attack at a well-known enterprise that went undetected by existing security solutions.
A close examination of the recent spear phishing event by Menlo Security researchers revealed the following details:
- The attackers performed various checks on the password entered by the victim and their IP address to determine whether it was a true compromise versus somebody who had figured out the attack.
- The attackers supported various email providers. This was determined by the fact that they served custom pages based on the email domain. For example, a victim whose email address was john.doe@gmail.com would be served a page that looked like a Gmail login page.
- The attackers exfiltrated the victim’s personally identifiable information (PII) to an attacker controlled account.
- The attacker relied heavily on several key scripts to execute the phishing campaign, and to obtain the victim’s IP address in addition to the victim’s country and city.
“Credential theft via increasingly sophisticated spear phishing attacks is dangerous to the enterprise,” said Poornima DeBolle, Chief Product Officer and co-founder of Menlo Security. “Existing email security products will have a difficult time detecting these attacks using the usual good versus bad methods. Once an attacker obtains an employee’s credentials, they have the keys to your kingdom.”
The spear phishing vulnerabilities stem from legacy email security solutions, including sandbox-based anti-phishing products, being largely based on reputation; that is, whether an email link is known to be “good” or “bad.” A link’s reputation is determined via third-party data feeds, or internally by way of large-scale email traffic and data analysis. In the case of spear phishing attacks, which target specific individuals within an organization, the email link is usually unique, as is the target user, hence there is no third-party reputation data available, nor is there enough data to analyze internally to make an accurate determination. If the determination is incorrect, users are sent directly to a web site where credentials can be stolen or malware can be downloaded to the user’s device.
For more details on the anatomy of the spear phishing attack, please visit: https://www.menlosecurity.com/research-brief-2017
About Menlo Security
Menlo Security protects organizations from cyber attack by eliminating the threat of malware from Web, documents and email. Menlo Security’s cloud based Isolation Platform easily scales to provide comprehensive protection across organizations of any size without requiring end point software or impacting end user experience. Menlo Security is trusted by some of the world’s largest enterprises, including Fortune 500 companies and financial services institutions. Backed by General Catalyst, Sutter Hill Ventures and Osage University Partners, Menlo Security is headquartered in Menlo Park, California. For more information, visit http://www.menlosecurity.com or @menlosecurity.