Saturday, October 1, 2011

The Spear-Phishing Report

Phishing means - to me - attacks on computer users that trick them into believing they are communicating with a trusted entity, when in fact they are communicating with the attacker. Spear-phishing attacks are phishing attacks that target specific victims (rather than random users); spear-phishing attackers usually use personal and/or corporate-related details to make their forgery more convincing. Phishing, and esp. spear-phishing, is often used as the initial step in sophisticated attacks, e.g., Advanced Persistent Threats (APT).

While researching an article I'm writing on major threats to Internet security (Internet Security: Still Vulnerable After All These Years), I looked for a list of major, interesting spear-phishing attacks and didn't find one. I'm sure such lists already exist, but after spending more time than is reasonable (imho) searching for an existing list, I've decided to simply make a list here, update it when new attacks are published, and refer to other lists when I learn of them.

I will also list here relevant/related papers, articles and resources, e.g., InfoWar Monitor. And of course see my papers, e.g., in ESORICS'11, IEEE Security and Privacy mag. (2012), ACM Trans. on Internet Technology (2009). [I need to add the links] See also my homepage.

Note: I want this list to focus on spear-phishing and therefore will try not to list here other attacks, interesting as they may be (e.g., DigiNotar... and many others).

So, without further ado, here is a first cut at a list of important, interesting spear-phishing attacks. I will appreciate updates, corrections or other feedback/suggestions. For now, I'll simply write a list of attacks, ordered by time of report (which is better defined than time of occurrence). I'll try to keep the entries organized so that they can be imported into a spreadsheet for processing.

When: Sept. 2007
Victims: Booz Allen Hamilton
Type: corporations (consulting, gov)
Reported: Businessweek, April 10 2008

When: Dec. 2009
Victims: Google, Adobe and 32 others
Type: corporations (internet/technology, financial, media and chemical sectors)
Reported: Wired, January 12 and 14, 2010, also McAfee's report: Protecting Your Critical Assets: Lessons Learned from “Operation Aurora”.
Comments: zero-day IE exploit.

When: 2007
Victims: ExxonMobil, ConocoPhillips and Marathon Oil
Type: corporations (oil)
Reported: Christian Science Monitor, Jan. 25, 2010

When: 2009-2010
Victim: multiple Email Service Providers (ESPs)
Type: corporations (internet, email)
Reported: Nov. 28, 2010 by Matt Blumberg (Return Path's CEO)
Comments: attacks also continued later, see e.g. Epsilon Interactive (March 2011)

When: Nov. 2009- ? 2010
Victim: multiple
Type: corporations (global - oil, energy, and petrochemical)
Reported: McAfee report, Global Energy Cyberattacks: “Night Dragon”, version 1.4, Feb 10, 2011

When: Jan. 2011
Victim: three depts. of the Canadian govt., incl. Defence Research and Development Canada
Type: gov, defense
Reported: CBC news Feb 16th, 2011

When: March 2011
Victims: RSA, Lockheed Martin
Type: security-vendor, defense
Reported: by RSA. Also, e.g., Wired, March 17 2011
Comments: exposed information related to SecurID authentication devices; this was later used to break into Lockheed Martin. RSA replaced all devices.

When: Feb. 2011
Victim: Australian government, parliament, incl. PM office
Type: gov
Reported: Wired, March 29, 2011

When: Nov. 2010
Victims: Condé Nast
Type: corporations (media)
Reported: Wired, April 4 2011
Comments: $8M

When: March 2011
Victims: Epsilon Interactive and via it 24 financial corporations and 87 retailers
Type: corporations (internet, email, financial, retail)
Reported by: CAUCE article: Epsilon Interactive breach the Fukushima of the Email Industry, April 4 2011
Comments: see also CAUCE's list of breached companies and article in PCWorld

When: April 2011
Victims: Oak Ridge National Laboratory
Type: gov-sec-lab
Reported: Wired, April 20 2011
Comments: zero-day IE exploit

When: 2010-2011
Victims: US Government
Type: gov
Reported: Wired, June 1st, 2011

When: May-June 2011
Victim: HBGary Federal
Type: small security-vendor
Reported: Parmy Olson, Forbes: Anonymous Takes Revenge On Security Firm, June 2nd, 2011.
Comments: resulted in resignation of CEO.

When: 1H 2011
Victim: International Monetary Fund (IMF)
Type: financial, gov
Reported: NYT, June 11 and Wired, June 13, 2011

When: 2006-2011
Victim: more than 70 global companies, governments, and non-profit organizations
Type: gov, corporations, non-profit
Reported: Dmitri Alperovitch, McAfee report: Revealed: Operation Shady RAT, Aug. 2011, version 1.1.
Comments: I think this is the worst so far.

When: 2011
Victim: Mitsubishi Heavy Industries
Type: corporation (defense)
Reported: Fahmida Y. Rashid, eWeek IT Security & Network Security News, Mitsubishi Heavy Network Most Likely Compromised by Spear-Phishing Attack, Sept. 21, 2011

When: Sept. 2011
Victims: GoDaddy
Type: security-vendor
Reported by: Fahmida Y. Rashid, GoDaddy Attack Started With Spear-Phishing, in eWeek IT Security & Network Security News, Sept. 23, 2011.
