Phishing 2.0
Written by Brian E. Dykstra
Sunday, 03 February 2008 15:21

During the last several incident responses that JRD has been involved in, we've noticed a rather disturbing trend. The intrusions have typically started with some very good quality spear phishing targeted at corporate executives and key personnel. While I've been thinking about this and warning our clients about the threat, I came across several articles that confirmed what we have been seeing.

The first article I found was the most recent Phishing Attack Trends Report (1/25/08) from the Anti-Phishing Working Group (APWG). The report covers a lot of phishing topics, but the APWG notes that a drop in general phishing attacks in November 2007 was mirrored by an equal increase in phishing attacks targeted at corporate executives and key personnel.

The second article was from Internet Security Systems' X-Force team at IBM, as reported by Matt Hines at InfoWorld. The X-Force was reporting that they had seen an increase in web sites hosting sophisticated "personalized" attacks designed to take advantage of the unfortunate user's particular browser and operating system. They also reported that some of the more advanced malware groups were collecting the IP addresses of web site visitors so they didn't repeatedly attack the same host.

Both of these reports closely mirror several of the intrusions that we've recently responded to. Unfortunately, in most cases the intruder has experienced some level of success with these personalized phishing attacks. We've also noted that there is usually a series of these attacks, not just a single phishing attempt.

We are proponents of multiple security systems as part of a strong IT security infrastructure. In these cases even the best anti-phishing and anti-spam filtering would have failed due to the personal nature of the phishing emails, which included correct email addresses and current corporate information from the victim companies. I'm not saying that content filtering of email doesn't work; it does, and everyone should use it as one method of protecting users. The problem is that even the most up-to-date filtering usually can't protect you from an email that appears to have legitimate recipients, legitimate content and normal-looking attachments.

In cases where these attacks were successful we saw a breakdown in end user security awareness training and web proxy filtering. This is a question of multiple layers of security: if the incoming email filtering fails and the end user fails, a properly functioning web proxy filter has a good chance of blocking the malicious site (linked from the email or attachment) or preventing the malware download.

Along that line, it is important that the web proxy be able to review both HTTP and HTTPS content. It doesn't hurt to monitor text messaging traffic if that is common in your environment; there are plenty of phishers working the instant messaging route too.
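As an added example (not code from the original post or from JRD), the following Python script shows how the proxy layer described above could be mined for the pattern these reports describe: a domain that several internal hosts each fetch executable content from exactly once within a short window, with a repeat visit from an already-served host getting nothing back. The log format, domain names, addresses and content-type list are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log: time, client IP, method, URL, HTTP status, content-type.
# 10.1.4.35 revisits the landing page and gets a 404: the site already served
# that IP once and will not serve it again.
SAMPLE_LOG = """\
2008-02-01T09:12:03 10.1.4.21 GET http://intranet.example.com/news 200 text/html
2008-02-01T09:13:10 10.1.4.21 GET http://www.example.org/ 200 text/html
2008-02-01T09:15:44 10.1.4.21 GET http://update-notice.example.net/q1/report.exe 200 application/octet-stream
2008-02-01T09:16:02 10.1.4.35 GET http://update-notice.example.net/q1/report.exe 200 application/octet-stream
2008-02-01T09:18:51 10.1.4.35 GET http://update-notice.example.net/q1/report.exe 404 text/html
2008-02-01T09:19:30 10.1.4.48 GET http://update-notice.example.net/q1/report.exe 200 application/octet-stream
2008-02-01T10:40:00 10.1.4.21 GET http://www.example.org/ 200 text/html
"""

# Content types a proxy commonly reports for Windows executables (assumed list).
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}

def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, _method, url, status, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "host": urlsplit(url).hostname, "status": int(status), "ctype": ctype}

def find_one_shot_downloads(log_text, window=timedelta(minutes=30), min_hosts=3):
    """Return {domain: [client IPs]} for domains that served executable content
    to at least min_hosts distinct clients, exactly once each, within window."""
    by_domain = defaultdict(lambda: defaultdict(list))  # domain -> client -> records
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_domain[rec["host"]][rec["client"]].append(rec)
    hits = {}
    for domain, clients in by_domain.items():
        first_exec = {}
        for client, recs in clients.items():
            served = [r["ts"] for r in recs if r["status"] == 200 and r["ctype"] in EXEC_TYPES]
            if len(served) == 1:  # one payload per client and never a second: the personalized pattern
                first_exec[client] = served[0]
        if len(first_exec) >= min_hosts:
            times = sorted(first_exec.values())
            if times[-1] - times[0] <= window:  # the series of attacks lands as a short burst
                hits[domain] = sorted(first_exec)
    return hits

if __name__ == "__main__":
    for domain, victims in find_one_shot_downloads(SAMPLE_LOG).items():
        print(f"{domain}: executable served once each to {', '.join(victims)}")
```

Note that the check counts distinct clients that received a payload rather than raw hit counts, because an analyst re-fetching the URL from an already-served address will see a harmless page and would otherwise mask the pattern.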