It is interesting to read about the public details of an unusually high-quality spear-phishing attack against a low-value target, particularly if you are engaged in constructing carefully crafted tests of email security services.
Who were the targets?
In this case, there were two targets: Free Press, and Fight for the Future. The attack, dubbed “Phish for the Future” in a brief analysis by the Electronic Frontier Foundation, is curious for several reasons.
Free Press is a pressure group campaigning for an open internet. It fights media consolidation by large corporations and defends press freedom. Fight for the Future works to protect people’s basic online freedoms. Objectively, it is working for a better online future, which makes the whole affair seem suspicious.
Criminal working hours
The first thing that struck me was that the emails were apparently all sent during office hours. The time zones place the senders anywhere between Finland and India. However, they resolve to office hours when normalised to a single zone.
Another interesting aspect is that even though the emails were sent on 23 active days, the attackers didn’t work weekends. This immediately marks them out as unusual. Anyone who’s run an email honeypot knows that commodity spam flows 24 hours a day.
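The normalisation described above, as an added example (not code from this post or the EFF report): Date headers carrying mixed UTC offsets are converted to UTC, then each whole-hour offset is scored by how many sends fall inside a Monday-to-Friday 09:00-17:00 window. The header values, the window and all function names are assumptions made for illustration.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed Date headers (illustrative only, not taken from the EFF report).
SAMPLE_DATES = [
    "Fri, 07 Jul 2017 09:12:00 +0300",
    "Mon, 10 Jul 2017 15:47:00 +0530",
    "Tue, 11 Jul 2017 14:05:00 +0400",
    "Wed, 12 Jul 2017 19:20:00 +0530",
    "Thu, 20 Jul 2017 12:30:00 +0300",
    "Tue, 08 Aug 2017 13:15:00 +0500",
]

def to_utc(headers):
    """Parse RFC 5322 Date headers and normalise them all to UTC."""
    return [parsedate_to_datetime(h).astimezone(timezone.utc) for h in headers]

def office_fit(stamps, offset_hours, start=9, end=17):
    """Count sends that fall Mon-Fri, start <= hour < end, at a candidate offset."""
    tz = timezone(timedelta(hours=offset_hours))
    local = [s.astimezone(tz) for s in stamps]
    return sum(1 for t in local if t.weekday() < 5 and start <= t.hour < end)

def weekend_sends(stamps, offset_hours):
    """Count sends that land on Saturday or Sunday at a candidate offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return sum(1 for s in stamps if s.astimezone(tz).weekday() >= 5)

def best_offsets(stamps):
    """Return (offsets, score): the whole-hour UTC offsets with the best fit."""
    scores = {off: office_fit(stamps, off) for off in range(-12, 15)}
    top = max(scores.values())
    return [off for off, n in scores.items() if n == top], top

if __name__ == "__main__":
    stamps = to_utc(SAMPLE_DATES)
    offsets, score = best_offsets(stamps)
    print(f"best offsets {offsets}: {score}/{len(stamps)} sends in office hours")
    print("weekend sends:", weekend_sends(stamps, offsets[0]))
```

Date headers are set by the sender, so for real analysis prefer the timestamp in the Received header added by your own mail server.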
The attackers first tried generic phishing expeditions, but quickly cranked up their targeting and psychological manipulation. This poses an interesting question. If you’re an experienced, professional, disciplined crew, why jeopardise the operation by beginning with less convincing samples? They could alert the target. Why didn’t they simply start with the good stuff, get the job done, and move on?
One possible explanation is that the attackers were trainees on a course, undertaking a carefully controlled “live fire” exercise. Psychologically manipulative techniques such as pretending to be a target’s husband sending family photos, or a fan checking a URL to someone’s music, imply a level of confident duplicity normally associated with spying scandals.
Phishing attack sophistry
The level of sophistication and persistence on display forms a shibboleth. It looks and smells somehow “wrong”. The published report reveals an attention to detail and target reconnaissance usually reserved for high value commercial targets. Either the attackers learn at a tremendous rate through sheer interest alone, or they’re methodically being taught increasingly sophisticated techniques to a timetable. If it was part of a course, then maybe the times the emails were sent show a break for morning coffee, lunch and afternoon tea, or fall into patterns of tuition followed by practical exercises.
The timing of the complete attack also stands out. It began on 7th July, ended on 8th August, and straddled the Net Neutrality Day of Action (12th July). With a lot happening at both targets during that time, and one assumes a lot of email flying about, perhaps the attackers believed they stood a better chance when the staff were busiest.
So, to recap, it looks like highly motivated yet disciplined attackers were operating with uncommonly sophisticated confidence against two small online freedom groups. Neither target has the business acumen of a large corporation, which rules out criminal gain, and yet an awful lot of effort was ranged against them.
It’s all about access
The product of phishing is access, either to abuse directly or to be sold to others. Who would want secret access to organisations campaigning for online freedom? Both targets exist to change minds and therefore policy, which makes them political. They’re interesting not only to governments, but also to media companies seeking to control the internet.
I’m speculating wildly, of course. An under-worked individual at a large company could very easily have perpetrated the whole thing using their office computer and keeping regular hours to avoid suspicion. The rest is down to ingenuity and personal motivation.
We’ll never know the truth, but the supporting infrastructure detailed in the EFF report certainly points to some considerable effort over a long period of time. If it was an individual, he’s out there, he’ll strike again, and he learns fast. In many ways, I’d prefer it to have been a security service training new recruits.