Skip to content

Spear-Phishing Deep Dive Primer: The Attack


Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

About a month ago, Solera’s head of marketing, Alan Hall, received what he considered an obvious phishing email addressed to his work email account. The message claimed it was an order confirmation from a (real) online retailer named, and contained Alan’s full name as well as his Solera Networks email address in the body of the message.

The order confirmation claimed that Alan had just completed the purchase of two (what I would consider grossly overpriced) products: a Logitech QuickCam Ultra Vision webcam and a 1TB external hard drive from a company called Freecom. Total price: precisely $483.47. For more information, the email claimed, you could follow a link — now dead — that looked like it pointed to an invoice hosted on Yesasia’s server.

If you know me and my work, you know where this is leading next. Yes, Asia, the link pointed elsewhere. It was a classic fake shipping confirmation scam, and its success hinged on the recipient thoughtlessly clicking a link primed to do nasty stuff when the victim falls into the trap. In fact, according to The Internet Patrol Web site, the attack has been around (in some form or another) since April.

This is the first in a series of three posts in which I’m going to examine this particular attack from all angles: How it arrives; The nature of the social engineering scam involved in the attack; What happens to the victim’s computer as a result; Who are the culprits and what can they do; And what lessons can we take away from this particular attack. In this post, I’ll scrutinize the attack vector, the social engineering spam message, to see what we can learn from it.

A Failed Phish

In most respects, this particular attack wasn’t all that different from the rounds of fake order confirmation spam that’s been in regular use as a social engineering technique, delivering keyloggers such as Zeus and SpyEye, and downloaders such as Tacticlol, to victims’ computers for more than three years. In fact, this is the time of the year when this kind of activity ramps up, leading up to the post-Black Friday end-of-the-year online shopping period.

Well, Alan’s no chump, so he dutifully spam-boxed the junk and went about his business. That simple act of not clicking the link rendered the attack a dismal failure. In fact, it was such a nonissue that nobody would have thought of it again, until precisely the same thing happened again, targeted at a different Solera employee, with more immediately recognizable detail in the second fake message than there was in the first.

Simply by hovering your mouse pointer over the link, you can see the problem with this. Unfortunately, we’ve all become trained to think that this kind of thing is normal. After all, it has become all too common for many businesses to embed links in legitimate messages that point not to the company’s own Web server, but to tracking services whose job is to monitor how many people click the link. Take a look, for example, at this legitimate email from Network Solutions, asking that we log in and verify the WHOIS data on our domain registration.

At least Network Solutions uses a tracker that’s in their same domain space, so you know you’re going to end up somewhere within the domain if you click the link; Many companies link to domains owned by the tracking services, so you really can’t know where it leads without clicking the link.

Phishing a Security Expert? That’s an ass whoopin’

On October 10th, Solera’s CTO Joe Levy, also received an email that appeared to be an order confirmation from — a confirmation for a purchase of a Logitech QuickCam Ultra Vision webcam and a 1TB external hard drive from a company called Freecom, for $483.47. Yeah, the fake order was identical to Alan’s, but this fake confirmation contained Joe’s actual business telephone number (from a previous job), as well as Joe’s full name. It was mailed to his former business email address.

…which is, as you would imagine, not at all hard to come by. A rudimentary level of digging indicates that these three pieces of outdated information are simple to obtain with just a Google search.

If this kind of mass-scale data mining is becoming common, we might have to move the bar that defines what we mean by a “spear phishing attack.” Until now, we’ve called most kinds of targeted phishing attacks in which the recipient is identified a spear phish.

But this is different: Judging by the volume of people complaining about receiving a very similar email, this is merely a conventional malicious email — sad that there is such a thing — that uses spear phishing-like techniques to cull public data and insert it into a bulk mailer, thereby making it more likely to trick the target. The truly scary spear phishing emails are the ones designed to look like they’re coming from a colleague at the same company as the target. This was definitely not one of those. More importantly, the link was live and delivering malware.

The oddly specific contents of the message — and the fact that the link led to a .zip file, which itself contained a Windows executable — caught Joe’s attention. So, of course, he mentioned it to me, and then Alan heard about it, and told us the same thing had happened to him.

By the time we were on the case, the link in Alan’s original spam not only was dead, but the DNS a-record for the domain used in Alan’s message had been expunged. The domain,, had been registered in Singapore only this past June 29th, but – alas – has gone to the big 404 in the sky.

But the domain used in the newer, more specific email,, was only registered (using a Russian domain registrar) on October 10th — the same day the spear phishing message showed up in Joe’s inbox.

We had a live attack targeting a lot of people, we had a real link, and we had the malware sample — so what else are we going to do? It’s like handing a giant lollipop to a baby. Of course we infected some testbeds so we could watch the Trojan in action. And I’ll talk about what came of that in tomorrow’s post.Solera blog stats

%d bloggers like this: