Targeted Phishing Campaigns Use Missing Malaysian Airline As The Lure


Security experts have predicted that the search for Malaysian Airlines Flight 370 would be used in widespread phishing campaigns, but new evidence uncovered by researchers at security vendor FireEye suggests that cybercriminals are using the high-profile news in a series of targeted attacks.  

FireEye said it uncovered the use of the missing airliner news in an attack against a foreign government in the Asia-Pacific region only two days after the plane went missing. A few days later, a prominent U.S.-based think tank was targeted using the missing jetliner news as a lure, according to FireEye.


The attacks are slipping past traditional security measures that are designed to filter out spam messages and known malware-laden file attachments. The FireEye team detected a custom malware variant connected to the Poison Ivy attack toolkit after an individual attempted to open a malicious document used in the phishing attack. The campaign against the U.S. organization used a bogus Flash video that purported to be information about the airliner. The researchers, Ned Moran and Alex Lanstein, are warning security teams at businesses to inform employees about the potential threat and heighten awareness of phishing. The malware was designed to establish back-door access to maintain a sustained presence on the infected system, the FireEye researchers said.

"While many [advanced persistent threat] actors have adopted strategic Web compromise as a delivery vector, it is apparent that spear phishing via email-based attachments or links to Zip files remain popular with many threat actors, especially when paired with lures discussing current media events," the researchers said in their analysis of the attacks. "Network defenders should incorporate these facts into their user training programs and be on heightened alert for regular spear-phishing campaigns, which leverage topics dominating the news cycle."

Solution providers say exploiting the human element using a phishing attack is often the path of least resistance into an organization. All of the technology in the world won't necessarily stop an employee from making a mistake, said Ben Goodman, president of Enterprise Risk Associates. Goodman, who advises businesses on their information security programs and risk tolerance strategy, said all organizations accept some form of risk, but increasingly they want to create a culture of security by fostering awareness among employees. It's a task that takes a consistent effort over time, Goodman said.

"Fundamentally, we are uncertain about what exactly is living in our environment," Goodman said, speaking to attendees at the SecureWorld Expo regional security conference Tuesday in Boston. "While critical assets are being defended with multiple firewalls, IPSes and so forth are still a major model of the security strategy. Often, those methods provide a false sense of security and that is something we have to be aware about."

Goodman and experts at other solution providers say spear-phishing attacks are used by both financially motivated cybercriminals and those behind many cyberespionage activities because they work. They typically are the first step in an attack to gain access to the corporate network and have been behind many high-profile data breaches.

In addition to tricking users through real-world events, attackers have used phony security updates as bait. Security vendor Sophos detected a phishing attack campaign that masqueraded as an antivirus software update. The attack used a variety of well-known antivirus names, Sophos said.  

PUBLISHED MARCH 26, 2014