Wednesday, May 29, 2013

Tips for detecting cyber espionage attacks - how to find suspicious emails

State-sponsored cyber espionage, or targeted malware, is most often delivered as an email attachment or as a link within the body of an email. The other delivery methods are compromised websites (waterhole attacks) and direct hacking of externally reachable systems such as servers and databases. Email is by far the most common and most successful way to be targeted by a foreign state, but it is also the method best defended against by user awareness.

Typical Targets of APT

  • Human rights groups - Tibet, democracy, etc.
  • Fortune 500
  • Military, foreign affairs, government, and contractors
  • Resources and energy
  • Communications
  • Aerospace
  • Transportation
  • Health Care
  • Emerging Technology
  • Companies that trade with or compete with China

Tips to detect suspicious emails:

  • Themes - socially engineered emails look somewhat related to your interests or business, but are often something general such as a recent news event, or a related theme that you are not actually involved with - for example invitations or attendee lists for conferences you aren't attending.
  • Attachments - RTF, DOC, XLS, PDF, PPT, DOCX, CHM, ZIP, RAR, 7Z, HLP, DMG and APK are common. Links to external websites are also used - if it's a link and you feel it might be safe, hover your mouse over it and check that the actual address matches the link text.
  • Bad names - check the "from" name and the email signature at the bottom - do they match up?
  • Fake email addresses - while a lot of spear phishing comes from Yahoo (or rocketmail) and Hotmail addresses, the name is often someone you've heard of - but is the address legitimate? Businesses - is the CEO or whoever really sending business-related email from their webmail? Also, emails can be spoofed from any legitimate address, including from your organization or businesses that you work with - is the email unusual, or does it have major grammatical or spelling errors?
  • XLS files as a document - XLS files are a popular exploit format - if the email purports to carry a document rather than a spreadsheet, but the attachment is an XLS file, be suspicious.
  • Double content - the email body already contains the subject matter, but there's a PDF or .doc file attached as well. Likewise, both a .doc and a PDF of supposedly the same content probably just carry different exploits.
  • Password protected files - a mysterious zip, .doc or PDF file is sent to you with the password in the body of the email. Don't open it if you weren't expecting it: password protected files avoid most antivirus scanning.
  • Mobile malware - recent attacks have used emailed APK files.
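As an added example that is not part of the original post, the following Python script applies several of the checks above to a raw RFC 822 message: risky attachment types, a spreadsheet where a document was promised, a DOC plus a PDF of the same item, a password in the body alongside an attachment that could be password protected, a From display name absent from the signature, and HTML link text that differs from its real target. The sample message it builds is constructed for the demonstration, and the name-matching and link heuristics are simplifications that will produce false positives on real mail.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types the post lists as common exploit carriers.
RISKY_EXTS = {"rtf", "doc", "xls", "pdf", "ppt", "docx", "chm", "zip",
              "rar", "7z", "hlp", "dmg", "apk"}
PASSWORDABLE = {"zip", "rar", "7z", "doc", "docx", "pdf"}

def ext_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def suspicious_indicators(raw):
    """Apply the post's checks to one RFC 822 message; return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    exts = {ext_of(n) for n in names}
    findings = [f"risky attachment type: {n}" for n in names if ext_of(n) in RISKY_EXTS]
    if "xls" in exts and re.search(r"\bdocument\b", text, re.I):
        findings.append("body speaks of a document but the attachment is a spreadsheet")
    if {"doc", "docx"} & exts and "pdf" in exts:
        findings.append("double content: the same item as both DOC and PDF")
    if PASSWORDABLE & exts and re.search(r"\bpassword\b", text, re.I):
        findings.append("password-protected attachment with the password in the body")
    # The From: display name should match the signature at the bottom (simplistic check).
    display, _ = parseaddr(str(msg.get("From", "")))
    surname = display.split()[-1] if display else ""
    if surname and surname.lower() not in text.lower():
        findings.append(f"From name '{display}' does not appear in the signature")
    # Link text that looks like a URL but whose real target differs.
    for href, label in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', text, re.I | re.S):
        label = re.sub(r"<[^>]+>", "", label).strip()
        if label.startswith("http") and label.rstrip("/") != href.rstrip("/"):
            findings.append(f"link text {label} hides target {href}")
    return findings

def sample_message():
    """Constructed sample, not a real email: DOC and PDF of one item, password in body."""
    msg = EmailMessage()
    msg["From"] = "Alice Wong <alice.wong.1977@webmail.example>"
    msg["Subject"] = "Conference attendee list"
    msg.set_content("Attendee document attached. The password is 2013.\n\nRegards,\nBob Chen")
    msg.add_attachment(b"\xd0\xcf\x11\xe0", maintype="application", subtype="msword", filename="attendees.doc")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="attendees.pdf")
    return msg.as_string()
```

Running `suspicious_indicators(sample_message())` on the constructed message yields five findings; a plain message whose signature matches its From name and carries no attachments yields none.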


Avoidance: be aware that any business, organization or human rights group could be targeted by an APT, and educate users about the types of emails that should be investigated. Once a user notices one attack, expect more: they can recur as often as daily, for years in some cases. If you're suspicious of the attachments or links, call the person who supposedly sent you the message to see if it's legitimate.

Patching: while zero-day exploits regularly surface in APT attacks, attackers often target office document and PDF software, which is not patched as often as the operating system. In addition to your operating system and web browser, patch your Office and PDF applications and turn on automatic updating. We track the top threats for office documents and PDF documents.

Detection: Commercial AV will have a very low detection rate for targeted malware using document exploits. Upload and scan suspicious documents with Cryptam, and PDFs with PDFExaminer.

Example Phishing Email Resource

For real-life examples of better socially engineered APT email attacks, check out the Contagiodump blog.