RSA recently discovered a phisher using free Web analytics tools to gather data on the success of his attacks, including the number of hits, best time to send out attacks and so on. Are there any resulting trends or data points that enterprises can use to augment or tune defenses?
Organized cybercrime is big business, and like any business, those involved want to know the effectiveness of each tactic they deploy. It's to be expected that criminals would make use of Web analytics tools to gather statistics on how well specific phishing campaigns are performing and the systems people are using when visiting their sites.
These attack statistics can help them decide the best time to send phishing email, the accuracy of a purchased email list and which of their sites is most effective at duping innocent victims. There's also evidence of cybercriminals combining Web analytics with common marketing techniques such as A/B testing to identify the most effective types of email -- for example, the phishing hooks that get the highest open rates and most click-throughs or the Facebook posts that generate the most likes and victims.
Ask a question
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email: firstname.lastname@example.org.
To get a sense of when organized cybercriminals are most active, we have to rely on cybercrime statistics from the big antivirus vendors and other security firms involved in data breach investigations. According to the Trustwave 2012 Global Security Report, the majority of executables and viruses are sent in the early morning hours, hitting a peak between 8 a.m. and 9 a.m. Eastern Standard Time. The aim is clearly to catch people as they check email at the beginning of the day. Interestingly, August and September proved to be the most popular months for emailing viruses. This may be because IT departments are more likely to be short-staffed during the summer holiday period. Big news stories, such as the death of a celebrity like Steve Jobs or Whitney Houston, also correlate with a spike in the amount of scam email being sent.
Criminals who have already compromised a network typically try to extract the data on weeknights, except when it's a major U.S. or foreign holiday. Bots and Trojans typically operate between the hours of 10 p.m. and 4 a.m. The two probable reasons behind this trend are (1) network activity on the weekend that is more likely to appear anomalous with normal traffic flows, and (2) fresh data that is more likely to be generated during the working week.
To combat these bursts of activity, gateway processes can be given access to more resources during the early hours to process increases in spam, but the best defense is to tune firewalls and intrusion detection systems to look for any activity that is outside the bounds of day-to-day business. This requires recording normal behavior to establish a baseline of standard activity so that any divergence from regular activity, usually a sign of attack, can be more easily spotted. Also, firewall rules need to be established that reflect company practice. For example, if the last employees from the sales department have to leave their desks by 8 p.m., then any traffic emanating from that segment of the network needs to be blocked and investigated.
Criminals are always looking for ways to pass through network controls undetected. If an enterprise understands the makeup of the traffic on its network, detecting malicious traffic becomes easier no matter when organized cybercriminals try to infiltrate a network.
This was first published in September 2012