Second Stage Attacks Go Hand In Hand With Targeted Trend
With a seemingly unstoppable upsurge of targeted attacks in recent years, hackers are naturally finding better ways to acquire personal identifying information to really home in on their victims. They're called second stage attacks.
Specifically, second stage attacks are multi-faceted cyber assaults in which the attackers infiltrate a network and steal data from one organization to leverage a more targeted, victim-specific attack on another account.
“Second stage attacks are more effective and more dangerous because of the targeted aspect, and they come more heavily armed,” said Derek Manky, Fortinet senior security strategist. “They have more information on them that's going to let them attack more efficiently.”
Meanwhile, Manky says that these kinds of highly targeted, individualized attacks have gained momentum in recent years due to the proliferation of social media, which gives attackers a wealth of identifying information at their fingertips and the ability to easily launch highly personalized attacks.
Here's one scenario. A hacker targets an employee in a company—acquiring his or her online information from a social networking site such as LinkedIn or Facebook. The hacker sends the victim a phishing email compelling them to click on a link or open an attachment that, when launched, downloads an information-stealing trojan. Among other things, the trojan gleans data on numerous high profile customers. The customer data is then used to conduct a highly targeted social engineering attack on C-level executives in another company in an effort to steal intellectual property and proprietary product information.
"In a similar scenario, user credentials can also be stolen and re-used with success to log into other sites -- since, unfortunately, many people use the same password on multiple sites," Manky adds.
Meanwhile, as targeted attacks become more sophisticated, it stands to reason that attackers will put increased effort into complex attacks that consist of multiple phases. The reason? Simply put, the more targeted an attack, the better chance a hacker has of convincing a victim to click on embedded malware, and the higher the returns. (The mentality could be likened to an aggressive stalker--the more someone is determined to find you, the harder it is to get away.)
And while the generic mass attacks aren't exactly going away, they're losing their effectiveness—and profitability—as more users are catching on to their tactics.
“Generally the click-through rates are much higher with these targeted and second stage attacks than with the blanketed ones,” Manky says. “The generic spam emails, those rates are lower because people are starting to become more educated and aware of those campaigns. Naturally attackers are starting to go to second stage and targeted attacks. And they're easier to execute these days.”
One example of a high profile second stage attack occurred with a major assault against SK Communications/Cyworld. Last year South Korea's SK Communications Co. revealed that a hack into its systems led to other major attacks on two of its subsidiaries—Nate, Korea's third-most visited Web search engine, and Cyworld, the country's biggest social networking site with 25 million users, accounting for half the country's population. Hackers compromised and modified a server so that more than 60 SK Communications computers would receive a trojaned update file when they conducted routine security updates. The trojaned update files came from ESTSoft's update server, which SK Communications used. Once the computers were compromised, the hackers could gain entry into the user databases in order to execute attacks on tens of millions of Cyworld and Nate users.