While reading some online security articles, one in particular stood out. What made it stand out was how the story was told; it wasn’t just a pile of technical jargon that is tough to decipher. Sure, there were technical points, but the way the author detailed his experience made the story far more relatable to what users face in the real world. Even for those of us who are somewhat security-aware, this blogger’s perspective sheds light on what security folk may go through too.
Spear-phishing, a targeted and often sophisticated phishing attempt, happens, and it sometimes works. Even those who are security-conscious and know what to look for can fall for such attempts, and if the attack succeeds their computers become infected.
In the case of our story, the target (the blog writer) received an email requesting his participation as a judge for an award at a prestigious university. Despite doing his due diligence in verifying its authenticity, he eventually dropped his guard. The email domain checked out and the university was well known; the only reservation was that the author of the email had no online presence. This didn’t faze him, since not everyone has an online presence or social media accounts. So far, I can see myself believing such an email to be authentic.
However, embedded within the email body was a link to a resource hosted on the legitimate website of said university. The author continued down his security checklist and analyzed the link. The only odd thing that stuck out was the directory path, but some websites do that, and he gave it no further thought. Again, about what I would have done.
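To make that link check a little less hand-wavy, here is a small Python script I’m adding as an example (it is not from the original article or from the blogger it discusses). The email body, the hostnames and the sender domain in it are all made up. It pulls every link out of an HTML email and flags three things: anchor text that claims a different host than the real target, a target host that isn’t actually under the sender’s domain (lookalikes), and odd paths or plain http even on the right host. The lookalike and display-text checks go a bit beyond what the story describes, but they are the checks most of us run in our heads anyway.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body for this example (not the real email from the story).
# Link 1: legitimate host, but an odd path. Link 2: mailto. Link 3: lookalike host.
SAMPLE_HTML = """
<p>Dear Professor, the award details are at
<a href="http://www.example-university.edu/~tmp/.hidden/award.php">
www.example-university.edu/awards/2013</a>.</p>
<p>Contact: <a href="mailto:committee@example-university.edu">committee@example-university.edu</a></p>
<p>Log in at <a href="http://example-university.edu.attacker.example/login">https://example-university.edu/login</a></p>
"""

SENDER_DOMAIN = "example-university.edu"  # assumed: the (already verified) domain the mail came from

# Anchor text that looks like a URL or host, e.g. "www.foo.edu/awards" or "https://foo.edu/x"
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)
# Path components that are unusual for a university content page: user home dirs,
# hidden directories, temp dirs, and direct downloads of executable-ish files.
SUSPICIOUS_PATH = re.compile(r"/~|/\.|/tmp/|\.(?:exe|scr|jar|zip)$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host):
    """Lowercased hostname of a URL, or of a bare 'host/path' string."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (not a lookalike)."""
    return host == domain or host.endswith("." + domain)


def triage_link(href, text, sender_domain=SENDER_DOMAIN):
    """Return a list of human-readable findings for one link (empty = nothing odd)."""
    findings = []
    parsed = urlparse(href)
    if parsed.scheme not in ("http", "https"):
        return findings  # mailto:, tel:, etc. are out of scope here
    link_host = host_of(href)

    # 1. Does the visible text claim a different host than the real target?
    if LOOKS_LIKE_URL.match(text):
        text_host = host_of(text)
        if text_host != link_host:
            findings.append(f"display text says {text_host} but link goes to {link_host}")

    # 2. Is the target actually under the sender's domain, or a lookalike?
    if not under_domain(link_host, sender_domain):
        findings.append(f"host {link_host} is not under {sender_domain}")

    # 3. Plain http and odd paths are worth a second look even on a trusted host.
    if parsed.scheme == "http":
        findings.append("plain http, no TLS")
    if SUSPICIOUS_PATH.search(parsed.path):
        findings.append(f"unusual path {parsed.path}")
    return findings


def triage_email(html, sender_domain=SENDER_DOMAIN):
    """Map each href in the email body to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: triage_link(href, text, sender_domain) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in triage_email(SAMPLE_HTML).items():
        print(href, "->", findings or ["nothing odd (which still does not mean safe)"])
```

The first link is the one that matters for this story: it passes the host checks exactly as the blogger’s did, and only the path looks odd. An empty findings list means nothing stood out, not that the page is safe; a 0-day served from a legitimate host sails through every check here.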
Having clicked on the link to read more details, the target unknowingly walked into an active trap: a 0-day exploit for the Firefox web browser that allowed a drive-by download. Fortunately for our friend, he was using Google Chrome, and that is what saved him from the exploit. Others may not have been as lucky.
This is a tough predicament to be in. From a security standpoint, speaking for myself now, how do we assess 0-day vulnerabilities in our trusted web browsers? Unless you read your email in a virtual machine (VM) or something to that extent, how can you be sure of any link you click on in an email? A link that leads to a compromised server hosting code that exploits an unknown vulnerability isn’t something you can easily spot. Sure, reading your email in a VM can protect you from this scenario, but then consider that the downloaded code could escape the VM and reach the physical host as well, and we must put on our tin foil hats. Further, is it feasible and practical in the real world to always read your email inside a VM?
Aside from the common “update your software” and “use firewalls” suggestions, and the VM tactic above, the next best option is simply not to open links from anyone, even people you know. That seems impractical, but it’s the truth. If you don’t want to stop there, we turn to the good old “layered security” approach, where you combine various security services. Sure, a firewall may not prevent an unknown exploit from being used against a web browser’s drive-by vulnerability. However, the payload it downloads may match a known signature and therefore be blocked by a signature-based firewall or intrusion prevention system. Welcome to the new age of Internet security.