Spear phishing: Don't be a target

While this attack sounds fictitious, it already happened. In May 2005, the press exposed a scandal in Israel in which large, well-known companies used Trojan horse programs to spy on their competitors. Unfortunate as it was, this incident gives security professionals a window into a new, more dangerous type of cybercrime known as the targeted attack. Using techniques that phishers have adapted to steal relatively low-value information, such as usernames and passwords from individuals, these new, more sophisticated attackers seek out high-value information, such as confidential documents, and usernames and passwords for internal systems. Some industry pundits have coined this technique "spear phishing."

More Information Learn seven emerging trends among virus and worm writers and how to prevent them. Use this guide to protect against spyware. Learn how to develop an effective incident response plan.

Spear phishers target companies of all types and sizes. However, because news stories and press releases usually divulge detailed information that can be used to craft a convincing e-mail, companies with a major news presence may be most at risk. On the contrary, it is important to remember that in this age of Google, spear phishers can easily find enough information to craft a convincing come-on.

Less-sophisticated spear phishers often use ready-made Trojan programs to launch their attacks. Organizations with robust, multi-level AV and antispyware defenses (at the perimeter and the desktop) will be able to deflect these targeted "spears." Serious spear phishers, on the other hand, are harder to stop. They typically use spyware to solicit a targeted attack and customized spears that do not trigger perimeter and desktop alarms. Unfortunately, we should expect to see an increase in these attacks because toolkits have made the production of customized Trojans easier and as a result, cheaper.

So, what's an information security practitioner to do? Here are three steps you can use to reduce spear phishing attacks:

1. Establish an awareness program to educate executives and employees about the existence and possible consequences of a targeted attack. These attacks rely on human factors to initially penetrate networks and systems; therefore education is perhaps the single most important and effective step an information security department can take to protect their enterprise.

2. Have a response plan. Your users should have a clear idea of what to do when they receive a suspicious e-mail or other computer media. They should know to never click on or load onto their computers anything that doesn't look right, and to contact your company's help desk to report the material. Once the suspect material is reported, quickly find out if anyone else received copies and whether they have opened them. If so, this is the time to activate your company's incident response plan because sensitive information may already be compromised.

3. Keep records. If you receive what appears to be a "spear phishing" attempt via snail mail, keep all of the packaging it arrived in. Place all materials into a plastic bag, seal it and document everyone that you know has handled it. Maintaining the chain of custody will help law enforcement official do their job if called upon later. In the case of e-mails, make paper copies that have complete sets of headers and store electronic copies on permanent media such as CD-ROM.

In the 1930s, a newspaper asked John Dillinger why he kept robbing banks. "Because that's where the money is," the outlaw replied. Today's outlaws have realized that money is found in the computers of corporate executives. Spear phishing is their weapon and infosec practitioners need to be prepared to handle these targeted attacks.

About the Author
Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (www.liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Windows registry forensics: Investigating system-wide settings Weaponizing Kaminsky's DNS discovery Debian: A niche OS with a not-so-niche security flaw Web advertising exploits: Protecting Web browsers and servers Ransomware: How to deal with advanced encryption algorithms Hidden endpoints: Mitigating the threat of non-traditional network devices Protecting exposed servers from Google hacks (and Google 'dorks') Countermeasures against targeted attacks in the enterprise Windows registry forensics guide: Investigating hacker activities More built-in Windows commands for system analysis Phishing Product Review: Sophos Endpoint Security and Control 8.0 EV SSL certificates won't stop phishers, researchers say Apple iPhone mail, Safari prone to spoofing ING hopes to cut phishing attacks with encryption software Companies still monitoring email manually, survey finds Trojan downloaders, droppers skyrocket, Microsoft says New phishing, Zeus Trojan technique spreads crimeware New Storm attack exploits April Fool's Day Clinton, Obama campaigns used in spam blasts How secure is online banking today? Phishing Research Viruses, Worms and Other Malware Product Review: Sophos Endpoint Security and Control 8.0 Researcher disinfects multimedia Trojans Researchers develop cloud-based antivirus Web advertising exploits: Protecting Web browsers and servers SaaS startups enter Web security gateway market Hoffman to demonstrate new hacking techniques Analysis tool uses Intel virtualization to hide from malware How can widget malware on social networking sites threaten enterprises? How can an enterprise-wide network remain resilient against denial-of-service (DoS) attacks? Microsoft Word zero-day being actively exploited RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary crimeware  (SearchSecurity.com) pharming  (SearchSecurity.com) phishing  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) spear phishing  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.