While this attack sounds fictitious, it already happened. In May 2005, the press exposed a scandal in Israel in which large, well-known companies used Trojan horse programs to spy on their competitors. Unfortunate as it was, this incident gives security professionals a window into a new, more dangerous type of cybercrime known as the targeted attack. Using techniques that phishers have adapted to steal relatively low-value information, such as usernames and passwords from individuals, these new, more sophisticated attackers seek out high-value information, such as confidential documents, and usernames and passwords for internal systems. Some industry pundits have coined this technique "spear phishing."
Spear phishers target companies of all types and sizes. However, because news stories and press releases usually divulge detailed information that can be used to craft a convincing e-mail, companies with a major news presence may be most at risk. On the contrary, it is important to remember that in this age of Google, spear phishers can easily find enough information to craft a convincing come-on.
Less-sophisticated spear phishers often use ready-made Trojan programs to launch their attacks. Organizations with robust, multi-level AV and antispyware defenses (at the perimeter and the desktop) will be able to deflect these targeted "spears." Serious spear phishers, on the other hand, are harder to stop. They typically use spyware to solicit a targeted attack and customized spears that do not trigger perimeter and desktop alarms. Unfortunately, we should expect to see an increase in these attacks because toolkits have made the production of customized Trojans easier and as a result, cheaper.
So, what's an information security practitioner to do? Here are three steps you can use to reduce spear phishing attacks:
- Establish an awareness program to educate executives and employees about the existence and possible consequences of a targeted attack. These attacks rely on human factors to initially penetrate networks and systems; therefore education is perhaps the single most important and effective step an information security department can take to protect their enterprise.
- Have a response plan. Your users should have a clear idea of what to do when they receive a suspicious e-mail or other computer media. They should know to never click on or load onto their computers anything that doesn't look right, and to contact your company's help desk to report the material. Once the suspect material is reported, quickly find out if anyone else received copies and whether they have opened them. If so, this is the time to activate your company's incident response plan because sensitive information may already be compromised.
- Keep records. If you receive what appears to be a "spear phishing" attempt via snail mail, keep all of the packaging it arrived in. Place all materials into a plastic bag, seal it and document everyone that you know has handled it. Maintaining the chain of custody will help law enforcement official do their job if called upon later. In the case of e-mails, make paper copies that have complete sets of headers and store electronic copies on permanent media such as CD-ROM.
In the 1930s, a newspaper asked John Dillinger why he kept robbing banks. "Because that's where the money is," the outlaw replied. Today's outlaws have realized that money is found in the computers of corporate executives. Spear phishing is their weapon and infosec practitioners need to be prepared to handle these targeted attacks.
About the Author
Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (www.liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.
This was first published in March 2006