In the recent upsurge of high-profile attacks, spear phishing has been the tool of choice for hackers to compromise an organization.
Spear phishing is the targeting of specific companies or individuals, using hand-crafted messages meant to trick them into divulging personal or confidential data for unauthorized use. Malicious hackers know people are the weakest link, and that, even if a company has a $10 million security budget, it only takes one user’s mistake to compromise its defenses.
Spear phishing is a far more focused approach than normal phishing. Instead of a mass email sent to a wide swath of people, spear phishing focuses on one particular user or organization. Emails or messages sent under this guise generally employ specific, carefully researched details about the person or company in order to seem authentic. These are targeted attempts that have been maliciously crafted for a purpose: Usually, to gain specific corporate IP or personal information. This tip will offer advice on how to stop phishing and spear phishing attacks from tricking corporate users.
Phishing attacks have risen 12% year over year for the past few years, according to Internet Identity, with spear phishing leading the charge. And, as with the recent Epsilon email breach, it's not just that such an attack can yield customer emails and names, or organizational information, for attackers; it's that spear phishers probably already have plans for what they are going to do with the data they compromise. Having a list of names, companies and email addresses allows attackers to harvest a bounty of stolen data from victims whose information has already been breached, because attackers can use this information to craft more sophisticated attacks. The data breached in the Epsilon attack was significant, but the additional data that could be stolen using it may be even more noteworthy.
Let's review a few spear phishing examples:
Example 1 - John Smith is a senior chemical engineer working on a high-profile project for a cutting-edge pharmaceutical company. John receives an email purportedly from his college asking him if he’d like to participate in an alumni panel as a guest speaker. The email references an attachment with more details on the event and an attachment to fax back to the alumni office. John clicks the attachment and nothing happens; John Smith has been speared.
An attacker using a spear phishing campaign to compromise an organization is going to do his homework. In this case, all he might have done is use the Internet to find out where John Smith went to college and craft a fake letterhead with the department head's name on it (information also freely available on the Web). The payload here is the malicious software in the attachment. Once John Smith clicked the attachment, his workstation was compromised with malicious software.
A security awareness program should include training to safeguard against these types of attacks. Users should be taught that they should use company email for corporate use only, thus limiting some of the potential ways users’ email addresses would get out onto the Internet. Users should also be taught not to open attachments from sources that they’re not familiar with. In this case, John Smith trusted the sender because he had a previous experience with the school, leading him to believe it was safe. A social networking policy should be considered to hide or limit the information that employees can show on their LinkedIn page. Social networking sites are an excellent tool for spear phishers to use against victims. Limiting what your employees show on social networking sites about the organization will assist in your security posture. Lastly, spam gateways should be configured to block any executable coming into the network via mail by default.
Example 2 – Jane Doe receives an email from her bank, which we’ll call BigBank.com, telling her that she’s been selected to receive double frequent flyer miles on her credit card for the next three months. The email includes a link to fill out a form at https://bigbanks.com to complete the newly offered frequent flyer program. Jane makes sure the link is SSL protected and proceeds to fill out the form with all her personal information. After she’s done, a window pops up saying her profile has been updated successfully. Jane Doe has been speared.
Spear phishing emails are frequently used to drive traffic to malicious websites, but it’s getting increasingly difficult for the average user to decipher what’s authentic. In this example, the legitimate website of Jane Doe’s bank is https://bigbank.com, but the phishing email had a link to https://bigbanks.com. Just adding an “s” to the domain creates a similar domain name that the user might not notice is different from the actual domain of his or her bank. Many users now check whether a site is SSL encrypted, and in this case it is; the encrypted connection simply goes directly to the malicious site. Jane Doe entered all her personal information into a site that had the look and feel of her normal banking experience, with the SSL protection adding a false sense of security. Many users operate under the false impression that an SSL link is inherently secure.
Once again, security awareness training needs to evolve as the attacks evolve. A few years ago users were taught that if a website URL used HTTPS, they were safe. The bad guys know this and use this misconception to their advantage. Educating your employees or customers takes more than a one-time course; it needs to be done constantly via training, company newsletters and face-to-face sessions so that, as attacks change, training and avoidance tactics evolve as well. The company also has to set expectations for what being secure means. In this example, the “Big Bank” should let its customers know it would never ask them for personal information via email, and that they should report any such request if they receive one.
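A defender-side check for the lookalike domain in this example, added here as an illustration and not part of the original article: it pulls the links out of a message body, compares each hostname against a list of the bank's legitimate domains, and flags near-miss names such as bigbanks.com regardless of whether the link uses HTTPS. The legitimate-domain list and the sample message are constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Domains the bank legitimately uses; a constructed list for this example.
LEGITIMATE_DOMAINS = {"bigbank.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(hostname: str) -> str:
    """Last two labels of the host; a simplification that ignores multi-part suffixes."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_url(url: str, legitimate=LEGITIMATE_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for one URL.
    The scheme is deliberately ignored: HTTPS proves nothing about who owns the domain."""
    domain = registrable_domain(urlparse(url).hostname or "")
    if domain in legitimate:
        return "legitimate"
    name = domain.split(".")[0]
    for good in legitimate:
        brand = good.split(".")[0]
        # Close edit distance (bigbanks vs bigbank) or the brand embedded in the name
        if levenshtein(name, brand) <= max_distance or brand in name:
            return "lookalike"
    return "unknown"

def flag_lookalike_links(email_body: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every link in the body that is not on a legitimate domain."""
    results = []
    for url in URL_RE.findall(email_body):
        url = url.rstrip(".,;:)")  # strip sentence punctuation glued to the link
        verdict = classify_url(url)
        if verdict != "legitimate":
            results.append((url, verdict))
    return results

# Constructed sample message modelled on the Jane Doe example above.
SAMPLE_EMAIL = """You have been selected for double frequent flyer miles.
Enroll at https://bigbanks.com/flyer and review your profile at https://bigbank.com/profile."""
```

Calling `flag_lookalike_links(SAMPLE_EMAIL)` returns only the bigbanks.com link, marked as a lookalike; a mail gateway or user-reporting workflow would quarantine or annotate such messages rather than trusting the padlock.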
As illustrated by the examples above, spear phishing is a more focused attack method than generic phishing. Generic phishing is purely a numbers game: The more people who receive an email, the more likely it is one of them will click on the infected link. With generic phishing, many of today's filtering technologies will block suspicious-looking inbound email and phishing sites, mainly because they’ve been seen so frequently.
With spear phishing, there’s a good possibility an email will fly under the radar: antiphishing systems often fail to detect it because it doesn’t include links to a known malware site (in fact, the site may not have been referenced in any other email), and users often fail to question its legitimacy because it looks legitimate.
Even with all the fail-safes in place, including state-of-the-art filtering technologies, people are still going to fall for phishing attacks. Using spam and Web content filters and providing a steady diet of information security awareness to users should help guard against these types of attacks.
Finally, hiring third-party vendors to attempt spear phishing or phishing campaigns against your company is a good way to determine if your training is working. It will show you places that might need more education, and departments that are doing a good job. This is an invaluable lesson, because it’s great to know where you can perform better before it’s too late. People need to be educated on the attacks, what to look for, and how to follow policy and procedure. Having an educated user force can save people from being fooled both corporately and personally.
About the author:
Matthew Pascucci has more than 10 years of experience in IT and is currently an information security analyst in the financial sector. He holds multiple certifications and is actively involved with InfraGard to help educate others in information security. You can follow his blog at www.frontlinesentinel.com or on Twitter at FrntLineSentneL.
This was first published in September 2011