Is your company fair game for a spear phishing attack? Scott Greaux, Vice President, Product Management and Services at PhishMe, offers some tips to avoid getting spiked by the latest hacking technique.
Gartner’s 2012 Magic Quadrant for Secure Email Gateways (SEG) had some alarming news: “Phishing attacks continue to oscillate, while more targeted phishing attacks increase.” In other words, phishers are getting smarter. Epsilon, RSA and the US Department of Energy have already become already high-profile victims and they won’t be the last. With so-called ‘spear phishing’ on the rise what can organisations do to avoid joining them in the phishing hall of shame?
The evolution of phishing
Traditional phishers disguise themselves as legitimate businesses, and encourage individuals to visit fake websites from which they farm usernames and passwords in order to access more valuable data stored on corporate networks. It is a fairly crude technique that involves mass email communication, and the hope that at least one individual will respond.
In contrast, spear phishers use techniques that are drawn from modern marketing methods. Rather than sending a blanket email to millions of addresses, they select a small group of individuals at their proposed target company, and create carefully tailored messages that are relevant to the recipients.
This is what happened at RSA. Two different emails with the subject line “2011 Recruitment Plan” were sent to a handful of employees. One person was tempted by the subject, opened the email and clicked on its attachment. Their action unleashed a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability, with inevitable results…
Spear phishers don’t always limit themselves to attacking single organisations: whole sectors have come under fire. Last year, it was confirmed that a spear phishing campaign named ‘Nitro’, which was designed to steal R&D and other valuable data, hit the chemical and defence sectors among others. The aim of the attack was to access highly sensitive information about chemical compounds and advanced materials used by the military. Analysis of the 100 affected computers traced the attacks back to a phishing email campaign.
Early victories
Spear phishing is attractive to attackers because it is so effective. There are two primary reasons:
1) A smarter kind of criminal
Just like legitimate business, the most effective spear phishing attacks will be based on understanding the market. Criminals research, collect and cross-reference data about the organisation they are targeting, as well as the people who work there. Messages are tailored and look like standard business communications that people would ordinarily expect to receive. The Nitro attack relied on just a few emails that appeared to be a meeting invite from business partners. When larger numbers were sent, they claimed to be a security update.
2) A confused response
Because spear phishing uses technical means to attack organisations, the standard response has been to rely on technical controls, such as anti-virus software. Less emphasis has been placed on informing and educating users. Unfortunately, as the public attacks last year demonstrated, this is the wrong way round. Because people don’t expect their inbox to contain anything other than legitimate business communications, when an illegitimate mail arrives they are unlikely to be suspicious.
Taking on spear phishing
Spear phishing attacks are in fact very human affairs. People’s idiosyncrasies are targeted, and attacks are designed to exploit people’s emotional responses: fear, curiosity, and greed. So although software solutions can provide part of your defence platform, they should only be one part of the solution. Anti-virus technologies and filters can be used to remove basic, generic attacks, while users are educated to spot signs that an email is illegitimate, and policies and procedures are developed for reporting anything suspicious.
Despite the care that spear phishers put into their campaigns, there are almost always telltale signs that indicate all is not well. It is essential that your users know what to look for in both the behaviour of the sender and the content of the email. The answers to the following questions can help determine whether an email is genuine or not.
The sender
•Is the sender known to the recipient, and are they using their standard email address? An email that appears to come from the CEO but is sent from a web-mail account should raise a red flag.
•Is the recipient expecting that message? And is the sender behaving in a way that is expected? Any deviation from normal behaviour should ring alarm bells whether that is distributing GIFs, encouraging people to click on a link, or forwarding chain mail.
•Does it sound legitimate? There are plenty of people who are surprised to discover that UPS has a parcel for them when they haven’t ordered anything: the email informing them is certainly illegitimate, but they will still respond.
The content
•What kind of response is the email trying to provoke? Phishing attacks usually work because they provoke an emotional response in the reader. Any emails intended to evoke fear, greed or curiosity should be treated with caution.
•Is it too good to be true? It is impossible to win an iPad in a company raffle when you haven’t bought a ticket or there is no raffle – whatever the congratulatory email says.
•Is the email specific to the user and does it make sense? Criminals may rely more on personal data but they still keep messages generic enough to pique the interest of many recipients.
•Does your IT support company request usually ask you to click a link to install a software update? And, if it does, is the link they have sent you a recognisable address? If not someone may be trying to send you to a false site.
•Finally, what is the spelling like? Formal communications are usually checked before they are sent out. Poor writing and bad grammar are often an indicator that all is not as it seems.
Of course, most inboxes contain messages that fall under one of these categories – email is still regarded as an informal communication tool and errors and oddities occur. But an email that ticks a number of these boxes should be treated with caution.
Procedures
The power to defeat a spear phishing attack is distributed throughout the workforce. So how do you make sure that that all users are up to speed?
•Use immersive training techniques: mock up a typical phishing email, send it to users and provide immediate feedback in the form of education to anyone who falls for the scam. Repeat, but vary the attack method, emotional manipulation techniques and themes, to make users more aware and more resilient to attacks.
•Routinely remind users of the need for caution when clicking links or opening attachments. Encourage them to use alternative communications channels – such as a phone call or a face-to-face meeting – to verify the email with the sender if they aren’t sure that it is genuine.
•Should a malicious email subvert your controls and land in a user’s inbox, encourage them to forward it to the person within the organisation best placed to determine its authenticity rather than simply deleting it. Once the message has been examined, let the user know what the outcome was so they can learn from the experience.
•Share information with employees about the types of attack that have been received elsewhere in the organisation so that mistakes don’t spread.
•Display examples of phishing emails on your intranet so any suspect emails can be checked against others previously received.
It is possible to avoid becoming the victim of even the most determined spear phisher but the key to your defence is user engagement and understanding. Setting standards for responsible email management and encouraging good habits among users is the most effective way to address the problem. Not only will education ensure people continue to do the right thing against spear phishers, it will put you in the best position to address whatever the criminal fraternity decides to throw at you.
