- Security TWENTY
- Women in Security
A spear phishing simulation product company predicts that phishers will be changing their tactics in 2013 – resorting to targeted spear phishing emails rather than the mass mails of the past.
Spear phishing is a tool for criminals targeting specific individuals or companies by masquerading as a trustworthy, legitimate electronic communication but with a sinister intention. They don’t send out thousands or millions of mails any more, instead they pick a handful of individuals inside the companies they want to infiltrate, and then they very carefully research them and tailor the message so that it is relevant to the recipient, or uses emotions such as fear, greed or curiosity, to get the recipient to react – either by clicking a link, opening an attachment or providing personal information. That action can then let the hacker gain access to the corporate network in order to acquire sensitive information such as usernames, passwords and R&D information etc.
Rohyt Belani, CEO at PhishMe says: “If 2012 was the year of BYOD, 2013 will be the year of mobile malware designed to take advantage of it. We have seen a growth in consumer apps that violate privacy, for example by tracking your GPS data, but in 2013 we will see criminals targeting mobile device users, specifically with the intention of getting inside their corporate email system.”
“For example, if a user receives an email (or SMS) that appears to be from a friend, suggesting that they check out a wonderful new app, then they can easily be tricked into clicking a link they shouldn’t. (Especially as it is much harder on a mobile device to check the underlying URL for a link or the email headers – signs that will show an experienced user that something isn’t quite what it seems.) Just one click could install malware on the device, which accesses your corporate email account and sends out emails to your colleagues, perhaps directing them to another link to download more malware onto your corporate network.”
He adds: “If users have devices that they use for both personal and corporate purposes, they must be security aware. Just like your colleagues wouldn’t appreciate you coming into a work with the flu, because you might pass it on to them, don’t let your infected mobile device do the same to the corporate network! It all comes down to user education – so unsuspecting employees don’t fall victim.”
In addition, Rohyt believes that we will see an evolution in the type of spear phishing emails users might receive. He says: “Currently a phisher might send an email to John saying ‘It was great to meet you at XYZ event last week, here’s a link to some of the research we covered on the day which might be interesting to you’ (because the criminal has seen from his Twitter feed that John was at an event last week). But John might not remember meeting that person and might feel a bit suspicious and not click on the link. However, criminals are starting to build up trust by using a two-pronged approach to spear phishing to try to make the automated emails seem more human. So the criminal might initially send an email to John saying ‘It was great to see you at XYZ event last week, I’m just working on a report that I think you might find interesting – I’ll send it over to you tomorrow.’ And lo and behold, tomorrow comes, John receives the email he has been told to expect, and his defences are down – so he is much more likely to click the link. And the criminal has his way in to the network. The best technological defences are unlikely to stop an email like this, so you have to train your users what to look out for.”
Spear phishing attacks are performed by humans, against humans. For that reason, while software exists, relying on technology alone is not enough, it is claimed. Instead, companies are said to need to employ a holistic approach – antivirus and filters that will remove more basic, generic attacks, combined with immersive education that measures and changes behaviour so that end users become sensitive to warning signs, and understand the correct process they need to report suspicious emails.