Over the past few years, people have come to expect standard phishing attacks. Not only are we suspicious of emails from people we don’t know, today we even suspect perfectly legitimate emails from the likes of PayPal and Amazon.
Besides the advancing knowledge and savviness of consumers, the majority of corporations have also now invested in advanced email gateways that do an excellent job of protecting their users from receiving phishing emails in the first place.
Unfortunately, the decline in successful phishing attacks has not gone unnoticed by the perpetrators and this means that cybercriminals have also upped their game. In order to get around gateways and allay suspicions, a more targeted and insidious attack is required – today it’s spear phishing that is the weapon of choice, delivered by email.
But it is not simply a valid email address that ensures the success of spear phishing. These attacks are far from the random, rapid and scattered attempts that phishing employs.
Victims of spear phishing are carefully chosen, researched and considered prior to the first email attempts to gain the user’s trust.
In the Francophoned attack, for example, the administrative assistant of a vice president at a French-based multinational company received a phone call purporting to be from another company vice president. He instructed her to process an invoice she had received via email a few minutes earlier. The caller was an imposter and the ‘invoice’ was a remote access trojan (RAT) configured to contact a command-and-control server in Ukraine.
The IT team itself is also far from immune to these advances – with their privileged access, administrative rights, and a tendency to exclude themselves from some of the protections that the rest of the company enjoy. They are often the target for spear-phishing attacks, as the attackers know these users will probably have elevated privileges within the IT environment, and access to the systems used to manage the organisations IT.
The lengths that criminals will go to in order to be perceived as a trusted source are considerable, and extremely concerning. Weeks of work will go into researching and developing exactly the right, plausible email, and it may be many more months or even years before the malware is deployed, as each message is innocently forwarded and passed around the company.
While smaller companies might assume they are safe from these methods, attackers have also been known to attack a third or even fourth party removed from the major corporation they are attempting to access.
From legal firms to vendors to suppliers, there seem to be few avenues that these criminals have not targeted. As was the case with the Target data breach, where a suppliers network credentials were stolen and used to access Target’s IT systems.
So how to defend an organisation from this new threat? The first step is to understand both the attackers and their methods.
Begin by asking what motives someone might have to attack the organisation – what information would be beneficial to competitors and which data simply cannot be lost or modified? That is most likely to be a target and therefore requires the greatest protection.
Secondly, ensure that users are educated. Make sure all staff members are taught how an attacker may structure the attack, how an email address or phone number can be easily faked, and how hyperlinks can take users to an expected destination.
After addressing education, it’s important that user behavior is also considered. This means showing users how to hover over hyperlinks to see where they actually point to, how to recognise suspicious text and grammar, and what to do if they receive a suspicious email.
>See also: ‘Cyber resilience’ is the new boardroom priority
Finally, address the technology. While anti-virus solutions have proven to be largely ineffective at preventing spear phishing, there are other technical solutions that are effective.
Some of the latest are able to automatically rewrite any and all URLs in inbound emails, scanning each target webpage and ensuring that each time a link is clicked on by the end-user, it is clean and risk free. Do the homework and invest in the right systems.
Sourced from Orlando Scott-Cowley, director of technology marketing, Mimecast