To give credit where it’s due, traditional phishers have matured. Rather than the spammers of yesterday, today they masquerade as legitimate businesses, encouraging individuals to visit fake websites.
Their intention is to farm usernames and passwords to gain access to the valuable data stored on corporate networks. However, the technique itself is still fairly crude, relying on mass email communication with the hope that at least one individual will be lured into their trap.
Conversely, spear phishers have turned professional. Using techniques modelled on modern direct marketing methods, they select a small group of individuals at a target company. They then research these individuals to carefully create a tailored message that is relevant to these recipients, and one they’d expect to receive.
The reality is spear phishing attacks work, for two reasons:
1) False security
Spear phishing is a technical attack and many misguidedly assume technical controls, such as anti-virus software, will protect them. Unfortunately, as the Nitro attacks last year demonstrated, this isn’t true. The campaign, designed to steal R&D and other valuable data, hit the chemical and defence sectors among others. The aim of the attack was to access highly sensitive information about chemical compounds and advanced materials used by the military. Analysis of the 100 affected computers traced the attacks back to a phishing email campaign.
2) Criminals are getting smarter
Just as with a successful business, criminals recognise that understanding their target market is key to launching an effective spear phishing attack. And it works! RSA is testament to that. Two different emails were sent to a handful of employees with the subject line “2011 Recruitment Plan”. A single individual’s interest was piqued and they opened the message and clicked on its attachment. Their action unleashed a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability, with inevitable results.
Organisations need to stop thinking of spear phishing attacks as technical and start treating them as a personal assault. People’s idiosyncrasies are targeted and attacks are designed to exploit people’s emotional responses of fear, curiosity, and greed. So although software solutions can provide part of your defence platform, they should only be one part of the solution.
Despite the care that attackers put into their campaigns, there will almost always be something amiss to give the game away. The following can help determine whether an email is genuine or not.
What it says
- While criminals will tailor the message, it will still be generic enough to be interesting to many, so question if it is really relevant to the recipient;
- Phishing attacks usually work because they provoke an emotional response in the reader. If it evokes fear, greed or curiosity it should be treated with caution;
- It is impossible to win a case of sparkling wine in a raffle when you haven’t bought a ticket or there is no raffle – whatever the congratulatory email says;
- Does your IT support usually ask you to click a link to install a software update? And, if it does, is the link they have sent you a recognisable address? If not someone may be trying to send you to a false site;
- Finally, what is the spelling like? Formal communications are usually checked before they are sent out. Poor writing and bad grammar can be indicators that all is not as it seems.
Who’s saying it?
- Is the sender known and are they using their standard email address? Would the CEO really send a message from a webmail account?
- Is the recipient expecting that message? And is the sender behaving in a way that is expected? Any deviation from normal behaviour should ring alarm bells, whether that is distributing gifs, encouraging people to click on a link or forwarding chain mail.
Everyone has a role
Because people don’t expect their inbox to contain anything other than legitimate business communications, when an illegitimate mail arrives they are unlikely to be suspicious. This is where the problem – and the answer – lies.
Users need to know that email is not a trusted communication channel and exercise caution when clicking links or opening attachments. Encourage them to verify the email with the sender if they’re concerned.
Immersive training techniques are effective at drilling the message home. Send test messages to users and provide immediate feedback to anyone who falls for the scam. Repeat using different attack methods, emotional manipulation techniques and themes to make users more aware and more resilient to attacks.
As an organisation, introduce processes for users to follow if a malicious email subverts
controls. Forward the email to the person in the organisation best placed to determine its
authenticity and share the results with employees about the types of attacks that have been
received elsewhere in the organisation, so mistakes don’t spread.
The power to defeat a spear phishing attack is distributed throughout the workforce – but you need to tell them about it.
Scott Greaux is vice-president of product management and services at security awareness training firm PhishMe
This was first published in November 2012