momius - stock.adobe.com
Brand impersonation is being used in 83% of spear phishing attacks, making it the most popular form of this type of targeted attack, research shows.
These attacks are designed to impersonate well-known companies and commonly-used business applications and are well designed as an entry point to harvest credentials, carry out account takeovers and steal personally-identifiable information (PII), according to a report by security researchers at Barracuda Networks.
Using carefully-designed templates that impersonate top brands, scammers send an email claiming that the targeted individual’s account has been frozen and providing a link to reset the account password. The link typically takes victims to a legitimate-looking phishing website designed to harvest login credentials.
Microsoft and Apple are the most-impersonated brands in spear phishing attacks, the researchers said, based on an analysis of 360,000 spear phishing emails in a three-month period.
Spear phishing attacks are designed to evade traditional email security, including gateways and spam filters. They are typically sent from high-reputation domains or already-compromised email accounts and do not usually include malicious links or attachments, enabling them to bypass most traditional email-security techniques rely on blacklists and reputation analysis, the report said.
The attacks also typically use spoofing techniques and include zero-day links hosted on domains that have not been used in previous attacks or that have been inserted into hijacked legitimate websites. As a result, they are unlikely to be blocked by link-protection technologies.
The attackers also take advantage of social engineering tactics in their attacks, including urgency, brevity and pressure, to increase the likelihood of success, the report said.
Read more about spear phishing
- In November 2018, dozens of US Democratic National Committee (DNC) email addresses were targeted in a spear phishing campaign.
- A cyber espionage group dubbed Whitefly has been identified as the perpetrators behind Singapore’s largest data breach to date that used malware distributed through spear phishing emails.
- Email is the number one entry point for data breaches, which includes targeted email attacks such as business email compromise and spear phishing.
The second most popular form of spear phishing attacks, accounting for 11% of attacks monitored, are blackmail scams, which include sextortion attacks.
In these attacks, scammers typically claim to have a compromising video, images or other content allegedly recorded on the victim’s computer. They threaten to share this content with the targeted individual’s email contacts, unless they pay up.
With about 1 in 10 emails being a sextortion attack, employees are twice as likely to be the target of blackmail than business email compromise (BEC), which accounted for just 6% of attacks monitored.
Although BEC attacks – also known as CEO fraud, whaling and wire-transfer fraud – make up only a small proportion of spear phishing attacks, they have resulted in more than $12.5bn in losses since 2013, according to the FBI.
In BEC attacks, scammers usually impersonate an executive, partner or another trusted person in an email by compromising their email account, requesting a wire transfer or personally-identifiable information from finance department employees or others with access to sensitive information.
Business email compromise attacks
According to the Barracuda research, Gmail accounts are used to launch 30% of business email compromise attacks.
The study shows that spear phishing attacks are timed to exploit security weaknesses and other potential vulnerabilities around holidays and other events, such as tax season. The week before Christmas, the number of spear phishing attacks spiked to more than 150% above average, the study shows.
“Hackers know the end of the year is a flooded with a lot of activity, including email communications, and try to take advantage by launching attacks at distracted and busy employees. IT and security staff resources are typically stretched at the holidays, as many people take vacation time, and they may not be as vigilant or have as much time to monitor potential phishing attacks,” the report said.
Preventing spear phishing attacks, the report said, requires the right combination of technology and user security training.
In the light of the fact that scammers are adapting email tactics to bypass gateways and spam filters, the report recommends that organisations consider purpose-built technology that does not rely on looking for malicious links or attachments, but uses machine learning to analyse normal communication patterns and spot anomalies.
The report also recommends deploying technology that uses artificial intelligence to recognise when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.
In light of the fact that domain spoofing is one of the most common techniques used in impersonation attacks, the report recommends using the Domain-based Message Authentication, Reporting and Conformance (Dmarc) email authentication and reporting protocol. Dmarc authentication and enforcement can help stop domain spoofing and brand hijacking, while Dmarc reporting and analysis helps organisations accurately set enforcement, the report said.
Other recommendations include using:
- Multifactor authentication (MFA) to provide an additional layer of security.
- Training to help employees recognise and report attacks.
- Regular proactive searches to detect emails with content known to be popular with hackers.
- The right combination of technologies and business policies to ensure emails with confidential, personally-identifiable and other sensitive information are blocked and never leave the company.