Sunday, March 29, 2015

Beware "Spear-Phishing" attacks!


I just ran across an interesting TechCrunch article on spear-phishing, by Tom Chapman, a former Navy intelligence officer who now serves as director of cyber operations at cybersecurity firm Edgewave. In the article, he explains the threat and some countermeasures, with just the right amount of detail.

If the definition of spear-phishing, or the immediate danger of it, isn't obvious to you, I strongly recommend that you take a few minutes to learn something about this important subject.

Click here to read the complete article.

In case you're the kind of person who is hesitant to follow miscellaneous links on web pages, here are some excerpts from the article that the link references.

If terrorists ever orchestrate a cyber attack against the U.S., the odds are 9 in 10 that spear-phishing will be the first step of their assault. The same technique that has breached Sony, Anthem, Target, the Pentagon and thousands of organizations every year, spear-phishing is used in some 91 percent of cyber attacks, according to the security firm Micro Trend. We can either spread awareness of spear-phishing now or suffer the consequences later.

Spear-phishing, like phishing, involves emailing a malicious link or file. Whereas phishers send mass emails in hopes of stealing credit card information, Social Security numbers and login credentials from as many people as possible, spear-phishers are more precise. They usually target one or few individuals at an organization, and they conduct extensive research in order to craft a very personal and convincing email. The spear-phisher has a very specific and often more sinister objective than the phisher.

To prevent spear-phishing attacks against our government, companies, friends and family, we all need to understand the mechanics behind these assaults. With this shared knowledge, we can then take collective measures to reduce the likelihood and consequences of spear-phishing.

The spear-phisher’s playbook

Spear-phishing is based on the premise that slipping through a side entrance is easier than breaking down the front door. When you picture spear-phishing, Swordfish or other hacker movies are the wrong image – we’re not dealing with cyber geniuses who bang away on the keyboard until they control the entire network. Effective spear-phishers are really social engineers. They are experts at appearing to be someone you know and trust.

Let’s say I want to attack good old Acme Corporation. First, I would look up everything I could find out about Acme – who works there, what they do, the latest news, etc. I examine its website, public records, social media, news articles and whatever else I can find. My target is probably someone with administrator access to the company network – generally, someone in IT.

IT people are easy to identify. Even if I couldn’t find them on LinkedIn or Acme’s website, I could pretend to be a customer with an issue, send an email to tech support and ask for an IT admin to call me.

Once I have my target(s) – let’s say it’s Jane Smith in IT – I dissect her network. What LinkedIn groups is she part of? Who does Jane communicate with most often on Facebook? What do public records turn up? What are her hobbies and interests? Based on this exhaustive research, I craft an email Jane is likely to open and click.

If, for example, she’s active in a LinkedIn group about cybersecurity, I’d join that group, copy their exact branding and perhaps send an email that invites Jane to discuss spear-phishing (oh the irony…). Of course, the “LinkedIn” link will either direct her to a malware site or download an embedded, executable file onto her computer. This malware allows me to steal her Acme network credentials.

Fighting back against spear-phishers

Spear-phishing can affect an entire organization – or country – by targeting just a few individuals. To prevent spear-phishing, everyone in an organization has to share the responsibilities of defense. Effective spear-phishing defense has three components:

Email filtering with a human touch

The first line of defense against spear-phishing is a good spam filter. Essentially, filters analyze and score emails based on the server, the sender’s reputation, spelling and other criteria. However, most filters are black and white – if the score is above X points, it goes through. If it’s below X, spam folder.

Top filters are only 99 percent accurate, which sounds reassuring until you consider that the business world sends and receives 108.7 billion emails per day, according to The Radicati Group, a technology research firm. In other words, over 1 billion business emails per day will be misidentified. Of course, spear-phishers understand how filters work and attempt to trick them.

This is why I recommend using a filter that acknowledges a gray zone around X and uses real human beings to evaluate these ambiguous cases. Human beings can make observations and catch red flags that machines currently can’t.

Organization-wide training

Spear-phishing is preventable if employees know how to identify and avoid it. Teach people to be skeptical of all emails. More specifically, train people to:

Avoid clicking email links. If your LinkedIn group sends an email about a new discussion topic, don’t click. Go to your URL bar and manually visit LinkedIn if you wish to contribute.

Hold their mouse over hyperlinks to see where they actually direct. A foreign country code, like .ru or .cn, should tip you off that something’s fishy.

Never, ever email passwords or banking information, no matter how safe it looks.

Immediately contact IT if they open or click something suspicious. Depending on the case, changing the username and password is sufficient. Other times, IT must delete the account.
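The filtering section above describes a scored filter with a gray zone that goes to a human reviewer, and the training list describes the checks a person makes by hand (hover over the link to see where it really goes, distrust unfamiliar country codes, never hand over passwords). The Python below, an added example that is not code from the article or from Edgewave, puts both ideas into one small triage routine: each red flag subtracts points, a score above the accept threshold goes to the inbox, below the reject threshold goes to spam, and the band in between is queued for a human. The thresholds, point values, known-good domains and the three sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Score bands (constructed for this example). At or above ACCEPT -> inbox,
# below REJECT -> spam folder, anything between -> the gray zone a person reviews.
ACCEPT_THRESHOLD = 70
REJECT_THRESHOLD = 40

# Assumptions for the example: domains this organisation treats as known-good,
# and the country-code TLDs the article singles out as a tip-off.
KNOWN_GOOD_DOMAINS = {"acme.example", "linkedin.com"}
SUSPICIOUS_CCTLDS = {"ru", "cn"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".vbs")
CREDENTIAL_WORDS = re.compile(r"\b(password|bank account|routing number)\b", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: what the reader sees vs. where it goes."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (no public-suffix list; fine for the example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


@dataclass
class Verdict:
    score: int
    flags: list
    route: str  # "inbox", "human_review" or "spam"


def score_email(sender_domain, html_body, attachments=()):
    """Start from a clean score, subtract points per red flag, then route."""
    score, flags = 100, []
    parser = _LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if host.rsplit(".", 1)[-1] in SUSPICIOUS_CCTLDS:
            flags.append(f"link to suspicious ccTLD host {host}")
            score -= 30
        # The "hover over the link" check: the visible text names one domain
        # while the href points somewhere else.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            flags.append(f"text shows {shown.group(1)} but href goes to {host}")
            score -= 35
        link_domain = registrable_domain(host)
        if link_domain != sender_domain and link_domain not in KNOWN_GOOD_DOMAINS:
            flags.append(f"link domain {link_domain} unrelated to sender")
            score -= 15
    for name in attachments:
        if name.lower().endswith(EXECUTABLE_SUFFIXES):
            flags.append(f"executable attachment {name}")
            score -= 40
    if CREDENTIAL_WORDS.search(html_body):
        flags.append("asks for credentials or banking details")
        score -= 25
    if score >= ACCEPT_THRESHOLD:
        route = "inbox"
    elif score < REJECT_THRESHOLD:
        route = "spam"
    else:
        route = "human_review"
    return Verdict(score, flags, route)


# Constructed sample messages (not real mail); the spear-phish spoofs its From: domain.
SAMPLES = {
    "legit": dict(
        sender_domain="acme.example",
        html_body='<p>New policy posted: <a href="https://intranet.acme.example/policy">'
                  'intranet.acme.example</a></p>',
    ),
    "spearphish": dict(
        sender_domain="linkedin.com",
        html_body='<p>Jane, join our group discussion: <a href='
                  '"http://linkedin.com.discussion-invite.ru/join">'
                  'https://www.linkedin.com/groups/cybersecurity</a></p>',
        attachments=["agenda.pdf.exe"],
    ),
    "ambiguous": dict(
        sender_domain="partner.example",
        html_body='<p>Please confirm your password, then '
                  '<a href="https://files.partner-share.example/review">Open the document</a></p>',
    ),
}


def triage_samples():
    """Map each sample to the route the filter chooses."""
    return {name: score_email(**msg).route for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        v = score_email(**msg)
        print(f"{name:10s} score={v.score:4d} route={v.route:12s} flags={v.flags}")
```

The "ambiguous" message is the interesting one: a single unfamiliar link plus a request for a password is not enough to reject it outright, so it lands in the gray zone rather than being forced into a yes/no decision, which is exactly the point the article makes about adding a human to the loop. In a real deployment the point values would come from measured false-positive rates, and the domain comparison would use a public-suffix list instead of the two-label shortcut.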

24/7 network monitoring

Last year, the Sony hackers were able to steal hundreds of terabytes of data; that should have never happened. If IT personnel were monitoring the network, this activity would have been impossible to miss.

IT must monitor data logs for anomalies 24/7. If 10 GB of data are flowing to China at 2 a.m., that’s suspicious. Someone needs to follow up. Also, IT should monitor outbound traffic flow. If the company is sending out an unusually high volume of emails, that could be a red flag, too.
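The two anomalies the paragraph names, a large off-hours transfer to a foreign country and an unusual burst of outbound mail, are simple to express as rules over flow records. The Python below is an added example, not code from the article or from Edgewave: it parses constructed flow-log lines, sums outbound bytes per source, destination country and hour, and counts outbound SMTP connections per source and hour against that source's own median. The log format, the `dst_cc` country tag (assumed to be supplied by the flow exporter), the thresholds and the sample records are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Detection parameters (assumptions for this example; tune per environment).
HOME_COUNTRY = "US"
LARGE_TRANSFER_BYTES = 5 * 1024 ** 3   # 5 GiB per source/country/hour
OFF_HOURS = range(0, 7)                 # 00:00-06:59
SMTP_SPIKE_FACTOR = 5                   # times the source's median hourly count
SMTP_SPIKE_MINIMUM = 20                 # ignore tiny absolute counts

# Assumed record layout, one flow per line.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dst_cc=(?P<cc>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_flows(lines):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        flows.append({"hour": ts.strftime("%Y-%m-%dT%H"), "hour_of_day": ts.hour,
                      "src": m["src"], "dst": m["dst"], "cc": m["cc"],
                      "dport": int(m["dport"]), "bytes": int(m["bytes"])})
    return flows


def detect_bulk_exfil(flows):
    """Large off-hours outbound volume from one host to a foreign country."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["cc"], f["hour"], f["hour_of_day"])] += f["bytes"]
    alerts = []
    for (src, cc, hour, hod), total in sorted(totals.items()):
        if cc != HOME_COUNTRY and hod in OFF_HOURS and total >= LARGE_TRANSFER_BYTES:
            alerts.append(f"{src} sent {total / 1024 ** 3:.1f} GiB to {cc} during hour {hour}")
    return alerts


def detect_smtp_spike(flows):
    """Outbound mail connections far above the source's own hourly baseline."""
    per_src_hour = Counter((f["src"], f["hour"]) for f in flows if f["dport"] == 25)
    hours_by_src = defaultdict(dict)
    for (src, hour), n in per_src_hour.items():
        hours_by_src[src][hour] = n
    alerts = []
    for src, hours in hours_by_src.items():
        for hour, n in sorted(hours.items()):
            others = [v for h, v in hours.items() if h != hour]
            baseline = median(others) if others else 0
            if n >= SMTP_SPIKE_MINIMUM and n > SMTP_SPIKE_FACTOR * max(baseline, 1):
                alerts.append(f"{src} opened {n} SMTP connections in hour {hour} "
                              f"(baseline {baseline:g})")
    return alerts


def build_sample_log():
    """Constructed flow records, not real telemetry."""
    lines = [
        "2015-03-28T09:12:01Z src=10.1.4.22 dst=198.51.100.7 dst_cc=US dport=443 bytes_out=2048000",
        # 10 GiB to CN at 2 a.m., split over two flows: the article's example.
        "2015-03-28T02:14:07Z src=10.1.4.22 dst=203.0.113.45 dst_cc=CN dport=443 bytes_out=6442450944",
        "2015-03-28T02:31:50Z src=10.1.4.22 dst=203.0.113.45 dst_cc=CN dport=443 bytes_out=4294967296",
        # Small off-hours foreign flow: below the volume threshold, not flagged.
        "2015-03-28T03:02:11Z src=10.1.7.9 dst=192.0.2.10 dst_cc=CN dport=443 bytes_out=512000",
        # Large foreign flow in business hours: this rule deliberately leaves it alone.
        "2015-03-28T15:20:00Z src=10.1.4.22 dst=203.0.113.45 dst_cc=CN dport=443 bytes_out=6442450944",
    ]
    # 10.1.9.3 normally opens two SMTP connections an hour, then 60 in hour 14.
    for hour in range(9, 14):
        for i in range(2):
            lines.append(f"2015-03-28T{hour:02d}:{i * 20:02d}:00Z src=10.1.9.3 "
                         f"dst=198.51.100.{i + 1} dst_cc=US dport=25 bytes_out=4096")
    for i in range(60):
        lines.append(f"2015-03-28T14:{i:02d}:00Z src=10.1.9.3 "
                     f"dst=198.51.100.{i % 50 + 1} dst_cc=US dport=25 bytes_out=4096")
    return lines


def run_monitor(lines):
    flows = parse_flows(lines)
    return {"bulk": detect_bulk_exfil(flows), "smtp": detect_smtp_spike(flows)}


if __name__ == "__main__":
    for rule, alerts in run_monitor(build_sample_log()).items():
        for a in alerts:
            print(f"[{rule}] {a}")
```

The fifth sample record shows the limit of a time-of-day rule: the same 6 GiB transfer during business hours produces nothing here, so a volume-only rule with a higher threshold, or a per-host baseline like the SMTP one, is needed alongside it. The SMTP rule compares each hour against the median of the host's other hours, so a host that legitimately sends a lot of mail all day is not flagged simply for being busy.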

Don’t let IT fall into the trap of believing that expensive software will make the organization safe. With spear-phishing, cybersecurity solutions are just like security cameras – they can record the real-time events, but they won’t prevent robbers from walking out with all your data. Human beings have to take action.

1 comment:

  1. Anonymous, 7:08 PM

    Hi Sumner:

    Looked and read your referenced article. Wow!

    Gene.
