Everyone has heard of the Nigerian King Scam and it is often used as an example when describing what exactly phishing is. The problem with using it as an example is that it makes phishing seem like a minor threat, something only an idiot would fall for.
This is in stark contrast to reality, where phishing has evolved to become a major threat to organizations and a large source of income for scammers. While modern spam filters have done wonders to combat mass, undirected phishing scams, they do little to combat a more serious and directed threat, Spear Phishing. Find out what it is and how to combat it in this blog post.
Spear Phishing is essentially a targeted phishing campaign against a specific group or person. In stark contrast to regular phishing, which generally consists of sending millions of emails to random email addresses, a Spear Phishing attack might consist of only a couple of emails that are specifically tailored to the attacker’s target.
Attackers tailor these emails by first gathering information on their target, usually through social media websites, and then developing the attack based on what they discover. For example, an attacker might see that their target has a user account on a photo hosting website containing pictures of his large collection of antique fly-fishing rods and is also very active on a fly-fishing message board. With this information the attacker can create a tailored email that takes advantage of the target’s interest.
In this scenario the attacker spoofs the email address of a popular fly-fishing magazine and uses it to pose as a writer for that magazine looking to set up interviews with antique fly-rod collectors for an article. The email mentions that the “writer” noticed the target seemed very knowledgeable on the forum discovered earlier and would make a great interview subject. The attacker then attaches an infected PDF, explaining that before the interview can be set up the target must first fill out the attached PDF to give consent. To bait the hook, the “writer” might even offer a related reward for agreeing to be interviewed. When the target opens the infected PDF a backdoor is created and the attacker now has access to the target’s network, bypassing any exterior network defenses completely.
Why the Attacks are so Harmful
The reason these attacks are so insidious is that they are perpetrated by a more advanced attacker than the usual spammers one associates with phishing. These attackers often pair Spear Phishing with other advanced techniques, such as custom payloads encoded specifically to evade the virus definitions that modern anti-virus products use to detect malicious code, or even 0-day exploits.
Since these attacks are the work of knowledgeable hackers, they also do much more damage once a network is compromised. A paper by FireEye reported that the damage done by Spear Phishing was 20 times more expensive per individual than that of normal phishing.
Defenses Against Spear Phishing
While the threat might seem difficult to combat, there are effective defenses against Spear Phishing. The most vital of these is security awareness. Phishers have always relied on security-unaware employees downloading infected files or following malicious links for their attacks to succeed. Removing this variable through proper security awareness training is the best bet against phishing, bar none.
Employees should regularly be made aware of common phishing techniques through the use of an effective phishing assessment program. If a company doesn’t already have one, using the documentation provided by SANS makes it easier to establish a regular phishing assessment program. Doing so offers two major benefits:
- Known Risk: Knowing how likely your employees are to fall for a phishing attempt allows a business to quantify the risk they face from security-unaware employees.
- Risk Reduction: Alerting an employee when they fall for a test phishing email, and explaining how they could have detected that it was malicious, reinforces a good security mentality and reduces their likelihood of falling for another phishing attempt, whether it’s a test or not.
As always, awareness is key when confronting security concerns, especially Spear Phishing. Here are a few pertinent articles and papers on the Spear Phishing threat.
- A real world example of a Spear Phishing attempt (https://zvelo.com/blog/entry/spear-phishing-attacks-a-real-example)
- A paper by The Centre For The Protection of National Infrastructure on the Spear Phishing threat (http://www.cpni.gov.uk/documents/publications/2013/2013053-spear-phishing-understanding-the-threat.pdf?epslanguage=en-gb)
- A survey of IT Security personnel on the topic of Spear Phishing done by Microsoft (http://www.proofpoint.com/downloads/Proofpoint-Spear-Phishing-and-Info-Security-Survey-Findings-July-2012.pdf)
Director’s Comment: We are seeing more of these attacks in healthcare as IT departments harden the perimeter. Attacks on healthcare organizations are on the rise because of the wealth of information available. These targeted attacks are so dangerous because most healthcare organizations assume the perimeter defenses will protect them and internal networks are typically built for access, not for protection.
Find out how a hacker can get into your secure health IT infrastructure in our FREE ‘Tales from an Ethical Hacker’ webinar.