[BreachExchange] Spear phishing: How it works and how to avoid it

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 5 20:31:02 EDT 2016


http://www.itproportal.com/2016/05/05/spear-phishing-how-it-works-and-how-to-avoid-it/


Unlike spam or phishing emails, which involve a broad and varied range of
targets, spear phishing is a highly-targeted email attack against a
specific group, organisation, or even person. The main aim of a spear
phishing attack is either to obtain unauthorised access to sensitive data,
whether this is intellectual property, financial data, trade or military
intelligence, or to get the recipient of the email to act on a command,
whether this is to transfer money or share confidential data.

What does a typical spear phishing email look like?

Spear phishing emails are extremely deceptive as they typically attempt to
represent an identity that is known and trusted, and look very similar to a
legitimate email someone would expect to receive during the course of a
work day. A common spear phishing example is when an email seemingly from a
CEO/CFO is sent to a member of senior staff asking for a specific sum of
money to be transferred into an unfamiliar account. Spear phishing emails
may contain a link, directing the victim to a malicious page, or an
attachment with embedded malware. However, a common and growing style of
spear phishing attack does not contain such a malicious ‘payload’, but
simply contains socially engineered content, either asking for an action to
be carried out, or asking for passwords, financial details, or other
protected information.

What precautions need to be taken to avoid being the victim of a spear
phishing attack?

Today’s businesses have to exercise a degree of caution by using tools to
alert organisations to suspicious emails, regularly training employees and
having robust processes in place. In addition, companies should leverage a
cybersecurity solution that enables them to detect spoofed emails before
the messages are delivered to employees. With the right approach,
enterprises can prevent their businesses from being victims of carefully
engineered and targeted attacks.

What social engineering tactics are cybercriminals deploying when
constructing phishing emails?

Spear phishers are much more sinister than spammers – for example, they
will likely know enough about a target to personalise the email greeting to
include a first name instead of a generic ‘Dear Sir’. Cybercriminals may
also know details such as where someone works, who their manager is, and –
if the target regularly posts work-related messages on social media – if
they’re off-site at a conference. By referencing these details in an email,
cybercriminals are able to create a message that seems legitimate, making
the victim more likely to respond with the requested information.

Spear phishing messages also claim to be sent from an identity – an
individual or a brand – that is known and trusted by the recipient. Spear
phishers use this identity in the ‘From’ header of the message, the content
of which is prominently displayed in most email applications. When
possible, criminals spoof the actual email address of the identity they are
trying to represent. Alternatively, they use a ‘lookalike’ email address,
attempting to trick the recipient into believing the message came from the
trusted individual.

What are cybercriminals doing in the lead up to a phishing scam and what do
they expect the outcome to be?

Sophisticated cybercriminals are increasingly investing time in getting to
know their victims – their names, email addresses, locations, and even the
business processes within their organisations. Spear phishers also research
the identity that they use for spoofing, often leveraging social media
feeds and public company information to understand their schedule, their
relationship to the victim, and sometimes even their writing style.

Cybercriminals are also using legitimate cloud services and public cloud
infrastructure to send out their attacks. With the ready availability of
such services and the low volume of messages required for such targeted
attacks, criminals are able to send spear phishing messages at a low cost.
By using servers or services that are often shared with real companies,
criminals are able to exploit the positive reputation of the cloud
providers.

With the type of personal information described above increasingly
available online, and the prevalence of inexpensive cloud
infrastructure, savvy cybercriminals are equipped with the resources to
create carefully engineered emails that evade existing security solutions
and successfully trick users into handing over confidential information or
making fraudulent payments.

Why does combating targeted email attacks, data breaches, and financial
loss need to be a 2016 priority for enterprises?

If a business wants to keep its name out of the next headline, it’s
imperative it addresses the primary vector criminals are using to attack:
email. Measures like training employees to detect bad emails and financial
controls to stop unauthorised wire transfers make good sense, but they
don’t address the root of the problem. The core issue is that businesses
need to put into place measures to ensure that only trusted emails enter
the mailbox of their employees, rather than expecting them to analyse the
trustworthiness of every email on their own.

How can we restore trust to the email ecosystem?

When it comes to protecting employees from spear phishing, a ‘one size fits
all’ approach to email security doesn’t work. Attacks are becoming more
frequent, more complex, and more intelligent. There is no single solution
available that can solve the breadth of this email security problem. What’s
needed is a mix of multiple controls – a cocktail of complementary
solutions that provides a multi-layered approach to cybersecurity where
prevention, early detection, attack containment, and recovery measures are
considered together. At the core of this should be a solution that focuses
on establishing the authenticity and trust of each message sent to your
employees.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160505/742162d5/attachment.html>
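The article makes two technical points without showing how a mail gateway would act on them: the attacker either spoofs the exact From address or uses a lookalike domain, and the fix is to assess the authenticity of each message before it reaches the mailbox. The following Python script is an added example (not from the article, the list, or any vendor) that triages a raw RFC 5322 message for exactly those indicators: a trusted display name paired with a foreign mailbox, a lookalike of the organisation's domain, a claimed internal domain whose DMARC result is not "pass" (the Authentication-Results header and DMARC check are standard gateway techniques the article does not name), a Reply-To that diverts replies elsewhere, and payload-less "act on this" wording in the body. `example.com`, the `KNOWN_SENDERS` directory and the three sample messages are constructed assumptions.

```python
"""Triage a raw RFC 5322 message for spear-phishing indicators.

Added example, not code from the article. Assumptions: the organisation
owns example.com, KNOWN_SENDERS is a constructed executive directory, and
the inbound gateway stamps Authentication-Results (RFC 8601) and strips
any pre-existing copies so the verdicts can be trusted.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}                       # assumption: our domain
KNOWN_SENDERS = {"jane doe": "jane.doe@example.com"}    # constructed directory
ACTION_WORDS = ("wire transfer", "urgent", "invoice", "password", "confidential")


def levenshtein(a, b):
    """Edit distance; 'examp1e.com' is one edit from 'example.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` imitates, or None.

    Exact matches are not lookalikes (they are handled by DMARC below).
    Two heuristics: small edit distance (typosquats, digit/letter swaps) and
    the trusted registered name embedded in another domain (example-corp.net).
    """
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if levenshtein(domain, t) <= max_distance or t.split(".")[0] in domain:
            return t
    return None


def domain_of(address):
    return address.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def triage(raw):
    """Return a list of human-readable findings; empty means no indicator fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. A known executive's display name on a different mailbox.
    known = KNOWN_SENDERS.get(name.strip().lower())
    if known and known != addr.lower():
        findings.append(f"display-name impersonation: '{name}' is {known}, message from {addr}")

    # 2. Lookalike of our own domain (authentication passes for the attacker's domain,
    #    so this check is needed even when SPF/DKIM/DMARC all say "pass").
    target = lookalike_domain(from_dom)
    if target:
        findings.append(f"lookalike domain: {from_dom} imitates {target}")

    # 3. Exact spoof of our domain: claims example.com but DMARC did not pass.
    auth = auth_results(msg)
    if from_dom in TRUSTED_DOMAINS and auth.get("dmarc") != "pass":
        findings.append(f"spoofed trusted domain: DMARC={auth.get('dmarc', 'missing')} for {from_dom}")

    # 4. Reply-To diverting the conversation to a mailbox the attacker controls.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"reply-to mismatch: replies go to {reply}")

    # 5. Payload-less social engineering: an action request in the body text.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [w for w in ACTION_WORDS if w in text]
    if hits:
        findings.append(f"action request in body: {', '.join(hits)}")
    return findings


# Constructed sample messages (not real traffic).
LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e.com>
To: cfo@example.com
Reply-To: Jane Doe <jane.doe@examp1e.com>
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dmarc=pass header.from=examp1e.com

I'm at the conference all day. Please process the wire transfer to the new vendor account today, it's urgent.
"""

SPOOF = """\
From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Reply-To: jane.doe.ceo@mail-example.net
Subject: Confidential
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Need the Q2 payroll file, keep this confidential.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Lunch
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Are you free at noon?
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", LOOKALIKE), ("spoof", SPOOF), ("legit", LEGIT)):
        print(label, triage(sample) or ["no indicators"])
```

The lookalike case is the one to note: every authentication check passes, because the attacker legitimately owns `examp1e.com`, so a gateway that trusts DMARC alone would deliver it; the display-name and domain-similarity checks are what catch it. The exact-domain spoof fails DMARC and is caught before the content is even read.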