[BreachExchange] Who gets spear phished, and why?

Destry Winant destry at riskbasedsecurity.com
Mon Oct 22 23:53:52 EDT 2018


The story of nearly every notable data breach in recent memory begins
in pretty much the same way: Once upon a time, someone got spear
phished… Whether it’s a government agency or a Fortune 500 company,
spear phishing is a serious threat, with losses topping $675 million
in 2017 in the US alone.

The phishing attacks that set data breaches in motion take diverse
forms. Sometimes the root of a breach is a malicious link or
attachment in an email from an attacker. On other occasions, a victim
makes a wire transfer or divulges confidential information to the
attacker, believing he or she is dealing with a colleague or business
partner.

Spear phishing is one of the most successful methods of cyberattack.
It is a reliable way for malicious actors to access protected digital
assets. One countermeasure involves increasing employee awareness
about spear phishing through training. This is a good idea, but often
these programs focus only on senior executives. In reality, there are
other common spear phishing targets within the organization. To make
anti-spear phishing as effective as possible, it’s worth exploring who
the preferred targets tend to be and adapting security controls to
meet the level of risk.

Spear phishing: A brief recap

Spear phishing is a highly targeted, personalized form of phishing.
Whereas a phishing email attack is broad in scope and largely
undifferentiated (e.g. “I am a Prince with a frozen bank account…”),
spear phishing emails are written by attackers who know the
target—their name, where they work, what they do, their interests and
hobbies, etc.—so that they can be believable in impersonating a
colleague or business acquaintance.

For example, a spear phisher might research the target's social media
accounts and other online sources of information, including data
exposed in earlier breaches, to determine his or her role in the
target organization along with his or her working relationships
within the company. The attacker can then learn the responsibilities
of those co-workers. Armed with this information, the spear phisher
can send the target an email, apparently from one of those
co-workers, requesting a fraudulent wire transfer or asking the
target to disclose confidential information.

Normally, sensible people wouldn't follow through on these requests,
but the attackers typically contrive some sort of plausible emergency
to get past the recipient's defenses. They might send a message on a
weekend, pretending to be away from a work PC and unable to follow
the usual process. They might impersonate a senior executive, using
the organization's command structure to pressure the recipient into
disclosing information he or she was told not to share.

The spear phishing attacker may also engage in spoofing, tricking the
email recipient into thinking the message originated from inside the
organization. In some cases, the attacker registers a lookalike
domain that substitutes visually similar characters so that a message
appears to come from one company but actually comes from another,
e.g. spelling apple.com with a capital I (as in Irving) instead of a
lowercase l (as in loom). In many fonts the two characters are
indistinguishable, so the recipient cannot be expected to notice.
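The substitution trick above is mechanically detectable at the mail
gateway, which is where it should be caught rather than by the
recipient's eyes. The following is an added example (not code from the
original article or its author) that parses the From and Reply-To
headers of a raw message and flags three sender-level indicators: a
lookalike of a trusted domain (character substitution such as I for l,
and Punycode-encoded homographs such as a Cyrillic a), an executive's
display name attached to an address that is not that executive's, and
a Reply-To domain that differs from the From domain. The trusted
domain, the executive list and all sample messages are constructed
for the example; the confusable-character table is a small illustrative
subset, not a complete one.

```python
"""Flag sender-impersonation indicators in a raw RFC 5322 message."""
import email
import email.utils
import unicodedata

# Constructed allowlist for this example (assumed values): the organization's
# real mail domain and the executives whose names an attacker would borrow.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVES = {"alice liddell": "alice.liddell@example.com"}

# Characters commonly substituted for the letter they resemble. Applied before
# lower-casing, so a capital I (which would otherwise fold to i) maps to l.
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "|": "l",
    "0": "o",
    "5": "s",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0443": "y",  # Cyrillic u
})


def skeleton(domain: str) -> str:
    """Collapse a domain onto the ASCII name it imitates."""
    out = []
    for label in domain.strip().split("."):
        if label.lower().startswith("xn--"):
            try:  # Punycode label: recover the Unicode characters behind it
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label stays as-is and will not match anything
        label = unicodedata.normalize("NFKC", label)
        label = label.translate(CONFUSABLES).lower()
        label = label.replace("rn", "m").replace("vv", "w")
        out.append(label)
    return ".".join(out)


def _norm_name(name: str) -> str:
    return " ".join(name.casefold().split())


def sender_flags(raw_message: str) -> list:
    """Return the list of sender-impersonation indicators found in a raw message."""
    msg = email.message_from_string(raw_message)
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    addr = addr.strip()
    domain = addr.rpartition("@")[2]
    flags = []

    # Lookalike domain: not one of ours, but reduces to the same skeleton as one.
    trusted_skeletons = {skeleton(d) for d in TRUSTED_DOMAINS}
    if domain.lower() not in TRUSTED_DOMAINS and skeleton(domain) in trusted_skeletons:
        flags.append("lookalike-domain")

    # Display-name impersonation: an executive's name on someone else's address.
    expected = EXECUTIVES.get(_norm_name(name))
    if expected and addr.lower() != expected:
        flags.append("display-name-impersonation")

    # Reply-To pointing outside the From domain diverts the conversation.
    _, reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain.lower():
        flags.append("reply-to-mismatch")
    return flags


# Constructed sample messages for the example (not real mail).
PUNYCODE_DOMAIN = "ex\u0430mple.com".encode("idna").decode("ascii")  # Cyrillic a, Punycode form
SAMPLES = {
    "legitimate": "From: Alice Liddell <alice.liddell@example.com>\nSubject: Q3 numbers\n\nSee attached.\n",
    "capital_i": "From: IT Helpdesk <helpdesk@exampIe.com>\nSubject: Password reset\n\nLog in here.\n",
    "punycode": f"From: Accounts Payable <ap@{PUNYCODE_DOMAIN}>\nSubject: Urgent wire\n\nPlease pay today.\n",
    "free_webmail": "From: Alice Liddell <alice.liddell.ceo@webmail.example>\nSubject: Quick favour\n\nAre you at your desk?\n",
    "reply_to": "From: Alice Liddell <alice.liddell@example.com>\nReply-To: Alice Liddell <a.liddell@webmail.example>\nSubject: Invoice\n\nSend the wire details back to me.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13s} {sender_flags(raw)}")
```

The skeleton comparison is deliberately one-directional: a domain that
is exactly on the allowlist is never flagged, so internal mail is not
quarantined by its own rule. In production the confusable table should
come from the Unicode confusables data rather than a hand-picked
subset, and the display-name rule should be restricted to messages
arriving from outside the organization to keep false positives down.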

Target group: People with access to valuable data

People with access privileges to valuable data are naturally among the
most desirable targets for spear phishing attacks. This group includes
senior executives, of course, but also their staff members and
assistants; the latter manage the executives’ email and calendar, and
therefore are just as valuable as a target.

It's worth noting that spear phishers often chain their attacks. For
example, they'll pretend to be the CEO and tell her assistant, "Remind
me of my email login? I always forget..." Then, they'll pretend to be
the assistant and trick the CEO into sharing confidential information
about her travel plans. Then, knowing she is travelling, they'll
impersonate an IT staff member and call the CEO to obtain her highly
privileged network login credentials.

Finance and legal staffers are also valuable spear phishing targets.
Some spear phishing attackers are looking for trade secrets or
confidential information about future merger and acquisition (M&A)
deals. With the latter, they can engage in insider trading. They might
be interested in stealing product designs or strategic plans and
selling them to hostile nation states.

Impersonating financial and legal executives offers an effective way
to trick employees into sending money into fake overseas corporate
accounts. For instance, if the attacker knows that a particular deal
is being negotiated by the legal department, he or she can impersonate
the CEO and request a confidential wire transfer to “complete the
deal.” The recipient would probably assume the request was legitimate.
How else would anyone know about a hush-hush M&A deal?

Target group: High-risk behavior or non-functional attributes

Sometimes, it’s non-executive employees who are most at risk for spear
phishing. A person lacking in tech savvy or someone unfamiliar with
cybersecurity policy is a great candidate for email-based trickery.
How does the attacker know who these people are? One way is to mine
information stolen in earlier data breaches – such as the recent
Facebook and Google+ breaches – and use that to identify targets or
impersonate their coworkers. Alternatively, the attacker can scour
social media and find employees who are careless or naïve enough to
publicly post information about their work that can help the phisher
spoof their identities.

Bring Your Own Device (BYOD) policies create opportunities for spear
phishing attackers as well. If the phisher knows an organization has a
BYOD policy, he or she can use the "I'm on my personal phone and can't
log in" excuse to get another employee to share login credentials. A
lack of clear policies further helps the attacker. An organization
with loose controls over wire transfers, for example, one that does
not require out-of-band confirmation of a payment request, is exposed
to fraud from spear phishers who impersonate senior executives and
request money wires.

Target group: External people and entities

Non-employees are also susceptible to spear phishing attacks. In fact,
employees of contractors and other external entities are even more
vulnerable to being tricked into sharing information about another
company. An IT outsourcing vendor, for example, could provide a spear
phisher with a potent set of targets for attacks that yield network
login credentials, e.g. the target might not be able to verify the
identity of a person requesting network access.

Spear phishing is a serious cyber security threat. As so many
devastating incidents have shown in the recent past, it's one of the
most effective means of penetrating a target organization. Policies
and anti-phishing tools need to be well-tuned to the nuances of this
insidious form of attack. Not all employees have the same level of
vulnerability, however. It is a good practice to assess spear phishing
susceptibility by employee role and adjust countermeasures.

Moreover, in addition to user training, organizations must broaden
their email filtering capabilities to encompass internal email
scanning. The reason is that attackers are increasingly harvesting
Office 365 credentials (through standard phishing attacks or by
purchasing them on the dark web) in order to send targeted spear
phishing emails from perfectly legitimate accounts. Sender
authentication checks such as SPF, DKIM and DMARC pass in this case,
because the mail genuinely originates from the organization's own
tenant, so the fraud is very hard for the recipient to detect, no
matter how well trained or vigilant they are.

More information about the BreachExchange mailing list