What You Should Know About Spear Phishing Attacks

June 7, 2016 | Views: 2815

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

In the past few months, we’ve heard about a range of business email compromises. Spear phishing, the method used in these attacks, represents consistent threats that have companies on high alert.

These attacks are growing in number and are getting more sophisticated in nature – targeting individuals and employees in various organizations to gain entry into a corporate network. Traditional solutions can’t prevent such attacks all the time and the question is no longer if you’ll be breached, but when.

When we talk about business email compromises, we’re referring to a type of spear phishing attack that scams the victims to wire funds. The typical pretext is built around secret or urgent business matter. There are several other variations, but generally that’s the main focus. Sadly enough, it works. The bad guys are typically targeting Chief Financial Officers (CFOs) or any other individuals in the organization that posses the ability to process wire transfer requests.

This type of attack is performed by sending an email that impersonates someone in the organization with high authority – typically the Chief Executive Officer (CEO). The message asks the unsuspecting recipient to send funds quickly to a bank account that’s actually owned by the attacker.

Some other variations of business email compromise include:

  • invoices from suppliers (also known as Supplying Impersonation)
  • payment requests by executives (CEO Fraud)
  • masquerading

 

Despite the publicity about spear phishing in the past few years, these campaigns continue to be extremely successful and profitable for the bad guys. The main reason is because they exploit people and not technology. Employee endpoints have become the path of least resistance into an enterprise network. In the past, it was believed that proper education would prevent phishing attacks. Even with significant time and resources invested in education programs, these attacks continue to work.

The threat actors are often able to identify key details of how the business works, what suppliers they use, how their invoices look, who their corporate attorneys are and who reports to whom. They use all this information to create a very convincing pretext that has a very good chance of making it through the human firewall.

Even though most organizations have email security and spam filtering tools, attackers have gotten good at slipping their emails past these technologies. Once it reaches the victim’s inbox, it’s up to the user to recognize it as a scam and report it to the right people. Security awareness helps a lot, which means training the users and testing them, so they’ll know what to look for and how to spot a scam. However, even the best training does not eliminate risk – especially against the more convincing scams.

If the victim falls for the pretext, effective or ineffective policies and appropriate procedures (to authorize wire transfers, for example) come into play. Attackers typically try to bypass these controls by building enough urgency to make victims act outside proper procedures or by requesting a routine change that doesn’t need further approval.

Spear phishing attacks are very difficult to halt with security tools. Fundamentally, they succeed through social engineering and not technical exploitation. Organizations muse reduce their exposure through rigorous security awareness training that includes phishing simulations tests.

Yet, it doesn’t matter how much awareness training you do, 100% of your users are not going to do the right thing 100% of the time. The most important thing is to plan out on how to respond to the attacks that make it through. The organizations security team need to act as quickly as possible and mitigate them before the damage is done. They’ll use their expertise and resources to analyze and respond to these attacks effectively.

 

Fighting against the advance of spear phishing is not only about buying a new security tool, but also looking at the processes of how to stop spear phishing attacks.

Phase 1 – Prevention: This is about limiting the ability of an attacker to land a spear phishing email in the user’s inbox. A good starting point is to make sure that your filters are properly configured. For example, ensure your email anti-spoofing is correctly configured. This will help to prevent attackers from pretending to be someone inside the company with a valid email address.

Phase 2 – Detection: Inevitably, some percentage of phishing emails will look very similar to legitimate communications. Yes, the spear phishing emails need to be automatically blocked or quarantined prior to reaching the user’s inbox. This phase is all about “listening” for these attacks and recognizing them as potential threats.

Phase 3 – Analysis: Once you’ve detected an attack, it’s important to know what to do. But, you may not know anything about the attack itself, other than it’s probably malicious.It’s important to understand if it’s just spam that made through your filters, ransomware that you need to clean up, or even possibly a Remote Access Trojan (RAT) leveraged by organized cyber crime groups, whose objectives are to hijack email account from business executives. The main objective of the analysis phase is to establish threat context, extract Indicators of Compromise (IOCs) and from there, determine the best mitigation strategy.

Phase 4 – Mitigation: From the moment you’re able to understand the threat, and the best way to stop it, it’s time to act to eradicate the threat. You should follow your incident response plan. If the previous phases worked well, you should be able to respond to incidents with minimum business impact.

 

Summary

It’s impossible to prevent enterprise users from opening email attachments or links, since it’s a routine part of their everyday activity. As long as we depend on online information, spear phishing will remain a threat.

In order to stop spear phishing attacks effectively, organizations must prevent drive-by downloads and protect enterprise credentials with two-factor authentication for email, where available. It’s also advisable that companies avoid publishing information about their employee’s activities on their web sites or through social media. Attackers using these schemes often try to uncover information about when and where a targeted organization’s executives will be traveling or are out of office.

 

Thanks for reading and stay safe out there.

Share with Friends
FacebookTwitterLinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterLinkedInEmail
Ready to share your knowledge and expertise?
1 Comment
  1. Excellent article

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

 

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel