Learn About This Dangerous Type of Phishing and How to Prevent It
A survey of managed service providers and in-house IT professionals conducted by our cyber security partner KnowBe4 revealed that phishing/spear phishing is the number three cyber threat that “keeps them up at night.” Other studies show that spear phishing stands to be one of the fastest-growing types of cyber-attack in 2019.
Spear phishing is a hacking method that targets a specific organization and its users via emails that appear to come from trusted sources, in an effort to convince them to click on a link or download a file that would compromise network security and, ultimately, business security. It is a type of attack often referred to as ‘social engineering’. Phishing, in general, refers to emails sent to mass audiences, a practice referred to as ‘spray and pray’.
Spear phishing takes more work on the part of the attacker, but it’s far more likely to produce more valuable results, like confidential client information, business secrets, and monetary gain. According to research from security software firm Trend Micro, an astounding 91% of cyber-attacks begin with a spear phishing email.
While spear phishing affects every industry, it’s easy to see that financial companies make a particularly lucrative target. And so, it’s critical that such firms understand how spear phishing works and how to prevent it.
How Does Spear Phishing Work?
First, the cyber criminals identify organizations where they believe they stand to reap valuable data or actual dollars. Then they find out who has the information they seek or the power to do financial transactions and go after the particular person or people.
There are a number of steps in orchestrating the attacks:
- Gathering the email addresses they need – There are several ways they get their hands on your organization’s email addresses. The top one is to use scripts to harvest email addresses from the large search engines. You’d be surprised how many of your employees’ emails are discoverable on the Internet. The bad guys also find social media sites like LinkedIn to be good sources of emails and other information about your users. The easiest way they have to get emails is right on company websites.
- Overcoming your antivirus protection – Again, your own online information can provide a useful tool for hackers. Just a quick search of your open system admin positions can yield your antivirus program and version. Hackers also use legitimate penetration testing tools to look for vulnerabilities they can exploit. Once the AV is known, it's installed on a test bed to make sure the spear phishing emails will reach the designated inboxes without any problem.
- Creating a safe exit path for reply emails, data and other actions – Hackers can't get the information out of the organization they are attacking unless the payload delivered with the attack allows traffic to exit the organization. A popular payload is called ‘reverse_https.’ It creates an encrypted tunnel back to the hacker’s server. This makes it difficult for security software or firewalls to detect trouble, because the outgoing data all looks like normal HTTPS traffic.
- Avoiding spam detectors – To ensure the emails reach recipients, hackers will purchase a valid domain name from a resource like GoDaddy, use the free email server that comes with the domain, and set it up so that emails appear to be from a legitimate source. It's also easy to change GoDaddy Whois information to match any targeted domain.
- Creating the email messaging – Hackers research recipients to see who they frequently communicate with. Social networks are a rich source of this information. They then create what are known as socially engineered messages to entice the recipient to act on the request in the email.
- Reaping the rewards – Once a recipient has clicked the link or downloaded the file that will install the email’s payload, the hacker now has access to the company’s network and the additional info that will complete the attack’s objectives.
Some Spear Phishing Examples
The following examples are based on actual attacks:
- An employee received an email from his ‘CEO’ asking that he reply with certain details about the company’s bank’s options for international wire transfers. After he replied, the ‘CEO’ emailed again to say that he was unavailable to send the transfer and asked the employee to be sure to do it for him by the end of business. The quotes around CEO tell you that the sender was actually a hacker in a foreign country seeking to exploit the real CEO’s trusted relationship status for financial gain. Fortunately, the employee had undergone cyber security awareness training. He became suspicious, called the CEO to confirm the request and notified IT when he learned it was spear phishing.
- To exploit a Microsoft vulnerability in security software, the hacker used an attachment to a spear phishing email to deliver the Remcos remote access Trojan via Microsoft PowerPoint decks. The sender's address was spoofed to look like a message from a business partner and the email was written to look like an order request, with an attachment purporting to contain important related information. Again, the recipient found that something didn’t feel right and did not click on the attachment. Had she done so, Remcos would have allowed keylogging (seeing what people are typing), screenlogging (seeing where people are going online), control of webcam and microphone recorders, and the ability to download and execute additional malware. The company would not even know what had happened until it was too late.
- Spear phishing has also delivered ransomware attacks, which install malware that locks and encrypts a company’s data and demand a ransom for the key to unlock it. Remember that spear phishers have done their homework. They know what companies have deep pockets and who can pay enough to make spear phishing worth the trouble. There are so many examples of this that we won’t pick just one.
What to Do About Spear Phishing
There are many things your company can do to help prevent spear phishing. Some of them are evident from earlier information. For example, don’t have a list of employee names and email addresses on your website.
Number one, though, is to have a solid cyber security training program in place. In each of the specific examples above, the hacker was foiled because the employee smelled a rat. They had all received phishing awareness training. Their companies had worked with a cyber security professional like us in this process, which included sending phishing emails to their employees to see who would click and be susceptible to a real attack. Once identified, those employees received additional training.
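Training can be backed by a mail-filtering check for the patterns in the examples above. The following is an added illustration, not code from the original article: it flags an executive's display name on an outside address, a sender domain that is a near-miss of a trusted one, and a Reply-To that points to a different domain. The domain names, executive name and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; replace with your own organization's data.
ORG_DOMAIN = "example-firm.test"
TRUSTED_DOMAINS = {ORG_DOMAIN, "partner-supply.test"}
EXECUTIVE_NAMES = {"jane doe"}  # display names attackers are likely to imitate

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spear_phish_flags(raw_message):
    """Return a sorted list of warning flags for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = set()
    # 'CEO' display name on an address outside the company domain.
    if name.strip().lower() in EXECUTIVE_NAMES and domain != ORG_DOMAIN:
        flags.add("executive-name-external-address")
    # Sender domain that is one or two edits away from a trusted domain.
    if domain not in TRUSTED_DOMAINS and any(
            0 < edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        flags.add("lookalike-domain")
    # Replies routed to a different domain than the apparent sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != domain:
        flags.add("reply-to-domain-mismatch")
    return sorted(flags)

# Constructed sample messages (not real traffic).
CEO_FRAUD = (
    "From: Jane Doe <jane.doe@examp1e-firm.test>\n"
    "Reply-To: jane.doe@mailbox-service.test\n"
    "Subject: Wire transfer needed by end of business\n\n"
    "Please send me the bank's international wire options.\n")
LEGITIMATE = (
    "From: Jane Doe <jane.doe@example-firm.test>\n"
    "Subject: Quarterly review\n\nSee you at 3pm.\n")
```

Flags like these are best used to add a warning banner or route a message for review, since a distance threshold of two will occasionally match unrelated domains.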
If you’d like more information about preventing spear phishing, please contact Soundshore Technology Group’s cyber security experts by email to email@example.com. While you’re here, please take a look at our full array of cyber security services.