Previously we mentioned a news item that claimed the International Monetary Fund had been the victim of a “spear phishing” security breach. It seems that this is far from an isolated incident and that malicious groups are moving away from the more “traditional” method of blanket spam campaigns and towards the more targeted (and usually far more effective) approach of spear phishing.
Cyber criminals are scrapping widespread malicious email campaigns for more targeted attacks.
“Cyber criminals are balancing competing priorities,” a Cisco report said. “Infect more users or keep the attack small enough to fly under security vendors’ radar.”
The report revealed a dramatic drop in profits accrued by criminals who launch traditional attacks, such as delivering malware-laden or phishing emails. Not surprisingly, Cisco researchers estimate that the returns for mass email-based attacks have fallen from $1.1 billion annually in June 2010, to $500 million annually this month. In that same period, daily spam volume has fallen sharply from 300 billion messages per day to 40 billion.
and further on
“For an individual campaign, the economics of a spear phishing attack can be more compelling than for a mass attack,” the report said. “The costs are significantly higher, but so too are the yield and benefit.”
This is an important thing to remember about spear phishing. Unlike traditional spam, where a huge volume of email is sent out in the hope that someone will be foolish enough to take up the offer, spear phishing is aimed at specific individuals or organisations.
What can you do about spear phishing?
Without proper security awareness training, victims will almost always fall for the scam, which makes spear phishing a very effective way for hackers to penetrate a security boundary.
At a basic level, spear phishing is where hackers will research a target (or a target company) well enough to have a good idea of a “victim” and what will be a successful approach. Once this has been worked out, a carefully crafted email is put together, normally with something the victim will trust, expect to see and be willing to “click on” (either opening a file, or visiting a website). Once this happens, whatever payload the attacker wants to use is deployed inside the target network and frequently with enhanced privileges.
A common example is a finance department receiving an email containing a PDF that claims to be an invoice, but into which the attacker has used Metasploit to embed a dangerous payload. When the recipient opens what may well look exactly like a legitimate invoice, the payload in the PDF is activated and the attacker is inside the security boundary.
The effectiveness of a spear phishing attack is entirely dependent on how much effort the hacker puts in at the research phase and how much information your organisation displays to the outside world. As the SC Magazine article said, the costs are significantly higher than for a random spam email from a bank you don't use, but the impact and effectiveness are an order of magnitude greater.
As part of your security risk management approach you need to consider the risks and issues around spear phishing attacks. When it comes to protecting your network, the initial effectiveness of spear phishing attacks means you have to ensure that you have defence in depth across your infrastructure.
The first line of defence, as always, is making sure your employees are properly trained and aware of how to handle incoming electronic mail. You need to ensure you have an updated, functional anti-virus package that scans incoming traffic and is able to identify suspicious behaviour on execution. Packet inspection on the firewall and URL filtering at the cache can close down the issues around users clicking on tainted URLs. Finally, make sure that every user account has the minimum access rights needed to perform its duties, so that a payload which does get through has as little reach as possible.
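As an added example (not from the original post and not Halkyn's own tooling), here is a first-pass triage check for the invoice-PDF scenario described above, of the kind a mail gateway could run alongside anti-virus scanning: it inspects raw PDF bytes for name keywords that mark active or auto-executing content (JavaScript, open actions, launch commands, embedded files). The two sample PDFs and the quarantine rule are constructed assumptions, not real attachments.

```python
import re
from typing import Dict

# Constructed sample: a minimal PDF whose catalog declares an /OpenAction that
# runs JavaScript on open, the feature a weaponised "invoice" typically relies on.
SUSPICIOUS_INVOICE = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('invoice')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no active content at all.
BENIGN_INVOICE = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name keywords that indicate scripting, automatic actions or embedded
# payloads. An ordinary scanned or generated invoice contains none of them.
RISKY_KEYWORDS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                  b"/EmbeddedFile", b"/RichMedia", b"/XFA"]


def pdf_risk_report(data: bytes) -> Dict[str, int]:
    """Count each risky keyword in raw PDF bytes, matched as a whole PDF name.

    Caveat: names written with #xx hex escapes or hidden inside compressed
    object streams evade a plain byte scan, so treat this as a cheap first
    filter, not a substitute for a full parser or sandbox detonation.
    """
    report: Dict[str, int] = {}
    for kw in RISKY_KEYWORDS:
        pattern = re.escape(kw) + rb"(?![A-Za-z0-9_])"
        hits = len(re.findall(pattern, data))
        if hits:
            report[kw.decode()] = hits
    return report


def should_quarantine(data: bytes) -> bool:
    """Hold the attachment if it is not a PDF at all or carries active content."""
    if not data.startswith(b"%PDF-"):
        return True
    return bool(pdf_risk_report(data))
```

A gateway would route anything `should_quarantine` flags to an analyst queue or sandbox instead of the finance inbox, which removes the "just click the invoice" step the attack depends on.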
Security is never 100%, but by following these simple measures you can reduce the likelihood of becoming a victim and, if you do, limit the damage the hackers can cause.
If you want more advice on how you can improve your security and resilience, how you can train your staff or get the benefits of a dedicated security assessment covering everything from your physical perimeter to your IT infrastructure, then get in touch with Halkyn Security Consulting and find out how our security experts can help you.