Joseph (J.B.) Blankenship | May 20, 2011
In a previous professional life, I spoke to numerous audiences about blended web and email threats. Part of my standard presentation included a slide that addressed spear phishing specifically. Before addressing spear phishing, I typically asked the audience if they knew what spear phishing was. Occasionally, some wise guy said something like, “it’s when you go fishing with a spear” (this was typically followed by groans from everyone else in attendance). More often, however, I was greeted by a roomful of blank expressions. This, of course, was the reaction I was hoping for, so that I could play “Smart Security Guy” and explain spear phishing to the people gathered before me.
Spear phishing has become much more familiar to us over the last few months. Recent high-profile security breaches have brought this type of attack to the forefront. Spear phishing was the root cause of several of these breaches, since it is often the first step an attacker takes in an APT (Advanced Persistent Threat) campaign: the phishing email is how the initial foothold is obtained. Millions of email addresses have also been compromised recently in other well-publicized attacks, which gives attackers a ready supply of valid, targeted addresses and makes future spear phishing attacks much more likely.
In essence, spear phishing is a social engineering attack that targets a specific organization (or specific people in it) by posing as a trusted entity (bank, credit card company, partner, vendor, etc.), typically by spoofing that entity’s email and web site. See this Security Week article from my colleague Jon Heimerl for an example. The attacker’s motivation is normally either theft (confidential data, financial information, passwords) or planting malware (trojans, keyloggers, bot agents, etc.) on a user’s computer. That malware is then used to gain a foothold on the network or to enroll the machine in a botnet.
These attacks aren’t like typical spam or mass phishing. Spear phishing is more targeted and more difficult to stop. Attackers research their targets in advance, using social media and other public sources, so they can craft an email the recipient is likely to open and click on: the right sender name, the right project, the right tone. The more information an attacker gathers about a target, the more convincing (and successful) the attack will be.
Attackers may even pose as an internal resource by spoofing the organization’s own domain in the sender address. Some recent breaches started with email made to look as if it had been sent by the organization’s IT or HR department. Well-meaning users clicked the links or opened the attachments, downloading the malware that made the rest of the attack possible.
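The spoofed-internal-sender case above can be caught at the gateway with a simple rule: if the From: address claims to be our own domain, the connecting host had better be one of our own relays. The script below is an added example, not code from the original post or from Solutionary; the organization domain, the relay address ranges, the gateway-writes-the-top-Received-header assumption, and the sample messages are all constructed for illustration.

```python
"""Flag inbound mail that claims to come from our own domain but did not
arrive from our own mail relays, plus display names that borrow our domain.
Added example; domain, relay ranges and sample messages are constructed."""
import email
import ipaddress
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed: the organization's own mail domain
# assumed: address ranges of the organization's legitimate mail relays
ORG_RELAYS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("10.0.0.0/8")]

_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(from_header):
    """Domain of the address in From:, lowercased. The display name is
    ignored on purpose: that is where attackers put the trusted name."""
    _, addr = parseaddr(from_header or "")
    return addr.rpartition("@")[2].lower()


def connecting_ip(msg):
    """IP of the host that handed the message to our gateway. Assumed: our
    gateway writes the topmost Received: header, so its bracketed IP is the
    peer that connected to us. Any earlier hops are attacker-controlled text."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = _RECEIVED_IP.search(received[0])
    return ipaddress.ip_address(m.group(1)) if m else None


def is_internal_relay(ip):
    return ip is not None and any(ip in net for net in ORG_RELAYS)


def spoof_findings(raw):
    """Return a list of findings (empty if clean) for one raw message."""
    msg = email.message_from_string(raw)
    findings = []
    name, _ = parseaddr(msg.get("From", ""))
    domain = sender_domain(msg.get("From"))
    ip = connecting_ip(msg)
    # Rule 1: claims our domain, but arrived from outside our relays.
    if domain == ORG_DOMAIN and not is_internal_relay(ip):
        findings.append(f"From claims {ORG_DOMAIN} but arrived from external host {ip}")
    # Rule 2: our domain appears in the display name, but the address is elsewhere.
    if name and ORG_DOMAIN in name.lower() and domain != ORG_DOMAIN:
        findings.append(f"display name mentions {ORG_DOMAIN} but address is @{domain}")
    return findings


# Constructed sample messages (headers only matter for this check).
SAMPLES = {
    "spoofed_it": "\n".join([
        "Received: from mail.attacker.example ([203.0.113.5]) by mx.example.com; Fri, 20 May 2011 09:12:33 -0500",
        "From: IT Helpdesk <helpdesk@example.com>",
        "To: user@example.com",
        "Subject: Mandatory password reset",
        "",
        "Your password expires today. Log in at the link below to keep it.",
    ]),
    "legit_internal": "\n".join([
        "Received: from corp-relay.example.com ([192.0.2.10]) by mx.example.com; Fri, 20 May 2011 09:14:01 -0500",
        "Received: from workstation ([10.20.30.40]) by corp-relay.example.com; Fri, 20 May 2011 09:13:58 -0500",
        "From: HR <hr@example.com>",
        "Subject: Benefits enrollment",
        "",
        "Open enrollment closes Friday.",
    ]),
    "lookalike": "\n".join([
        "Received: from smtp.lookalike.example ([198.51.100.7]) by mx.example.com; Fri, 20 May 2011 09:20:10 -0500",
        'From: "example.com Payroll" <payroll@examp1e.com>',
        "Subject: Direct deposit change",
        "",
        "Confirm your bank details here.",
    ]),
    "external_vendor": "\n".join([
        "Received: from mail.vendor.example ([198.51.100.9]) by mx.example.com; Fri, 20 May 2011 09:25:44 -0500",
        "From: Vendor Sales <sales@vendor.example>",
        "Subject: Quote",
        "",
        "Attached is the quote you asked for.",
    ]),
}


def triage(samples=SAMPLES):
    """Run spoof_findings over every sample; {name: findings}."""
    return {name: spoof_findings(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(name, "->", findings or "clean")
```

Legitimate third parties that send as your domain (a payroll provider, a marketing service) would trip rule 1, so their relays have to be added to the allowed ranges too; the rule is only as good as that list. Rule 2 catches the lookalike-domain variant, where the From: address is technically honest but the display name does the lying.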
Don’t let your users be fish in a barrel. Protect your organization from spear phishing attacks and the consequences they can bring.
The FBI has published a list of suggestions on what to do to protect yourself against spear phishing:
• Keep in mind that most companies, banks, agencies, etc., don’t request personal information via e-mail. If in doubt, give them a call (but don’t use the phone number contained in the e-mail—that’s usually phony as well).
• Use a phishing filter…many of the latest web browsers have them built in or offer them as plug-ins.
• Never follow a link to a secure site from an e-mail—always enter the URL manually.
• Don't be fooled (especially today) by the latest scams. Visit the Internet Crime Complaint Center (IC3) and "LooksTooGoodToBeTrue" websites for tips and information.
Other precautionary measures include:
• Security awareness training – Train users to recognize phishing attacks and to not give their password or login information to ANYONE (including the company IT department) requesting it via email. Offer to have offenders publicly flogged in the company break room while their co-workers enjoy cake and watch.
• Employ strong anti-spam technology at the gateway or in the cloud – Leading email filters will block over 99% of malicious email and spam, including many phishing attacks.
• Deploy web filtering and/or next-generation firewalls – Stop malware downloads before they happen. Users are going to click things; stop the click from turning into a malicious file on the endpoint.
• Use data loss prevention (DLP) – Detect confidential data leaving the network.
• Keep patches and anti-virus software (preferably with an anti-malware component) updated – Duh.
• Monitor what’s happening on your network – An MSSP or a SIEM can detect anomalous behavior on the network and may be able to detect that a user has visited a malicious web site.
Solutionary employs multiple malicious host lists and known blacklists to detect when users visit potentially malicious web sites. We can also detect APT attacks by monitoring endpoints, network devices and security devices. APT attacks move low and slow, and they require active monitoring for detection. See our Threat Intelligence webinar series or read our APT white paper for more information.
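The “malicious host list” check in the previous paragraph comes down to matching the hosts in your web proxy log against a feed of known-bad hosts, and most of the work is getting the matching right. The script below is an added example, not Solutionary’s tooling or code from the original post; the host list, the log line format (epoch, user, client IP, method, URL, status) and the log entries are constructed. It handles the cases that trip up naive substring matching: a subdomain of a listed domain, upper-case or trailing-dot hostnames, hosts carrying a port, IP-literal URLs, and a domain that merely contains a listed name as a substring.

```python
"""Match web proxy log entries against a malicious-host list.
Added example; the list, log format and log lines are constructed."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# assumed: bare hostnames / IPs as pulled from a threat feed or blacklist
MALICIOUS_HOSTS = {"evil-updates.example", "203.0.113.66", "login-examp1e.com"}


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def normalize_host(url):
    """Hostname from a URL: lowercased, port and trailing dot removed.
    urlsplit needs a scheme, so bare host:port entries (CONNECT) get one."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def matched_entry(host):
    """Return the list entry that covers host, or None. Domains match on an
    exact name or any parent domain (cdn.evil-updates.example is covered by
    evil-updates.example); IP literals match exactly only. Matching is done
    on whole labels, so notevil-updates.example does NOT match."""
    if not host:
        return None
    if _is_ip(host):
        return host if host in MALICIOUS_HOSTS else None
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in MALICIOUS_HOSTS:
            return candidate
    return None


def scan_proxy_log(lines):
    """Parse 'epoch user client_ip method url status' lines and return
    {user: [(url, matched_entry), ...]} containing hits only."""
    hits = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line: skip it rather than abort the scan
        user, url = parts[1], parts[4]
        entry = matched_entry(normalize_host(url))
        if entry:
            hits[user].append((url, entry))
    return dict(hits)


# Constructed log lines in the assumed format.
SAMPLE_LOG = [
    "1305900001.001 jdoe 10.1.2.3 GET http://www.example.com/ 200",
    "1305900002.002 jdoe 10.1.2.3 GET http://CDN.evil-updates.example./update.exe 200",
    "1305900003.003 asmith 10.1.2.4 CONNECT login-examp1e.com:443 200",
    "1305900004.004 asmith 10.1.2.4 GET http://203.0.113.66:8080/gate.php 200",
    "1305900005.005 bjones 10.1.2.5 GET http://notevil-updates.example/ 200",
    "garbage line",
]


if __name__ == "__main__":
    for user, entries in scan_proxy_log(SAMPLE_LOG).items():
        for url, entry in entries:
            print(f"{user}: {url} matched list entry {entry}")
```

In practice the per-user hit list is what goes to the SIEM or the analyst: a single user fetching an executable from a listed host is the “user has visited a malicious web site” event the previous paragraph describes, and the match is only as fresh as the list it was run against.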
Attackers continually adapt their tactics, especially when the prizes are so large. Even seemingly harmless email can be malicious in nature. Protect yourself and your organization from these difficult-to-detect attacks. Remember, it’s usually the slow-moving fish that gets speared first.