Spear phishing is a common form of fraud in which an attacker tries to obtain information such as login credentials or account details by posing as a reputable organization or person over email, instant messaging or another communication channel. Unlike a mass phishing campaign sent to millions of potential victims, a spear phishing attempt is an email spoofing attack aimed at one specific organization, seeking unauthorized access to confidential data: the attacker sends messages to only a handful of carefully selected individuals, perhaps five or ten. The following case shows how cyber criminals target an organization this way.
A Certified Forensic Accounting Professional was engaged by a pharmaceutical company to conduct a routine assessment of its system security. During the analysis he discovered that some of the client's PCs were infected with malware that was transferring research data to a location in Indore. The head office of one of the client's competitors was also based in Indore.
The business was attacked when a junior research scientist unknowingly helped infect the PC of a senior scientist. The trouble began when he received an email with a malicious PDF attachment from a source that appeared legitimate. Neither the sender nor the content looked suspicious, so the junior scientist opened the attachment. When its contents turned out to be unfamiliar, he forwarded the message to the senior scientist for guidance, and the senior scientist opened the attachment as well.
The attachment appeared to come from a vendor that was also part of the research work; the junior scientist had no way of knowing that the sending account had been compromised. When the attachment was opened it executed malware that infected both PCs and spread to the sensitive systems the senior scientist had access to. Once the attackers could scan the entire system, they simply took the information they wanted: some very important research and business plans. The competitor never had to set foot on the victim's premises to obtain them. The total damage was calculated at Rs. 7.6 crores.
The attackers were anxious not to draw attention to their attempt, so they sent only one message, to one carefully selected user: the junior scientist. They had found him through reconnaissance. When the competitor hosted a conference on the subject, an invitation was sent to the senior scientist asking him to speak. The mail reached him while he was on vacation, and his auto-responder replied that the junior scientist should be contacted in case of emergency. In most spear phishing cases the attackers must do this kind of extensive research and investigation; sometimes they also work out the firm's email address naming convention. So by the time the technical part of the scheme, the malware, is ready, the attackers know exactly whom to send it to.
How does it work?
The "phisher" falsely claims to be an established, legitimate enterprise and uses email to direct the user to a website where they are asked to update personal information such as passwords, credit card and bank account numbers. These sites are bogus, built to look like the real ones, and their only purpose is to steal the user's information. Spear phishing attempts are not typically launched by random hackers; they are more likely organized by perpetrators seeking financial gain or trade secrets. The messages appear to originate from a trusted source or from someone in a position of authority.
This scam relies on social engineering, a non-technical method that depends heavily on human interaction and often involves tricking people into breaking normal security procedures. The phisher researches social media sites and/or the corporate website to gather information that makes the email appear legitimate to the recipient. Campaigns are often built around the current year's major events, holidays and anniversaries, or take advantage of breaking news stories, both true and fictitious.
Popular Spear Phishing tactics:
- Thrives on familiarity: the greeting is likely to be personalized, "Hi Ram" instead of "Dear Sir".
- The email may refer to a "mutual friend" or a recent online purchase you made, or carry a credible, urgent alert (account alert, update your information, mandatory password change, etc.). It may also include a link to a website used for harvesting information.
- A spoofed "From" address that shows the legitimate company's domain name in the bait email: @ebay.com, @paypal.com, @citibank.com.
Impact of Spear Phishing
Successful spear phishing attacks can have significant implications for organisations. The more serious consequences of becoming the target of such an attack are listed below:
- Theft of sensitive information: An adversary may steal commercially useful information such as trade secrets, merger and acquisition plans, engineering designs, source code or details of research programmes. This can mean loss of competitive advantage and significant financial loss.
- Business impact: Once on a network, an attacker may seek to delete or alter data with the aim of disrupting business operations. Depending on the access level obtained, the attacker could alter company data, log files, configuration settings and user passwords, or modify the code of applications running on the network, compromising the systems that depend on them.
- Secondary use of compromised machines: An attacker can use a compromised machine to attack other individuals or networks, for example by sending spear phishing emails to the contacts of a compromised user account. This can severely damage the reputation of the compromised organisation, since its customers and suppliers will initially attribute those messages to the apparent sender.
- Incident response and recovery costs: Investigating and recovering from a compromise is expensive and time-consuming. The cost depends on how long the attacker was inside the network before the compromise was identified, on the recovery work itself, and on the steps needed to reduce the risk of a repeat attack and restore the network to a trusted state.
How to defend against Spear Phishing attacks
To reduce the risk posed by spear phishing attacks, organisations should strike a good balance between awareness education and effective technical controls.
Security awareness training: An important measure in defending against spear phishing is a high level of security awareness among staff. Employees should be educated about the changing nature of spear phishing attacks, because an attacker will look to exploit an employee's lack of awareness. The first step in protecting yourself against these targeted attacks is to understand that you may be a target: you and your organisation probably hold sensitive information that someone else wants, or that can be used to reach another organisation that is the attacker's ultimate goal.
Take the following precautions to safeguard yourself and your organisation from spear phishing attacks:
- Limit the personal information you share in mailing lists, forums and social media. The more personal detail you publish, the easier it is for an attacker to craft a spear phishing email that appears relevant and genuine.
- Verify the source of any email that asks you to open an attachment, click a link or supply sensitive information. If it appears to come from a company or person you know, contact the sender using the contact details you already have on file (not those given in the email) and confirm that they actually sent it.
- Support your organisation's security efforts by following its security policies and using the security tools available to you, such as antivirus, encryption and patching.
- Remember that technology cannot filter out every email attack, least of all spear phishing. If an email seems even slightly odd at first sight, read it carefully. If you suspect you have received a spear phishing email or have fallen victim to one, contact your help desk or information security team immediately.
Ask yourself these questions when you receive an email with a suspicious link or attachment:
- Who is the sender?
- Can you verify with the sender, using a contact channel other than the email itself, that it definitely came from them?
- Is the style of writing consistent with the sender? Does anything seem unusual about the tone, spelling or urgency of the email?
- Is the request unexpected (e.g. to open a file you weren't expecting)?
- Have other colleagues received a similar email?
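Several of the tactics listed earlier (a "From" address that claims a legitimate domain, a link that leads somewhere other than where its text says, an unexpected attachment) and the sender questions above can be checked mechanically before a person ever opens the message. The script below is an added example and is not code from the original article or from the firm in the case study. It parses a raw email with Python's standard library and reports each such signal; the trusted domain list, the risky-extension list and the sample message are constructed for the example.

```python
"""Triage checks for a suspected spear-phishing email (added example).

Flags: a display name naming one domain while the address lives at another;
a From domain that claims a trusted organisation without passing SPF/DKIM;
a lookalike of a trusted domain; a Reply-To elsewhere; links whose visible
text names a different host than the href; executable attachments.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Assumed for the example: domains the organisation really corresponds with.
TRUSTED_DOMAINS = {"example-pharma.com", "vendor-labs.com"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm"}
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)+")
URLISH_RE = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:[/?#].*)?$", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain imitations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str) -> Optional[str]:
    """Trusted domain that `domain` imitates (digit-for-letter swaps or <= 2 edits)."""
    folded = domain.translate(str.maketrans("10", "lo"))  # examp1e -> example
    for t in TRUSTED_DOMAINS:
        if domain != t and (folded == t or levenshtein(domain, t) <= 2):
            return t
    return None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def address_of(msg, field):
    """(display name, lower-cased domain) of the first address in a header."""
    hdr = msg[field]
    if hdr is None or not hdr.addresses:
        return "", ""
    return hdr.addresses[0].display_name, hdr.addresses[0].domain.lower()


def triage(raw: bytes) -> List[str]:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, from_dom = address_of(msg, "From")
    for claimed in DOMAIN_RE.findall(name):           # "IT (real.com)" <x@fake.com>
        if claimed.lower() != from_dom:
            findings.append(f"display name mentions {claimed} but address is at {from_dom}")
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_dom in TRUSTED_DOMAINS and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append(f"From claims trusted domain {from_dom} without SPF/DKIM pass")
    hit = lookalike(from_dom)
    if hit:
        findings.append(f"sender domain {from_dom} is a lookalike of {hit}")
    _, reply_dom = address_of(msg, "Reply-To")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            ext = "." + fname.rsplit(".", 1)[-1].lower()
            if ext in RISKY_EXTENSIONS:
                findings.append(f"attachment {fname} has executable extension {ext}")
        elif part.get_content_type() == "text/html":
            lc = LinkCollector()
            lc.feed(part.get_content())
            for href, text in lc.links:
                host = (urlparse(href).hostname or "").lower()
                m = URLISH_RE.match(text)           # visible text that looks like a URL
                if m and m.group(1).lower() != host:
                    findings.append(f"link text shows {m.group(1)} but href goes to {host}")
                hit = lookalike(host)
                if hit:
                    findings.append(f"link host {host} is a lookalike of {hit}")
    return findings


# Constructed sample: a "mandatory password change" lure with every tactic at once.
SAMPLE = b"""From: "IT Support (example-pharma.com)" <support@examp1e-pharma.com>
Reply-To: helpdesk@mail-verify.net
To: scientist@example-pharma.com
Subject: Mandatory password change
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Ram,</p><p>Your password expires today. Update it at
<a href="http://examp1e-pharma.com/reset">https://portal.example-pharma.com/reset</a></p>
</body></html>
--B1
Content-Type: application/octet-stream; name="Password_Policy.pdf.exe"
Content-Disposition: attachment; filename="Password_Policy.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA==
--B1--
"""

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print("WARNING:", line)
```

None of these checks proves an email is malicious, and a carefully built spear phishing message may trip none of them; the point is to surface the signals the questions above ask about so that the out-of-band verification step is not skipped. Authentication-Results headers are only meaningful when written by your own inbound gateway, so in production the check should be restricted to the header instance added by that host.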
These questions help employees recognise spear phishing emails. When training staff, make them aware of the company's communication and security policies. Spear phishing attacks can cause huge financial losses for a company or organisation, as well as reputational damage, so organisations must put proper security measures in place and build awareness among employees as a first line of defence to limit the effect of such attacks. Adopting proper security measures reduces the chance of a successful attack, but technical solutions can only help identify malicious emails; proper training helps users avoid falling prey to social engineering and legitimate-looking messages. Even so, the risk cannot be eliminated entirely. Government agencies and security companies are among the most heavily targeted by spear phishing, which shows that, regardless of the technical security solutions in place, the actions of even one unaware user can be disruptive.