Spear-Phishing Attacks in the Cards for the Next Year
With the avalanche of security breaches this year, spear phishing attacks are to be expected in coming months. Hackers eviscerated data servers of highly visible companies and state institutions, (most recently NASA and the FBI) and had user private data put out on display – some on underground forums, but mostly on the Internet for everyone to see and use.
This provides criminals a lot of information- likely enough to initiate spear-phishing attacks and more complex strikes against their targets.
Imagine this scenario: an unsuspecting employee receives an e-mail. Upon opening the attachment, he executes it and silently installs an advanced persistent threat on a network node within the enterprise.
The attachment is the perfect disguise for planting an advanced persistent threat, as it’s usually a PDF file or a buggy Office document that are both allowed through the company firewall and look inconspicuous enough for the user to run it. After successfully breaching the network machine, a criminal can remotely connect to the vulnerable network and act. Either on the spot or silently lurking around as part of a long term spy operation.
Users should look at spear phishing as the point of entry for more complex attacks.
Spear phishing is a targeted attack that takes extensive time for documentation. It is always part of a precision operation with clear goals, such as to compromise the security of a company, plant, or institution, or to steal top-secret information, or intellectual property. The purpose is to gain extensive intelligence about the target, to make it bleed money or lose credibility.
Nowadays, attackers pay extra attention to details as they turn their creations against high-profile targets such as military staffers, nuclear plant engineers, CEOs or government representatives. Today, anyone can be a victim.
What’s to be done?
- A good antivirus with a state-of-the-art anti-spam feature, running at the gateway, should be the first line of protection against spear-phishing.
- The company should run intrusion-detection mechanisms at the network perimeter.
- Proper network architecture should contain the infection to a specific subnet, preventing the infected computer from accessing other departments’ network resources. This will minimize the impact over the company.
- Employees should be trained to spot fake messages or requests. Also useful are security protocols; not opening attachments without scanning them, or reporting any suspicious incident to IT.
- An approach that is more restrictive but yields the best results is whitelisting rather than blacklisting. It involves creating a list of websites required for business purposes for which the network administrator should grant access. Other resources (URLs or applications that connect on various ports) are blocked in the firewall. This approach ensures that the user can’t physically visit a malicious URL even if they opened the spammy message and clicked it deliberately.
Remember that, contrary to general phishing attacks, avoiding spear-phishing it is mainly a matter of prevention rather than mitigation. If the success of a spear-phishing attack is based on research, it is imperative that users protect their online persona at all times, at all costs.
Respecting basic security measures such as keeping different passwords for different accounts, regularly renewing passwords, and never accessing accounts from computers users don’t own or via access points they don’t completely trust can make the difference between a successful spear attack and a fail.
Comments, pictures, check-ins and links posted by users on social networking platforms paired with private e-mail conversations are the bits and pieces of someone’s life that, put together, help scammers create accurate impersonations or lures for a successful spear-phishing attack.
So, if you don’t want to deliberately help a stranger use trust relationships and familiar circumstances to attack you or the company you work for, be discreet in sharing details about your private and professional life and treat any e-mail or request with utmost caution.