Spearphishing can be the start of a bigger attack and difficult to defend against, but by encouraging customers to employ robust security training and policies MSPs can help companies become more secure, says Ian Trump.
While we’ve become very effective at cutting out the bulk of traditional phishing email attacks, the bad guys have raised their game. In the past couple of years phishing has taken a more sinister turn with the advent of spearphishing, and even more recently whale phishing, which specifically targets high-ranking company executives.
So how are these different from your traditional phishing email? Put simply, more effort has gone into them – they’re researched so they sound more plausible and they are designed to look like they come from someone you know or someone in authority in your organisation. This makes them very difficult to defend against from a technology standpoint as they’re based on old-fashioned confidence tricks; they gain your confidence and then they sting you.
This represents a definite shift in the attack model, although phishers have always needed to use someone in authority to generate a response or at least create a sense of urgency. It’s not every day that Joe user gets an email from his CEO and why would the CEO send out anything suspicious?
The harsh reality is that most major data breaches in the past few years have been the result of spearphishing attacks on an organisation that included either a malicious attachment, a link to a website seeded with malware, or simply a request from an executive to transfer a large sum of money.
The way businesses are run today, it’s not difficult to research and target a spearphishing attack. An understanding of what a company is up to and knowledge of its internal structure can be gained from the company’s own website, from social media or from news stories. Cyber criminals are not particularly discriminating about whom they attack; generally, if you have customers and there is an opportunity to steal IP, payroll information or anything similar, then you’re a potential target.
Sadly, the old systems aren’t as effective here. With traditional phishing attacks, cloud-based email systems would analyse the emails, open attachments to see if they’re malicious, and compare them to email lists of known spam. But these more targeted attacks are on the rise. According to the U.S. Federal Bureau of Investigation (FBI), whaling email scams – where emails purport to come from CEOs – alone were up 270% from January to August 2015. The FBI also reported business losses due to whaling of more than $1.2 billion in little over two years, and a further $800 million in the six months since August 2015. So MSPs need to be aware of them and work with their customers to protect against them.
So what sort of mitigation strategies do you need to put in place?
Address spoofing is central to the effectiveness of these attacks, so having some form of email filtering system in front of the primary email servers can at least reduce the volume of scam emails arriving from the internet. This creates a second problem: the emails that do get through are usually the very targeted or very well crafted ones. Even with a perimeter email filter, CEO scam emails will often arrive undetected, and at that point we have to rely on the end user to recognize the phishing email and report it to IT.
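As an added example (not code from the article or from LOGICnow), the following Python triage check implements the address-spoofing patterns described above as a defender would in a mailbox rule or gateway plug-in: an executive's display name paired with a sender address that is not theirs, a Reply-To that quietly diverts replies elsewhere, and lookalike domains. The company domain, executive directory and sample messages are constructed assumptions.

```python
# Added example: triage of executive-impersonation ("CEO scam") emails.
# Flags the address-spoofing patterns the article describes so that the
# message can be quarantined or routed to IT for review. The company
# domain, executive directory and sample headers below are constructed.
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed exec directory


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    # 1. Display name of a known executive, but not their real address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and sender.lower() != expected:
        reasons.append(f"executive display name but sender is {sender}")
    # 2. Reply-To sends the victim's answer to a different domain.
    if reply_to and _domain(reply_to) != _domain(sender):
        reasons.append(f"Reply-To diverts replies to {_domain(reply_to)}")
    # 3. Any external domain that closely resembles the company's own.
    for dom in {_domain(sender), _domain(reply_to)} - {"", COMPANY_DOMAIN}:
        if SequenceMatcher(None, dom, COMPANY_DOMAIN).ratio() > 0.8:
            reasons.append(f"lookalike domain {dom}")
    return reasons


# Constructed sample messages (headers only, bodies irrelevant to the check).
SAMPLE_SPOOF = (
    "From: Jane Doe <ceo.jane.doe@mail-service.example>\n"
    "Reply-To: Jane Doe <jane.doe@examp1e.com>\n"
    "Subject: Urgent wire transfer\n\nPlease process today.\n"
)
SAMPLE_LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Subject: Weekly call\n\nSee you Monday.\n"
)

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample) or "no findings")
```

The lookalike threshold (0.8 similarity) is a tunable assumption; in practice it should be combined with SPF/DKIM/DMARC results from the gateway rather than used alone.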
The number one strategy for spearphishing emails is user awareness training. While technology can help weed out the more obvious attacks, the best defence is to have robust policies in place internally. Employees need to be empowered to ask themselves: is this really the type of information the CEO, for example, would be asking for? In many cases a simple call to the sender to verify anything unusual will prevent an attack. In the event of requests for money transfers, having a multi-level sign off process is essential.
Here, more internal communication within the organisation can be a life-saver. Busy executives who speak with each other on a regular basis and share future plans and developments are far harder to defraud in this way. Substantial “surprise” or “emergency” payments – no matter what the premise – are unlikely to succeed if executives are in regular contact and discuss upcoming activities in weekly or monthly calls. Requiring a minimum of two authorizing executives to sign off any external transaction makes this anti-fraud safeguard effective in stopping these scams. Working with the company’s financial institution to ensure transactions over a certain amount are “held” for a period of time before “release”, or requiring the bank to obtain verbal authorization from the CFO/CEO before releasing funds, is another excellent safeguard for organisations to adopt.
Last but not least, phishing your own users can help to educate them about the dangers. There are companies that provide the service of crafting spearphishing emails and attaching user awareness campaigns in the event that a staff member clicks on the phishing link. The awareness portion is usually just a short video to watch that would be similar to the user awareness training mentioned above but delivered in an ad-hoc method to the staff member.
Spearphishing attacks are usually the prelude to a major attack on your network. They are carefully researched and orchestrated, which makes them a very dangerous type of attack. What comes next could be very bad for your customers, so MSPs need to ensure their customers are on their guard.
For more advice on understanding and defending against Spearphishing and other security threats, download our free Cyber Threat Guide.
Ian Trump is security lead at LOGICnow
You can follow Ian on Twitter at @phat_hobbit