Sophisticated spear phishing attacks becoming more common

SMBs must focus on prevention as data security, financial costs of breaches climb

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Spear phish­ers con­tin­ue to pierce even well-defend­ed net­works, caus­ing grave finan­cial wounds.

Spear phish­ers lure a spe­cif­ic indi­vid­ual to click on a viral email attach­ment or to nav­i­gate to a cor­rupt­ed Web page. Mali­cious code typ­i­cal­ly gets embed­ded on the victim’s com­put­ing device, giv­ing con­trol to the attacker.

A recent sur­vey of 300 IT deci­sion-mak­ers in the Unit­ed States and the Unit­ed Kingdom—commissioned by threat-pro­tec­tion solu­tions provider Cloud­mark—found that a spear-phish­ing attack pen­e­trat­ed the secu­ri­ty defens­es of more than 84 per­cent of respon­dents’ organizations.

Free resource: Plan­ning ahead to reduce breach expenses

Spear phish­ing con­tin­ues to turn up time and again as the trig­ger to mas­sive net­work breach­es, includ­ing wide­ly pub­li­cized attacks on JPMor­gan Chase & Co., eBay, Tar­get, Anthem, Sony Pic­tures and the U.S. Office of Per­son­nel Management.

Angela Knox, Cloudmark senior director of engineering and threat research
Angela Knox, Cloud­mark senior direc­tor of engi­neer­ing and threat research

Crim­i­nals have achieved high suc­cess rates with spear-phish­ing attempts, and that suc­cess is breed­ing even more attempt­ed attacks,” says Angela Knox, Cloudmark’s senior direc­tor of engi­neer­ing and threat research.

Respon­dents to Cloudmark’s sur­vey said that, on aver­age, their orga­ni­za­tions lost more than $1.6 mil­lion from spear-phish­ing attacks dur­ing the 12 months pri­or to the survey.

Spear phish­ers install mal­ware, seek out priv­i­leged access accounts, and scour breached net­works for con­fi­den­tial busi­ness plans, infor­ma­tion about cur­rent nego­ti­a­tions, and oth­er valu­able data. And the attack­ers are in a posi­tion to manip­u­late, dis­rupt or destroy systems.

Relat­ed video: CEO fraud caper nets $450,000

Attacks on banks, cred­it unions and pro­fes­sion­al ser­vices firms that help con­duct finan­cial trans­ac­tions often focus on per­suad­ing employ­ees to wire mon­ey to the phish­ers’ accounts.

Even if the mon­ey can be recov­ered, it takes time and effort to recov­er it,” Knox says. “In one high-pro­file inci­dent, a com­pa­ny lost $46.7 mil­lion due to email spoofing.”

Resist over­shar­ing

One rea­son spear phish­ing per­sists is because peo­ple reveal a wealth of per­son­al and behav­ioral data on the Inter­net. Attack­ers tap this infor­ma­tion to pro­file vic­tims and cre­ate email and social media mes­sages craft­ed to appear to come from a trust­ed source—in a con­text that puts the tar­get­ed vic­tim at ease.

The end game: Get the per­son to open a viral email attach­ment or click to a mali­cious Web page.

Every­one is now a tar­get, and users can no longer depend on spelling mis­takes or ran­dom scams,” says Chester Wis­niews­ki, senior secu­ri­ty advis­er at anti­mal­ware ven­dor Sophos.

Peter Cassidy, Anti-Phishing Working Group secretary general
Peter Cas­sidy, Anti-Phish­ing Work­ing Group sec­re­tary general

Peter Cas­sidy, sec­re­tary gen­er­al of the Anti-Phish­ing Work­ing Group, an inter­na­tion­al coali­tion fight­ing cyber crime, says spear phish­ers in recent years have gone to greater depths in focus and planning.

These days, it’s not uncom­mon to see an attack that tar­gets spe­cif­ic per­son­al­i­ties for their access with­in an enter­prise and loads a mal­ware pay­load to exe­cute an exploit that will open a path­way the attack­ers are wait­ing for—and will use to gain access to data they prize,” Cas­sidy says. “Talk about orches­tra­tion! Stravin­sky and these guys would have a lot to talk about.”

Employ­ees part of solution

A pri­ma­ry defense is to con­tin­u­al­ly train employ­ees to be vig­i­lant, and a cot­tage indus­try of train­ing ser­vices and tech­nolo­gies has arisen in recent years to assist com­pa­nies off all sizes. But even trained employ­ees remain sus­cep­ti­ble to sophis­ti­cat­ed trickery.

Near­ly 80 per­cent of orga­ni­za­tions sur­veyed by Cloud­mark report­ed using staff train­ing to pre­vent attacks. Of orga­ni­za­tions that test their employ­ees’ respons­es to spear-phish­ing attacks, only 3 per­cent said that all employ­ees passed. Respon­dents esti­mat­ed that 16 per­cent of staff mem­bers failed their orga­ni­za­tions’ most recent spear-phish­ing tests.

Humans are flawed,” Wis­niews­ki says. “You can nev­er stop spear phish­ing entire­ly,” because “it is not a tech­ni­cal prob­lem that can be solved.”

It’s human nature for employ­ees who spot some­thing wrong or who believe they may have been tricked to hes­i­tate report­ing the inci­dent. Yet quick report­ing is a key to reme­di­a­tion. “Acci­dents hap­pen, but detec­tion and reme­di­a­tion are more suc­cess­ful the less time the crim­i­nal has to take advan­tage of your errors,” Wis­niews­ki says.

More on spear fish­ing and security:
The most-trust­ed brands are often phish­ers favorite prey
Info­graph­ic: Hack­ers cast phish­ing lures into cor­po­rate waters
Putting effec­tive data risk man­age­ment with­in reach