Awareness : Security Awareness Tips

Spear Phishing: Human Error Remains the Weakest Link in Security

By now most of us are aware of fake emails that claim to come from your bank, credit card company or well known companies such as PayPal and eBay. Phishing is the term used to describe these malicious emails. Millions of these emails can go out at one time and hence they must be very general. An example would be an email claiming to be from a customer service department, with an urgent message to update account information. An evolved form of the normal mass attack phishing method is spear phishing – which involves carefully crafting a very specific message targeting one or more individuals in leadership or influential positions in a particular organization. Many organizations have deployed spam filters which should block most normal phishing attacks. However these spear phishing emails are much more likely to pass through these filters because a relatively small number of them are sent out.  The targeted individuals will probably have access to large amounts of company data as well as major financial accounts. They may access this information from their office or home. The goal is to get them to open this spear phishing email, and click on a link that goes to a malicious website or open an attachment that installs malware. Such malware could include keylogger trojans that record all keystrokes, including your username, password, security question etc when visiting an online banking site, or accessing a private company database. In a matter of a few days the hacker could have access to multiple personal accounts and company passwords which could lead to large individual and company loss.

According to a report by IT security firm Trend Micro, spear phishing typically begins with research on who to specifically target within the organization. Websites such as LinkedIn as well as Facebook and Twitter provide a ready, potential source of information for cybercriminals to research their target. In particular they are looking for information on what the individual’s interests are, where he or she has been and other recent activities. The goal is to craft a personalized, compelling message with real details of the target’s recent activity.

Victims of spear phishing include people who oversee corporate security. One such example is a security technology executive from Symantec, a major security software company, who received an e-mail from what appeared to be his employer’s human resources department that asked for personal information to make a payment. Another very prominent example is RSA, another major information security firm. An employee received a message entitled “2011 Recruitment Plan” and opened an attached Excel file which installed a backdoor program to the company’s network. These two companies are examples of companies with very sophisticated information security defenses, but they were both breached by spear phishing methods. Proof that human error remains the weakest link in information security.

The sophistication of these attacks continues to evolve but there are steps you can take to protect yourself and your organization.

How to avoid being a Spear Phishing victim

  • Do not read business email or access company information resources from devices that are not patched frequently. Patching refers to the process of regularly updating operating systems and application software, including browsers. An unpatched device provides an avenue for a potential vulnerability in the device (laptop, smart phone, tablet etc) software to be exploited. Popular applications that should be updated regularly include Microsoft Office, Adobe Acrobat, Reader, Flash, Apple iTunes, and Oracle Java.
  • If anti-malware software is available for your device, use it. Effective use means regular updating and running of scans. McAfee VirusScan is available for University faculty, staff and students.
  • Keep in mind that most companies, banks, agencies, do not request personal information via e-mail. If in doubt, call the company but do not use the phone number contained in the e-mail—if the email is fake then that number could be fake as well. Look up a contact number by visiting the company site directly or by using a number from a previous genuine correspondence.
  • Use a phishing filter. Many of the latest web browsers have them built in or offer them as plug-ins. They are not guaranteed to work against spear phishing attacks but are still a potential protective layer.
  • Never follow a link to a secure site from an e-mail—always enter the URL manually.
  • Be especially cautious of link shortening services that use tinyurl.com, popular on Twitter.
  • Hover your browser over a link in an email and examine the URL very carefully. Do not click. Most browsers now allow you to see the URL or domain name that the link will take you to. Be especially cautious of uncommon domains extensions such as .cn, .br, .ru. .ro, .ee, .ua etc. Countries with strong hacking activity include Russia, other Eastern European countries, China and recently, Brazil.
  • Use different, complex passwords for your personal and company accounts. If someone obtains your Gmail account password, you do not want that same password being used to access your bank, company database or electronic medical record (EMR) system. It is a pain to manage all these passwords but one possible solution is use of password management/keeper software.

For more information:

Posted: May 3, 2012