Spear Phishing: Understanding an Evolving Security Threat

Table of Contents

Executive Summary
Introduction
Spear Phishing Overview
The Enterprise Spear Phishing Risk
  Why a Single Breach Can Be So Damaging
  A Breach Involving Users
Potential Business Impacts of Successful Spear Phishing
Mitigating the Phishing and Spear Phishing Risk
  Anti-Phishing and Anti-Spear Phishing Solution
Conclusion

2 vadesecure.com Spear Phishing: Understanding an Evolving Security Threat

Executive Summary

An increasing portion of emails are sent with criminal intent. Phishing, an attack technique that tricks recipients into clicking on links or divulging personal information, is growing in sophistication and volume. One of the most alarming variants is known as “spear phishing.” Spear phishing personalizes the attack, often sending emails that include the names of friends and co-workers or other personal data to lure the recipient into clicking on a link or disclosing confidential information. This brief looks at spear phishing from the perspective of enterprise security risk and business impact. It offers a practical definition of spear phishing, examines corporate vulnerability and exposure, and suggests some approaches to mitigating the risk.


Introduction

There might be one in your inbox right now: An email from someone you know asking you to check on the status of a package or open a Word document. The only problem is that your colleague didn’t send you that email. There is no package. The Word document will download spyware onto your device if you open it. The email was sent by someone with malicious intent—a criminal who wants to steal and sell your customer list or an industrial spy from a foreign power. This is known as “spear phishing,” a hacking technique that succeeds by personalizing the attack to lure the recipient into clicking on a malware link or disclosing confidential information.

Most of us are savvy enough now to avoid the kind of clearly bogus phishing emails that feature financially strapped royalty and start with “Dear Sir or Madam.” Plus, most corporate spam filters will catch the majority of these brazen, mass-produced scams anyway. Such emails mainly catch unwary consumers. However, there is an evolving and highly dangerous variation of the standard mass email that actively targets your organization’s most vulnerable point: your employees.

Spear phishing is far more sophisticated than the standard mass phishing email. It targets employees at specific companies in order to gain access to data and systems. Standard corporate spam filters won’t stop it. It is frequent and widespread, and it works: 23% of recipients open phishing messages and 11% click on the attachments.1 It’s possible that you or a colleague has already clicked on a spear phishing link without realizing it. The damage caused might be completely invisible. But damage was done. Someone unauthorized might have gained access to your corporate network by pretending to be an employee or trusted partner.

A successful spear phishing attack can have a devastating impact on an enterprise. The research and care inherent in such an attack is itself evidence of specific intent and of the sophistication of the criminal network behind it, a network fully capable of maximizing the damage done with exposed critical information. The damage might be to your brand or intellectual property, or it might be direct financial loss.

This brief is intended to familiarize you with the threat of spear phishing, how the hack works and what it means to your business. Its goal is to provide you with a sense of the level and type of risk exposure you have and what you can do to mitigate the risk.

1 Verizon 2015 Data Breach Investigations Report, page 13

Spear Phishing Overview

Spear phishing is a specific type of email attack known as phishing, which is itself a subset of the broader category of spam email. However, while spam is a nuisance, it is generally harmless. Phishing is different. The term is a corruption of “fishing,” with a “ph” added as a hacker tribute to the notorious “phone phreaks” of the 1960s and 70s. Like those early phone phreaks who used homemade electronics to steal free phone service, phishers treat the world of Internet users as an ocean in which they can “fish” for scam victims. Unlike the phone phreaks, though, who were colorful characters working mostly alone in a more innocent time, today’s spear phishers are typically part of large criminal organizations or foreign entities. Phishing involves tricking the email recipient into divulging confidential information, downloading malware, or both. In many cases the goal is simply to establish a stealthy presence on the target’s device, for example to log keystrokes or collect passwords. Consider the following example of a real spear phishing attack:

This screen shot shows a very advanced spear phishing attack. In this case, the malicious actor studied the victim’s network of people and current projects. Having established that the victim is in the legal field, the attacker uses the name of an actual attorney in the content to make the message seem legitimate.


Like most advanced spear phishing attacks, this example shows that the goal is not to get credentials or personal information in the first step. The objective is to move the conversation to an email address the attacker controls, typically a freshly created account at a free webmail provider. Because that address is genuine, sender verification layers such as SPF or DKIM pass and offer the recipient no protection. Unlike a simple phishing attack that seeks to steal credentials instantly from a few victims out of hundreds of thousands of recipients, spear phishing first creates a sense of safety before attempting to collect personal information. After exchanging a few emails using the custom address, [email protected], the victim feels safe and confident enough to give private information to the malicious actor.

Most phishing attacks can be blocked by a combination of standard spam and web filters within about 10-12 hours. Unfortunately, on average, about 50% of those who are going to click on a phishing message do so within the first hour.2

Spear phishing, like its marine sport equivalent, adds a dangerously precise level of targeting to the phishing process. Spear phishing uses personal information about the target to increase the likelihood that he or she will fall victim to the scam. A spear phisher will use social media, public information or illegally obtained data to establish a credible reference point for the phishing email. If the target’s name is John, who works with Sally Jones from Logistics, the spear phishing email might contain a subject line and internal reference to, “Sally Jones wants you to track this FedEx package.” John, receiving this message apparently from his colleague, is likely to be less vigilant about clicking a link in the email.

2 Verizon 2015 Data Breach Investigations Report, page 13

The Enterprise Spear Phishing Risk

The enterprise is the target, but employees are the point of entry. It’s quite easy to obtain email addresses of employees of major corporations legally. Then, with a little research on Facebook and LinkedIn, supplemented by some selective raiding of email address books, a spear phisher can create emails that draw on existing social connections inside a company. Alternatively, the phisher can aim the spear using plausible commercial relationships as the pretext for an email or malicious URL. For instance, if the target works at a car company, then an email purporting to be from an auto parts supplier is likely at least to get read, if not acted upon.

Even well-informed employees are vulnerable because the attacks are convincing. If John receives an Excel document titled “Q4 budget” from Sally, his close colleague, along with a message that says, “I am confused about line 4. Can you look at it and get back to me asap – Sally,” he is probably going to open it. The worst part is that John may have no idea that he or Sally has done anything wrong. It’s not like the movies, where John’s screen turns red and starts flashing “Warning! Warning!” The anti-malware software on John’s computer might catch whatever the Excel document dropped, but it may not. His PC has been silently taken over.

Why a Single Breach Can Be So Damaging

While restricting employee access to sensitive data and network segments is a partially effective countermeasure against spear phishing, it is far from a panacea. There is still significant exposure when even a low-level employee’s device or credentials are compromised. The spear phisher may only gain control over a device with limited access privileges, but that device is now inside the network. From it, the phisher can map the enterprise’s network topology and applications from the inside, and from there use an array of hacking tools to penetrate further into the enterprise.


What’s more, if a username/password combination has been stolen, far more damage can be done. Most users rely on a small set of passwords, one “simple” and one “secure,” that they reuse for almost everything. Worse, many departments use the same or very similar passwords for shared “group” accounts across many different applications and databases. Even if corporate security enforces two-factor authentication and strong passwords on the main systems, a determined attacker can often use the stolen credentials through a “side door” such as a SaaS-based CRM, storage, document or analytics tool that lacks those controls.

A Breach Involving Users

Current security solutions implement protocols such as SPF, DKIM and DMARC that were designed to protect against sender spoofing. These protocols are very effective against attacks that spoof an exact domain name. For instance, if your Email Security Gateway checks SPF, it can reject phishing emails whose sender uses gmail.com but which do not actually originate from Google’s mail servers. This works because Google publishes the IP ranges authorized to send for gmail.com as SPF records in DNS. Two caveats matter for spear phishing. First, SPF authenticates the envelope sender (MAIL FROM, shown to the user as Return-Path) and DKIM authenticates the signing domain; neither is the “From” header the user actually sees, and only DMARC ties them together by requiring the authenticated domain to align with the “From” domain. Second, none of the three says anything about a message that is legitimately sent from a domain the attacker controls.
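The SPF evaluation and the DMARC alignment rule just described, as an added Python example that is not part of the original brief or of any vendor product. The DNS TXT records, domain names and IP addresses are constructed for the example; the evaluator handles only the ip4, ip6, include and all mechanisms and the redirect modifier, which is enough to show why a passing SPF result on the envelope sender says nothing about the “From” header.

```python
import ipaddress

# Constructed DNS TXT records for the example (not real zones).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "alias.example": "v=spf1 redirect=example.com",
    "evil.example": "v=spf1 ip4:192.0.2.0/24 -all",   # attacker-owned, correctly configured
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, mail_from_domain, depth=0):
    """Evaluate the SPF record of the envelope MAIL FROM domain against the
    connecting IP. Only ip4/ip6/include/all and the redirect modifier are
    handled; a/mx/ptr/exists need live DNS and are skipped in this example."""
    if depth > 10:                      # recursion guard (RFC 7208 limits DNS-querying terms to 10)
        return "permerror"
    record = DNS_TXT.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term[len("redirect="):]
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # an IPv6 address is never "in" an IPv4 network and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            continue
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    if redirect:
        return check_spf(ip, redirect, depth + 1)
    return "neutral"


def dmarc_spf_aligned(spf_result, mail_from_domain, header_from_domain):
    """SPF only authenticates the envelope sender. DMARC additionally requires
    that domain to align with the From: header the user actually sees."""
    return spf_result == "pass" and mail_from_domain.lower() == header_from_domain.lower()


if __name__ == "__main__":
    # Legitimate mail from example.com's own range passes.
    print(check_spf("203.0.113.5", "example.com"))
    # A forged MAIL FROM of example.com from an unrelated host fails.
    print(check_spf("198.51.100.99", "example.com"))
    # The attacker's own domain passes SPF, but it does not align with a
    # From: header claiming example.com, so DMARC still rejects the message.
    spf = check_spf("192.0.2.7", "evil.example")
    print(spf, dmarc_spf_aligned(spf, "evil.example", "example.com"))
```

The last case is the one that matters for spear phishing: an attacker who sends from infrastructure he controls gets a clean SPF pass, and only the DMARC alignment check on the receiving gateway notices that the authenticated domain is not the one displayed to the user.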


There are three main ways to spoof a sender email address:

Exact-Domain Spoofing: The phisher uses the exact domain to send his or her email. This practice is blocked if the domain is secured with SPF and DKIM, publishes a DMARC policy of quarantine or reject, and the recipient’s Secure Email Gateway actually verifies the records.

Alias-Part Spoofing: If the phisher cannot spoof the exact domain name or exact email address, he or she may focus the spoofing attempt on the part of the sender address that is visible to the user. But this is not the email address that actually sends the email! Let’s take the following example of ‘From’ headers:

From: John Doe

The recipient, using Outlook, Thunderbird or Mail will, at first sight, only see the words “John Doe” in the “From” header. Alternatively, the attacker could use a fake email address in that same section of the “From” header, like this:

From: [email protected]

Outlook, Thunderbird or Mail will display “[email protected],” which is not checked by the security layers because it is not the sending email address. It is simply a piece of displayed text.

Similar but different email address: Some phishers customize their attacks even more. Thanks to social networks and the Internet, our personal information is very easy to find. A malicious actor can usually find the personal email address of the boss of the company that he or she is targeting. In order not to be caught by any security layer, he or she will create an account on the same free webmail provider with a similar-looking address.

For instance, the personal email address is: [email protected]

The attacker will create and use this one: [email protected]


Here the “From” header will be set as follows:

From: John Doe

The email legitimately comes from the Gmail servers, sent through the Gmail webmail, so SPF and DKIM pass. Outlook, Thunderbird or Mail will only show “John Doe.” Only if the user hovers over the name will he or she see ‘[email protected]’. Do you think the victim will notice the difference? The boss sometimes uses his or her personal email address by mistake for business topics. It happens frequently, especially with the Bring Your Own Device (BYOD) trend that puts our personal and business email accounts on the same device.
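The three spoofing patterns above, as an added Python example that is not from the original brief: it parses a “From” header and flags an address planted in the display name, a lookalike of a protected domain, a lookalike of a known person’s address (personal webmail included), and a known name on an address that person does not use. PROTECTED_DOMAINS, KNOWN_CONTACTS and every address in them are constructed for the example, and the confusable-character table is a minimal one for illustration.

```python
import re
from email.utils import parseaddr

# Constructed directory for the example: the domains this organisation owns and
# the addresses (corporate and personal) its executives are known to use.
PROTECTED_DOMAINS = {"example.com"}
KNOWN_CONTACTS = {
    "John Doe": {"john.doe@example.com", "johndoe1975@webmail.example"},
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def skeleton(s):
    """Fold characters an eye reads as the same (1/l, 0/o, rn/m, ...) and drop
    punctuation, so visually similar strings compare equal."""
    s = s.lower()
    for lookalike, canonical in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                                 ("3", "e"), ("5", "s"), ("7", "t")):
        s = s.replace(lookalike, canonical)
    return s.translate(str.maketrans("", "", ".-_"))


def edit_distance(a, b):
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(candidate, genuine):
    """True when candidate differs from genuine but is within one edit of it
    after folding confusable characters."""
    candidate, genuine = candidate.lower(), genuine.lower()
    return candidate != genuine and edit_distance(skeleton(candidate), skeleton(genuine)) <= 1


def analyze_from(header, protected_domains=PROTECTED_DOMAINS, contacts=KNOWN_CONTACTS):
    """Return (finding, detail) pairs for a raw From: header line."""
    value = header.split(":", 1)[1] if header.lower().startswith("from:") else header
    display, addr = parseaddr(value.strip())
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # Alias-part spoofing: an address written into the display name that is
    # not the address the mail actually comes from.
    for embedded in EMAIL_RE.findall(display):
        if embedded.lower() != addr:
            findings.append(("display-name-address-mismatch", embedded))
    # Similar-but-different domain (examp1e.com for example.com).
    for good in sorted(protected_domains):
        if looks_like(domain, good):
            findings.append(("lookalike-domain", good))
    # Similar-but-different address of a known person (personal webmail included).
    known_addrs = {a for addrs in contacts.values() for a in addrs}
    for good in sorted(known_addrs):
        if looks_like(addr, good):
            findings.append(("lookalike-address", good))
    # Display name of a known person on an address that person does not use.
    name = " ".join(display.split()).lower()
    for person, addrs in contacts.items():
        if name == person.lower() and addr not in addrs:
            findings.append(("display-name-impersonation", person))
    return findings


if __name__ == "__main__":
    for line in ("From: John Doe <john.doe@example.com>",
                 'From: "john.doe@example.com" <bad@mailer.example>',
                 "From: John Doe <johndoel975@webmail.example>",
                 "From: Jane Roe <jane.roe@examp1e.com>"):
        print(line, "->", analyze_from(line))
```

None of these checks depends on SPF or DKIM, which is the point: a message from johndoel975@webmail.example authenticates perfectly, and only a comparison against what the organisation already knows about John Doe reveals the substitution.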

Your employees are the weakest link in your company when it comes to breaching security. Malicious actors know this and exploit it as much as possible. They know exactly what the common security layers check, they understand the security protocols, and they know how to get around them. Remember: phishing groups employ very smart, sophisticated experts with advanced technical backgrounds, some of whom gained their experience at Internet security companies. They are constantly improving their techniques.


Potential Business Impacts of Successful Spear Phishing

Alarming as the idea of successful spear phishing attacks may be, the question should always be, “What is the actual business impact of such an incident?” The impact can vary but will generally increase with the sophistication of both the attacker and the target. Consider the financial repercussions of a spear phisher gaining access to your critical data. What can he or she do with it?

In the case of Sony Pictures in 2014, it was significant. The company experienced a high level of reputation damage, with private email exchanges between executives revealing embarrassing comments about famous people. The studio lost control of complete, unreleased movies, which were put at risk of falling into the hands of digital pirates and had to be rushed into the marketplace. Millions in potential revenue were lost. Sony’s brand suffered, which affected their valuation and ability to do business in Hollywood. Competitors gained insider knowledge of the goings- on at the studio. Finally, the company then had direct costs such as $8 million to settle lawsuits with employees who were forced to protect their identities from theft after the incident.3

A big concern is that the spear phishing attack is often just part of a much larger hacking campaign. The spear phishing opens the door. Indeed, 20% of security breaches in 2014 were the result of successful phishing attempts.4 Once inside, with keystroke logging software invisibly installed on internal devices, the hackers can find their way into patent-pending intellectual property, financial systems, customer records and so forth. Only months after being fully executed will the true business impact of a hacking attack typically be revealed.

Figure 3 – Attacks by industry, 2nd half of 2014. (Source: APWG Global Phishing Report 2H 2014)

Companies that fall prey to hacking enabled by spear phishing face risks of reputation damage, loss of market value, competitive disadvantage, legal liability and compliance problems. And, of course, as the Sony Pictures hack also showed, individual executive careers can suffer in the wake of such events.

3 Brandom, Russell, “Sony Pictures will pay up to $8 million to settle hack lawsuit with employees,” The Verge, October 20, 2015
4 Verizon 2015 Data Breach Investigations Report

Figure 3 shows a breakdown of attacks by industry in the second-half of 2014. Ecommerce suffered the most attacks, followed by money transfer. Each industry is exposed to different types and levels of business impact from spear phishing:

• Financial Services – Financial firms must manage spear phishing risks that can result in theft of inside trading information, personally identifiable information, credit card numbers, bank account information and more. The impacts include financial loss, legal liability and regulatory penalties.

• Retail – As several large-scale retail hacks have shown recently, retailers are vulnerable to attacks that leak customer data—including credit cardholder information. This puts them in breach of PCI DSS requirements, which carry fines and costly compliance remediation. They also risk loss of consumer trust and brand value, both of which have been built over many years and at great financial cost. Retailers also face an indirect risk from spear phishing: liability for fraudulent sales made with stolen credit card numbers. This may sound trivial but it is not. Investigations are now revealing the existence of quite large-scale theft operations that steal merchandise from ecommerce sites and ship it abroad in bulk.5

• Intellectual Property-Based Businesses – For businesses such as pharmaceuticals and technology, where digital information may represent massive investments, spear phishing can have an especially costly impact. Competitors can gain access to confidential intellectual property that took years and cost billions of dollars to develop.

• Manufacturing and Defense – Strategic manufacturing industries and defense contractors are vulnerable to corporate espionage, both private and sovereign. Defense companies are frequent targets of sovereign attackers, such as the cyber warfare units of foreign powers. These companies are part of an actual war—an undeclared cyber war that is raging despite its quiet, largely invisible profile. These companies especially tend to keep such breaches as quiet as possible, so there are likely many more successful attacks in this sector than are publicly known. The impact of sovereign cyber espionage may be hard to quantify, but a serious incident could endanger national security and affect a company’s ability to secure further defense contracts.

• Healthcare – HIPAA-regulated entities are bound by extensive, rigid compliance guidelines. They face stiff financial and legal penalties for data breaches. There are reputation risks given the sensitive nature of leaked personal health information. As several large health insurers have discovered recently, there can also be significant costs associated with providing identity theft protection to tens of millions of policy holders who have had their names, addresses and social security numbers compromised.

5 APWG Global Phishing Report 2H 2014

Mitigating the Phishing and Spear Phishing Risk

Not surprisingly, most enterprises want to do a better job of fighting against phishing and spear phishing. According to Gartner, 96% of users want better protection against phishing attacks.6 The key word here is “better.” There are already many controls and countermeasures in place. But, as the data about the increase in successful attacks shows, there is room for improvement.

Some security experts note that basic employee awareness building is an important defense against spear phishing. The problem is that, to be effective, most experts recommend training three times a year for every employee. This is expensive and time intensive. What’s more, while training helps prevent attacks, companies cannot rely on training alone to prevent successful spear phishing attacks. Figure 4 is an example of how realistic a phishing email can be.

Figure 4 – This fake email purporting to be from E-Z Pass is very realistic looking. Someone in your organization is going to click on this.

The key to preventing an employee from falling victim to sophisticated phishing attempts is to prevent the employee from ever getting the email in the first place. Like many information security practices, the fight against spear phishing takes the form of “defense in depth.” Attacks need to be blocked before they start. Email is filtered on its way into the enterprise, with most mass spam and suspicious emails quarantined by standard spam filters.

The problem is that standard email-filtering systems will NOT catch your typical spear phishing email. They focus on mass emails, using a profiling technique to block suspicious emails. A one-off, well-written email has a good chance of getting past most corporate spam filters. The enterprise needs a purpose-built anti-phishing defense layer.

6 Gartner, Magic Quadrant for Secure Email Gateways, June 2015

Anti-Phishing and Anti-Spear Phishing Solution

Vade Secure’s anti-phishing solution focuses on the specific problem of phishing, with features such as credential-request detection and Identity Match™ that are tailored to fighting spear phishing attacks. It can be layered on top of existing anti-spam solutions to provide better overall email protection for employees.

Content Email Filtering. This artificial intelligence has been trained by monitoring “hundreds of millions” of mailboxes for ten years looking for phishing threats. It heuristically evaluates email content, requests for credentials, phone numbers, DNS reputation, any linked website content and much more. Unlike other pattern-recognition technologies, our filter looks at the characteristics of each individual email and is therefore much more reliable for low-volume email scams and spear phishing attempts. It can catch the first phishing email that comes into your organization, even if there is only one.

Attachment Management. All attachments are thoroughly investigated in a remote sandboxed environment to eliminate possible malware. The attachments are analyzed taking into account the environment they originate from. Vade Secure’s unique attachment analysis algorithm examines the properties of both emails and attachments. This gives Vade Secure the ability to predict the advent of a “0-day” attack from previously unknown vectors.

Dynamic Webpage Exploration. Every URL included in any email is safely explored in a remote sandboxed environment to see whether it leads to malware, a phishing page or other malicious content. What makes our solution different from other tools is that this exploration is done at the time an employee clicks on the link. Competing solutions that examine URLs typically do so when the email is received by the network. This matters because sophisticated attackers now send emails that include URLs to innocent web sites, then hijack or redirect those URLs an hour or two later, bypassing filters that only scan at delivery time.
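The time-of-click approach described above, as an added Python example that is not Vade Secure’s code: each http(s) link in a message is rewritten to a gateway URL carrying an HMAC-signed token that binds the original destination to the recipient, and the click handler verifies the token and only then scans the destination. The gateway address, the signing key and the `scan` callback are assumptions made for the example; a real deployment would replace `scan` with the sandboxed fetch the text describes and would rotate the key.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Hypothetical click gateway and a constructed signing key (assumptions for the example).
GATEWAY = "https://click.gateway.example/u?t="
SECRET = b"constructed-demo-key-not-for-production"
HREF_RE = re.compile(r"""href=(["'])(https?://[^"']+)\1""", re.IGNORECASE)


def make_token(url, recipient, key=SECRET):
    """Bind the original URL to a recipient and a timestamp under an HMAC so the
    gateway can later recover the destination and detect tampering."""
    payload = json.dumps({"u": url, "r": recipient, "ts": int(time.time())},
                         separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).rstrip(b"=").decode()


def parse_token(token, key=SECRET):
    """Return the signed claims, or None if the token was forged or altered."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, TypeError):          # binascii.Error is a ValueError
        return None
    payload, mac = raw[:-32], raw[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if len(mac) != 32 or not hmac.compare_digest(expected, mac):
        return None
    return json.loads(payload)


def rewrite_links(html, recipient, key=SECRET):
    """Replace every http(s) href in the message body with a gateway link.
    mailto: and relative links are left untouched."""
    def to_gateway(m):
        quote, url = m.group(1), m.group(2)
        return f"href={quote}{GATEWAY}{make_token(url, recipient, key)}{quote}"
    return HREF_RE.sub(to_gateway, html)


def handle_click(token, scan, key=SECRET):
    """Time-of-click decision: verify the token, then scan the destination now,
    so a page that turned malicious after delivery is still caught."""
    claims = parse_token(token, key)
    if claims is None:
        return ("reject", None)              # forged or tampered link
    verdict = scan(claims["u"])              # scan happens at click time, not delivery time
    return ("allow" if verdict == "clean" else "block", claims["u"])


def tokens_in(html):
    """Pull the gateway tokens back out of a rewritten message (audit helper)."""
    return re.findall(re.escape(GATEWAY) + r"([A-Za-z0-9_-]+)", html)


if __name__ == "__main__":
    # Constructed message body in the style of the FedEx example earlier in the brief.
    body = ('<p>Sally Jones wants you to track this package: '
            '<a href="https://tracking.example/pkg/123">Track package</a> or '
            '<a href="mailto:sally@example.com">reply</a></p>')
    rewritten = rewrite_links(body, "john@example.com")
    token = tokens_in(rewritten)[0]
    # Same link, two different moments: clean at delivery, hijacked an hour later.
    print(handle_click(token, lambda u: "clean"))
    print(handle_click(token, lambda u: "malicious"))
```

The signature is what makes the scheme safe to expose on the Internet: without it, anyone could point the gateway at an arbitrary destination and use it as an open redirector, which is exactly the pattern attackers look for in a filtering product.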

Identity Match™ – Vade Secure applies an extensive proprietary set of checks that match both the style and the technical indicators of the claimed sender of a given email against known information about the actual sender. If the two do not match, the email is given additional scrutiny to verify its authenticity. This feature helps identify and isolate even highly sophisticated one-off spear phishing attempts.

Education & Remediation—Vade Secure provides educational information to users who receive phishing emails informing them of the threat posed and how they can avoid it. We also alert administrators if users ignore phishing warnings on either email links or web URLs and have thereby potentially created a breach of security.


Conclusion

Defending against phishing, especially the spear phishing variant, is a never-ending process. Each day brings fresh versions of the threat to employee inboxes at every large organization. Countermeasures must be strong but also adaptable. Specialized attacks such as spear phishing require a specialized best-of-breed anti-phishing defense because the fight is asymmetrical. The technology has to be flexible and not dependent on the origin of the email, its appearance or technical properties. If the bad guys get even one email through, the results can be devastating.

About Vade Secure

Vade Secure is the global leader in anti-phishing software, offering a full set of security features against phishing, malware and spam. The company is entrusted to protect hundreds of millions of mailboxes worldwide. This breadth of deployment has given Vade Secure unique insights into the nature of malicious emails. The resulting proprietary knowledge enables Vade Secure to provide comprehensive solutions against all email threats, ensuring zero-day protection even on small waves of email. Vade Secure is also a leader in more general email filtering, providing a comprehensive set of productivity-enhancing tools to manage commercial emails known as grey-mail. The company’s solutions are tailored for ISPs, OEMs, hosting companies and the enterprise.

For more information about Vade Secure’s anti-phishing solutions, please visit www.vadesecure.com.