Published on January 18th, 2016 | by Tony Thompson
Cybercrime: A Phisherman’s Tale
A colleague of mine, who works for a different company, was recently spear phished. That means she was specifically chosen by a cybercriminal who wanted to extort something from her; in this case it was personal details, but often in a spear phishing attack the target is administration credentials for a company network.
Now, this case of spear phishing was a particularly interesting one and I believe it shows how much effort is being put into cybercrime in general. Gone are the days of the hacker making a quick buck. Cybercriminals are now playing the long game and are very sneaky.
This particular phish happened through a professional network specifically for company directors. It was a well-established and respected network. My colleague was a member of this network, which helped to build the reputations of directors and create contacts. The email attempted to phish my colleague’s personal details by building a relationship. This type of relationship-building exercise is a known tactic used by cybercriminals and we should all be aware of it.
The spear phishing email was a great example of social engineering; it used a multi-pronged approach:
Social tactic 1: The email came in through the network’s trusted internal messaging system, i.e. not directly into my colleague’s email address, although it did turn up in her inbox too.
Social tactic 2: The email was written by a ‘concerned observer’ who said they had noticed that my colleague’s name was being smeared via a fake Facebook account using my colleague’s profile pictures and other images.
Social tactic 3: The writer of the email tried to make an emotional connection with my colleague by saying that they too had been a victim of identity theft and could help if needed (with an email address for contact).
Social tactic 4: The cybercriminal had gone to the trouble of creating a Facebook page using my colleague’s images. The Facebook page was being used to defile my colleague’s reputation in an attempt to hook her into the scam.
This phishing email was dangerous because it exploited the human instinct of trust, by using a network that was known and established. It also exploited trust by trying to establish a shared problem, the writer saying they had suffered the same security issue. It also used the human emotions of embarrassment and shame to elicit a knee-jerk reaction to the fake Facebook page and so initiate a response to the phisher.
This example shows how sophisticated spear phishing attacks can be, and how much trouble the sender goes to in order to build the trust needed to execute the plan behind the email.
Spear phishing is becoming a very difficult security issue to handle. It is used against companies of all shapes and sizes. In the Symantec Intelligence Report January 2015, 31.5% of small companies (1-250 employees) experienced a spear phishing attack and 37.6% of large enterprises (2500+ employees) experienced an attack. One of the reasons why spear phishers are indiscriminate about the size of a company is that they can use spear phished login credentials, obtained from smaller organizations, to access the resources of larger ones if they are part of a supply chain.
Spear phishing is rapidly becoming the favorite entry point for a hacker into a company because it is a successful tactic. Research by FireEye has shown that the open rate for spear phishing emails is 70%, with 50% of those recipients then going on to click on the links in the email.
As mentioned earlier, a spear phishing exercise is often about getting administration credentials. There are many examples of hacked enterprises where the attack originated in a spear phishing email. For example, The Internet Corporation for Assigned Names and Numbers (ICANN) was the victim of a successful spear phishing attempt late last year. In the attack, senior members of staff had their passwords stolen using this method and the hackers were able to access a number of ICANN systems. The reason for their success was again trust: the cybercriminals made the emails look like they had come from an official ICANN domain.
In fact, one of the biggest hacks in history, the Target breach, which exposed around 110 million customer records, started with a spear phishing attack on an HVAC company in their supply chain.
What is worrying is that once a breach has occurred and Personally Identifying Information (PII) has been stolen, it can then be used to perpetuate the crime and spear phish more and more people, just like a domino effect. This is one of the worries that employees of the Office of Personnel Management have after the OPM breach earlier this year, which saw 22 million records containing PII stolen.
It looks like spear phishing, as a carrier for illicit links to spoof websites and even malware attachments, is here to stay. So how do we deal with this problem? Of course education does help. Giving employees an understanding of the tactics used to phish them will go some way to reducing the click-through rate. However, it won’t stop every attack, and it takes just one persistent and clever cybercriminal to get the keys to your kingdom: an administrator’s password. Accepting that we cannot totally prevent this exploit mechanism means we can take steps to minimize its impact. Such steps include behavioral monitoring, which allows us to spot unusual actions and unexpected movement of data. Having rapid remediation measures in place also gives us an insurance policy to handle the impact of what can end up as a major breach of our trust and data.
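The ICANN case above turned on emails that merely looked like they came from an official domain. A mail gateway or SOC script can catch several of the common tricks (a lookalike domain one character off, the trusted domain embedded as a subdomain of another host, or the trusted address placed in the display name while the real address is elsewhere). The following is an added example, not code from the original post; the domain `example-corp.com` and the sample headers are constructed placeholders.

```python
import re

# Assumption: the organisation's own mail domain (placeholder, not from the post).
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed sample From: header values for illustration only.
SAMPLE_FROM_HEADERS = [
    "IT Helpdesk <helpdesk@example-corp.com>",                 # genuine
    "IT Helpdesk <helpdesk@examp1e-corp.com>",                 # one character swapped
    "helpdesk@example-corp.com <reset@mail-service.net>",      # trusted address in display name only
    "Payroll <payroll@example-corp.com.evil-host.net>",        # trusted domain as a subdomain label
    "Alice Partner <alice@partner-firm.org>",                  # ordinary external sender
]

# Own parser rather than email.utils.parseaddr: parseaddr treats an '@' in an
# unquoted display name as the address itself, which is exactly the spoof we want to see.
_ANGLE = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$")


def split_from_header(header):
    """Return (display_name, address) for 'Name <addr>' or a bare 'addr'."""
    match = _ANGLE.match(header)
    if match:
        return match.group("name").strip('"'), match.group("addr").lower()
    return "", header.strip().lower()


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Label a From: header as trusted, display-name spoof, lookalike or external."""
    name, addr = split_from_header(header)
    domain = addr.rpartition("@")[2]
    if domain in trusted:
        return "trusted"
    lowered_name = name.lower()
    for t in trusted:
        if t in lowered_name:
            # The trusted domain appears where the reader looks, but the real
            # address points somewhere else.
            return "display-name spoof"
        if domain.startswith(t + "."):
            # e.g. example-corp.com.evil-host.net: the registrable domain is evil-host.net.
            return "lookalike"
        if 0 < levenshtein(domain, t) <= max_distance:
            return "lookalike"
    return "external"


def triage(headers):
    """Map every header to its verdict; anything not 'trusted' or 'external' merits a look."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:20} {header}")
```

The edit-distance threshold is deliberately small; at 2 it catches single swaps and dropped letters without flagging every unrelated short domain. For production use the check would sit alongside SPF and DMARC results rather than replace them, since a lookalike domain can have perfectly valid authentication records of its own.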
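The behavioral monitoring mentioned in the last paragraph can be made concrete with a small baseline-and-compare script. The example below is added here and is not code from the original post; the user names, the country code `ZZ` and the event logs are all constructed, and the thresholds (five times the user's median daily outbound volume, with a 1 MB floor) are assumptions a real deployment would tune. It builds a per-account profile from a few days of history, then flags a login from a country that account has never used and an outbound data volume far above that account's norm.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed history window (three days per account), not real telemetry.
BASELINE_CSV = """
timestamp,user,src_country,action,bytes_out
2016-01-11T09:02:00,jsmith,GB,login,0
2016-01-11T09:30:00,jsmith,GB,download,120000
2016-01-12T09:05:00,jsmith,GB,login,0
2016-01-12T14:00:00,jsmith,GB,download,180000
2016-01-13T08:58:00,jsmith,GB,login,0
2016-01-13T10:15:00,jsmith,GB,download,150000
2016-01-11T08:45:00,admin.lee,GB,login,0
2016-01-11T09:00:00,admin.lee,GB,download,40000
2016-01-12T08:50:00,admin.lee,GB,login,0
2016-01-12T11:20:00,admin.lee,GB,download,60000
2016-01-13T08:40:00,admin.lee,GB,login,0
2016-01-13T16:05:00,admin.lee,GB,download,50000
"""

# Constructed events for the day under review: the admin account is used from an
# unfamiliar location at 02:00 and pulls far more data than usual.
TODAY_CSV = """
timestamp,user,src_country,action,bytes_out
2016-01-14T09:01:00,jsmith,GB,login,0
2016-01-14T10:00:00,jsmith,GB,download,160000
2016-01-14T02:12:00,admin.lee,ZZ,login,0
2016-01-14T02:20:00,admin.lee,ZZ,download,2500000
2016-01-14T02:35:00,admin.lee,ZZ,download,1800000
"""


def parse_events(text):
    """Parse CSV text into a list of event dicts with bytes_out as an int."""
    rows = list(csv.DictReader(io.StringIO(text.strip())))
    for row in rows:
        row["bytes_out"] = int(row["bytes_out"])
    return rows


def build_baseline(events):
    """Per-user profile: countries seen and total outbound bytes per calendar day."""
    profile = {}
    for e in events:
        p = profile.setdefault(e["user"], {"countries": set(), "daily_bytes": defaultdict(int)})
        p["countries"].add(e["src_country"])
        p["daily_bytes"][e["timestamp"][:10]] += e["bytes_out"]
    return profile


def detect_anomalies(baseline, events, volume_factor=5, min_bytes=1_000_000):
    """Return (user, rule, detail) alerts for new-country logins and volume spikes."""
    alerts = []
    today_bytes = defaultdict(int)
    for e in events:
        p = baseline.get(e["user"])
        if p is None:
            alerts.append((e["user"], "no_baseline", "account has no history to compare against"))
            continue
        if e["action"] == "login" and e["src_country"] not in p["countries"]:
            alerts.append((e["user"], "new_country", f"login from new country {e['src_country']}"))
        today_bytes[e["user"]] += e["bytes_out"]
    for user, total in today_bytes.items():
        typical = statistics.median(baseline[user]["daily_bytes"].values())
        # A spike only counts if it clears both the relative and the absolute floor,
        # so low-volume accounts do not alert on trivially small increases.
        if total > max(min_bytes, volume_factor * typical):
            alerts.append((user, "volume_spike",
                           f"outbound volume {total} bytes vs typical daily {typical}"))
    return alerts


def run_detection():
    """Build the baseline from history and score the current day's events."""
    baseline = build_baseline(parse_events(BASELINE_CSV))
    return detect_anomalies(baseline, parse_events(TODAY_CSV))


if __name__ == "__main__":
    for user, rule, detail in run_detection():
        print(f"ALERT {rule:13} {user:10} {detail}")
```

Two alerts on one privileged account inside half an hour is the pattern worth paging on; either rule alone produces noise (travel, a legitimate bulk export), so correlating them per user, as this script does by keying on the account, is what turns monitoring into something an on-call analyst can act on quickly.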