Best practices to close the door to spear-phishing attacks

malwareIn a recent report, Trend Micro summarized its findings from a detailed analysis of attack vectors for the dissemination of advanced persistent threats (APTs). The security vendor found that 91% of targeted attacks involve spear-phishing email. This confirms the school of thought that attackers often target a specific person in order to gain access to a specific network and coveted confidential information on that network.

Spear-phishing is the practice of using personal information to gain a person’s confidence to make an attack more targeted. We commonly think of spear-phishing being done by email because the attacker can easily include an attachment or embed a Web link that will lead the recipient to download malware that sets up the ensuing system compromise.

CAUTION: Spear-phishers lie in wait at ‘watering hole’ websites

Although the practice of spear-phishing has been around for years, it’s still a very effective method to get an attacker inside the firewall. Trend Micro points to two recent high-profile data breaches — at email service provider Epsilon and at security firm RSA — that can be traced to spear-phishing emails as the point of origin for allowing the attackers in the door. It goes to show that even people who should be aware of the scamming technique can still fall victim to its charms.

The personalized nature of the email message may use context that is specific to the recipient; for example, it might reference a project the recipient is working on or a conference she just attended. Unfortunately, this is information that can be garnered from numerous sources, including social networks and even company websites. Somehow this contextual information makes the email feel legitimate, which serves to prompt the victim to click on the malicious attachment or URL.

According to Trend Micro’s research, 94% of spear-phishing emails use malicious file attachments. People often share work-related files via email, so the inclusion of an attachment isn’t likely to raise suspicions. What’s more, attackers tend to use attachments in the actual or spoofed file types that are most commonly sent via email: .XLS, .PDF, .DOCX and .DOC. Executable (.EXE) files are not commonly used as spear-phishing attachments because many security solutions block them. Attackers know this and hide their malicious executable file as a compressed file or some other file type.

Once a targeted victim takes the bait and opens the file or URL, a remote access Trojan (RAT) is typically installed on the person’s computer. The RAT profiles the target network and looks for desirable data to steal. Because the RAT can often remain undetected and continue to exfiltrate data for a while, it is considered “persistent,” thus the name “advanced persistent threat.” This attack technique can result in considerable damage to the victim company. For example, the email company Epsilon lost an estimated $2 billion as the result of its attack.

Attackers often target “high value” people within an organization — people whose login credentials or job role can provide access to highly desirable data. While company executives certainly fall into this category, so do employees in departments such as human resources, accounting, finance and information technology. Consider what would happen if an IT administrator’s workstation were compromised; an attacker could change all sorts of network access permissions, making it even easier to steal data.

via Best practices to close the door to spear-phishing attacks.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of the author. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided "as-is". The author shall not be liable for any damages whatsoever arising out of the content or use of this blog.
%d bloggers like this: