Spear phishing is a more selective and effective scheme than traditional phishing plots. This technique has raised e-scams to a new level and has lately become the go-to choice for many attacks threatening individuals and businesses. Spear phishing is a way of obtaining information through deceptive, personalized e-mail messages and social engineering that is finely tailored to the target. The attacks are no longer conducted at random; they are focused and persistent, designed to hit a specific victim or group of victims.
As much as 80% of all malware attacks come from phishing attempts using different variations of social engineering techniques, as per the Verizon Data Breach Investigations Report (DBIR) 2015. Phishers are now specifically targeting individuals or groups and often succeed in accessing personally identifiable information (PII); attacks result in identity theft, financial fraud, theft of intellectual property, or industrial espionage. Newer attacks have been tied to state-affiliated espionage for a cause, political or other. According to the latest Verizon DBIR, two-thirds of all cyber-espionage-style incidents used phishing as the vector.
The report also shares interesting findings on the number of users that still open phishing e-mails (23 percent) and attachments (11 percent), which helps hackers compromise systems. The current statistics found in the DBIR 2015 report say we need to do much better in this area. Much of this is still due to a lack of cyber-security training and of knowledge of how to identify phishing attempts. Many technology users are still unaware of today’s spear phishing tactics and the evolving methodologies employed by e-scammers.
Some of the most significant U.S. incidents related to spear phishing show how malicious hackers can employ different tactics to gain access to even the most secure and high-level information; these real-life examples show how any organization or individual can be a target and, unfortunately, a victim.
Real-life spear phishing examples
The potential destructiveness of a spear phishing attack for a business is shown clearly in the case of Ubiquiti Networks Inc., an American network technology company for service providers and enterprises. In June of 2015, the company lost $46.7 million because of a spear phishing e-mail. A report by the U.S. Securities and Exchange Commission shows that the attack was carried out through “employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.” The transfers were performed directly by Ubiquiti employees who, thanks to spoofed e-mail addresses and look-alike domains, were tricked into thinking that they were getting legitimate requests from executives. Luckily, the actual company systems were not compromised, but the incident shows the relative ease with which a spear phisher can trick victims into performing actions directly, using impersonation and information widely available on the internet to produce realistic spoofed e-mails.
A spear phishing case that involved the RSA security unit of data-storage giant EMC Corp shows how even a company known for security in the cyber realm can be the target and victim of an attack. In 2011, RSA was attacked using a Flash object embedded in an Excel (.XLS) file that was attached to an e-mail with the subject line “2011 Recruitment Plan”. Small groups of employees were targeted, and the e-mail was filtered and landed in the users’ junk mail folder. Unfortunately, all it takes is for one person to fall victim to the scam. As explained by the RSA FraudAction Research Labs, regardless of the state-of-the-art perimeter and end-point security controls, security procedures and high-end technology used by a company, attackers can still find a way in. In this particular attack, the spear phisher “sent two different phishing e-mails over a two-day period. The two e-mails were sent to two small groups of employees; you wouldn’t consider these users particularly high-profile or high-value targets. The e-mail subject line read ‘2011 Recruitment Plan.’ The e-mail was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder.” The message contained an Excel spreadsheet titled ‘2011 Recruitment plan.xls’ that hid a zero-day exploit. Once it was opened, a backdoor was installed through a vulnerability in Adobe Flash, and the phishing activity successfully harvested credentials, as confirmed by the RSA FraudAction Research Labs. Not only did the attack cause concern for EMC Corp, but it also threatened the security of important defense contractors like Northrop Grumman, Lockheed Martin, and L-3. The case clearly shows the importance of training users to react properly to phishing attempts.
Reasons for attacks can also vary. In January 2015, Charles Harvey Eccleston, a former Energy Department and Nuclear Regulatory Commission employee, was accused of sending spear phishing e-mails to his former colleagues at Energy to embed spyware and malware on government computers, as reported by Aaron Boyd, Senior Staff Writer at Federal Times. According to John Carlin, Assistant Attorney General for National Security, “Eccleston sought to compromise, exploit and damage U.S. government computer systems that contained sensitive nuclear weapon-related information with the intent to allow foreign nations to gain access to that material.” Using first-hand knowledge of the organization and personal relationships with other employees, the alleged malicious hacker could have easily crafted legitimate-looking e-mails that could have fooled somebody into opening the door to his attack.
Even one of the largest e-mail providers for major companies like Best Buy, Citi, Hilton, LL Bean, and Marriott has been the target of a spear phishing attack that resulted in the theft of customers’ data. Epsilon was the victim of a successful attack at a time when most major e-mail companies (like Google) were a prime target. Given that the company provides e-mail marketing services, this goes to show that any organization, even those that make the security of their communication system the center of their business, is at risk of such a threat. Having let down its guard in some way, Epsilon did not discover that its systems had been breached until some months after the incident in 2011. By then, hackers had obtained some of its customers’ data that was exposed in the attack, reported Mathew Schwartz, an InformationWeek information security reporter.
In the same years and as early as 2010, other spear phishing attacks that were traced to China went after source code on many victims’ machines, using malware to access the systems of Google, Adobe, and other U.S. companies. The attack aimed mainly at stealing intellectual property, noted Kelly Jackson Higgins, an Executive Editor at DarkReading.com.
Economic reasons are also at the forefront of the possible motives for spear phishing attacks. As reported by the FBI and according to the Office of Public Affairs of the U.S. Department of Justice in 2014, the US Government accused Chinese military cyber hackers of allegedly stealing American trade secrets through cyber espionage. In 2008, a U.S. company, Alcoa, was targeted through spear phishing only a few weeks after having partnered with a Chinese state-owned company. Thousands of e-mail messages and attachments were stolen from employees’ computers, including information on the transaction. One of the attacks was carried out against U.S. Steel in 2010 while it was participating in trade cases with Chinese steel companies. During the litigation, a spear phishing e-mail was sent to a restricted group of the U.S. company’s employees involved in it. Malware made it into the company’s computers, causing hostnames to be stolen and vulnerabilities exploited.
Of course, other spear phishing incidents have taken place over the years, but the variety of targets shows how spear phishing is an effective method for targeting several industries and for aiding malicious hackers in a variety of aims. Tactics are also slightly changing, as shown by recent spear phishing statistics. For example, while in 2014 the most used spear phishing e-mail attachments were .exe files, cyber criminals are now using MS Word document files, as they are aware that users, thanks to training, are recognizing certain extensions as more dangerous.
Symantec points out how the manufacturing sector has quickly become a primary target. Cyber attackers aim at the supply chain and its contractors and subcontractors that are in possession of valuable intellectual property; they are perceived as easier targets and are attributed to more attacks than most government agencies. Cybercriminals tend to go after smaller companies hoping to get info on larger companies that they have relationships with, as per Symantec key findings. SMBs are becoming prime targets for attacks as they are normally “less security aware and do not have the proper defenses in place,” says Ross Walker, Symantec’s director of small business. The service sector (financial services, mainly) is still the most frequent target, offering the possibility of immediate economic rewards to cyber-criminals who gain access to networks to steal data and reap the financial benefits quickly.
Spear phishing attacks mitigation
An IT platform is only as secure as its users make it. In other words, you are only as secure as the weakest link; thus, employees need to be trained properly when it comes to network security. Security awareness should be the first line of defense against any sort of phishing, and even more so against spear phishing attacks.
Cyber-criminals are increasing their schemes to exploit any personal information discovered through social engineering. Anyone can become a target of a spear phisher, so combating this problem requires continuous awareness training for all users, so that they are vigilant about the information they share and avoid revealing too much about themselves online, which could make them victims of identity theft.
Stopping spear phishing attacks requires getting everyone to see that today’s integrated security posture is not enough to overcome this threat. Technical solutions can only aid in trying to identify malicious e-mails, and only proper training can help users avoid falling prey to social engineering schemes or legitimate-looking e-mails, although it cannot prevent this entirely. The fact that government agencies and security companies have been at the center of spear phishing attacks of great proportions is proof that, regardless of the magnitude of the technical security solutions employed, the actions of even just one unaware user can be potentially disruptive.
It is important for businesses of all sizes to defend their data; building “human firewalls” before employing any other technical and regulatory barriers can help strengthen their cyber security capabilities. At a minimum, through awareness training, users can learn to:
- Check the landing page (URL) in any suspected e-mails.
- Avoid opening suspicious e-mail attachments and following links sent in e-mails, especially when the sender is unknown.
- Be mindful of e-mails that just don’t sound right, such as a strange request from a coworker or supervisor, or a bank or merchant requesting PII, usernames and passwords via e-mail.
- Take measures to block, filter, and alert on spear phishing e-mails; these improve detection and response capabilities. Many of today’s browsers have a built-in phishing filter that should be enabled for additional protection, as mentioned by the FBI’s Internet Crime Complaint Center web page; Web browser filters can help prevent the messages from being directly delivered to an inbox.
Those who may have fallen victim to a spear phishing attack or been lured into phishing schemes can report them to the Internet Crime Complaint Center and file a report; suspicious e-mails can be forwarded there for verification. Alternatively, APWG’s Report Phishing site is another place to submit a suspected phishing e-mail. Filling out an Anti-Phishing Working Group (APWG) eCrime Report provides valuable data to the Phishing Activity Trends Report each year.
Spear phishing is one of the most common sources of data breaches today. Clearly, spear phishing poses a real threat, as it can bypass normal technical anti-threat barriers and exploits users to infiltrate systems. Therefore, phishing prevention activities and training are the best steps to proactively avoid such threats. It is fundamental to train employees to recognize phishing messages to protect them against most attacks.
When it comes to spear phishing, the best line of defense is the users themselves, at any level of an organization, who must step up their game as cyber defenders to effectively recognize and deter even the subtlest e-scams. Unless users are helped to recognize various types of phishing techniques and learn what this threat consists of, they will be unable to reduce their risk of falling victim to this type of attack, say experts at Phishing.org.
Though APWG reports have shown a slow downward trend in phishing in recent times, it is important not to let one’s guard down, as spear phishing attacks are becoming more sophisticated and, therefore, potentially more dangerous. Several high-profile breaches resulting from spear phishing attacks show that attempts to compromise networks can hit different industries through employees at any level in an organization. They also show that even the most secure infrastructures can potentially be taken down through the mistake of a single user. The motives can range from economic, quick-cash reasons to more sophisticated industrial espionage, political activism, and cyber-terrorism. Such pervasiveness, relative ease of execution and high ROI make spear phishing one of the most dangerous cyber threats of recent years. Time will tell if spear phishing will be an even bigger concern in 2016.
Ashford, W. (2013, July 4). FBI warns of increased spear phishing attacks. Retrieved from http://www.computerweekly.com/news/2240187487/FBI-warns-of-increased-spear-phishing-attacks
Boyd, A. (2015, May 13). Former Fed charged in spear-phishing attempt on colleagues. Retrieved from http://www.federaltimes.com/story/government/cybersecurity/2015/05/13/former-fed-spear-phishing/27237155/
FBI’s Internet Crime Complaint Center. (2013, June 25). Public Service Announcement: Cyber Criminals Continue to Use Spear-Phishing Attacks to Compromise Computer Networks. Retrieved from http://www.ic3.gov/media/2013/130625.aspx
Higgins, K. J. (2010, January 15). Spear-Phishing Attacks Out Of China Targeted Source Code, Intellectual Property. Retrieved from http://www.darkreading.com/attacks-and-breaches/spear-phishing-attacks-out-of-china-targeted-source-code-intellectual-property/d/d-id/1086190?page_number=1
Kaspersky Lab. (n.d.). Defending Against Mobile Malware. Retrieved from http://usa.kaspersky.com/about-us/press-center/in-the-news/defending-against-mobile-malware
Krebs, B. (2015, August 7). Tech Firm Ubiquiti Suffers $46M Cyberheist. Retrieved from http://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/
Muncaster, P. (2015, December 21). Phishing E-mails Hook Most Employees within a Day. Retrieved from http://www.infosecurity-magazine.com/news/phishing-e-mails-hook-most/
Posey, B. (2015, October 15). 10 tips for spotting a phishing e-mail. Retrieved from http://www.techrepublic.com/blog/10-things/10-tips-for-spotting-a-phishing-e-mail/
RSA FraudAction Research Labs. (2011, April 1). Anatomy of an Attack. Retrieved from http://blogs.rsa.com/anatomy-of-an-attack/
Seltzer, L. (2011, April 1). How the RSA SecurID Hack Worked. Retrieved from http://www.pcmag.com/article2/0,2817,2382970,00.asp
Schwartz, M. (2011, April 11). Epsilon Fell to Spear-Phishing Attack. Retrieved from http://www.darkreading.com/attacks-and-breaches/epsilon-fell-to-spear-phishing-attack/d/d-id/1097119?
Symantec. (n.d.). Phishing. Retrieved from http://us.norton.com/security_response/phishing.jsp
U.S. Department of Justice, Federal Bureau of Investigation. (2014, May 19). U.S. Charges Five Chinese Military Hackers with Cyber Espionage Against U.S. Corporations […]. Retrieved from https://www.fbi.gov/pittsburgh/press-releases/2014/u.s.-charges-five-chinese-military-hackers-with-cyber-espionage-against-u.s.-corporations-and-a-labor-organization-for-commercial-advantage
U.S. Securities and Exchange Commission. (2015, August 6). FORM 8-K: UBIQUITI NETWORKS, INC. Retrieved from https://www.sec.gov/Archives/edgar/data/1511737/000157104915006288/t1501817_8k.htm
Verizon Enterprise Solutions. (2015, April 17). Verizon 2015 Data Breach Investigations Report – Q&A. Retrieved from http://news.verizonenterprise.com/2015/04/2015-data-breach-report-info/