Why would a burglar break through a wall when all he needs to do is look under the front doormat for the key? These days, few hackers attempt to attack well-fortified corporate systems head-on. It’s much easier to steal a user’s credentials, or attach malware to an innocent-looking email, enabling the hacker to gain access to the system through the front door.
Phishing is the number one vector of attack for modern-day hackers. It exploits the weakest link in the security chain: the human being. If the hacker can con the end-user into opening the front door, all the other security safeguards can be bypassed. This includes our firewalls, encryption technologies, and intrusion detection systems.
We are all familiar with phishing attacks: those blanket emails from Ethiopian princes or friendly reminders from our banks to update our credit card information online. In the common phishing attack, the hacker spreads a wide net, sending out thousands of bogus emails, hoping to catch one or more gullible end-users who will willingly surrender their credentials or click on a virus-infected attachment.
More insidious is the spear phishing attack: a highly targeted attack focusing on specific individuals in an organization. In 2014, hackers stole 110 million records from Target department stores in the US when an employee of an outside vendor with access to Target’s network clicked on a malicious email. Once the hackers gained access to the employee’s computer, they could enter Target’s system and steal the retailer’s payment card data.
Spear phishing is big business. In 2014/2015, US health insurance giant Anthem fell victim to hackers who stole 80 million records after obtaining the credentials of five tech workers through spear phishing attacks. On the black market, those records were worth more than $50 apiece, bringing the total value of the haul to more than $4 billion.
As I write this article in May 2017, we are in the midst of the WannaCry ransomware attack, perhaps the biggest cyber-attack in history. In the United Kingdom, 61 National Health Service organizations, including a number of acute care hospitals, were disrupted. It is widely believed by security experts that spear phishing emails containing malicious code were a primary source of attack.
So how does spear phishing work?
There are many variations on spear phishing strategies. A common approach is for a hacker to gain access to a company’s employee directory, which would include names, titles, locations, telephone numbers, and email addresses. Directories are often organized such that the hacker can figure out the business relationships between employees and where they sit in the pecking order.
The hacker can identify promising victims and amass meaningful individual profiles through Google searches, Facebook, LinkedIn, and other social media sites. The hacker then crafts a customized, harmless-looking email tailored to the individual.
What would you do if you got an email from your boss asking you to review and comment on an attached document or spreadsheet? Maybe the attachment is a work schedule or project plan: something that would be reasonable for your boss to send and for you to receive. Would you open the document?
Most of us would. But if this was a spear phishing attack, the email would be bogus and the attachment might contain a Trojan Horse such as a key logger that would install itself on your computer. It would start capturing every keystroke you type, including user credentials, for transmission back to the hacker. It could also inject other malicious code, such as ransomware or spyware, into your system.
Once inside, the hacker establishes a persistent presence. Spear phishers are patient. They gradually work their way through corporate systems and networks, exploiting every vulnerability they can find. They try to infiltrate the networked systems of customers and suppliers, expanding the scope of the attack.
How do you protect your systems from phishing and spear phishing attacks? Most anti-phishing programs have two components: security awareness training and simulated phishing attacks. We must train all users to recognize phishing and spear phishing attacks. Then we must test them with random phishing tests to see if they take the bait.
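Training and simulation address the human link; a mail gateway can also catch the "email from your boss" scenario described above mechanically. The following is an added illustration, not part of the original article or any product: it flags a message whose display name matches a known colleague but whose address is outside the company domain, whose Reply-To points elsewhere, or which carries an attachment type commonly used to deliver a keylogger or other Trojan. The directory, domain (`example.com`) and sample message are constructed for the example.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed internal directory and domain (hypothetical values).
INTERNAL_DOMAIN = "example.com"
DIRECTORY = {"Pat Jones": "pat.jones@example.com"}
# Attachment types that can carry executable content (macro docs, scripts, archives).
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".zip")


def assess(raw):
    """Return a list of reasons a raw RFC 822 message looks like spear phishing."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    reasons = []
    # A colleague's display name on an address that is not ours: classic boss impersonation.
    # (Subdomains are deliberately not trusted either; adjust if your mail uses them.)
    if name in DIRECTORY and not addr.lower().endswith("@" + INTERNAL_DOMAIN):
        reasons.append("display-name impersonation of " + name)
    # Replies silently redirected to another mailbox.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        reasons.append("reply-to mismatch: " + reply)
    # Attachments whose type can execute code when opened.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXT):
            reasons.append("risky attachment: " + filename)
    return reasons


def build_sample():
    """Constructed lookalike message: the boss's name, an outside domain, a macro document."""
    m = EmailMessage()
    m["From"] = "Pat Jones <pat.jones@mail-example.net>"
    m["To"] = "sam.lee@example.com"
    m["Subject"] = "Please review the project plan"
    m["Reply-To"] = "pat.jones.office@mail-example.net"
    m.set_content("Hi Sam, can you review the attached plan and send comments today?")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="project_plan.docm")
    return m.as_string()


if __name__ == "__main__":
    for reason in assess(build_sample()):
        print("FLAG:", reason)
```

A genuine message from pat.jones@example.com with no Reply-To and a plain PDF produces an empty list, so the check can gate quarantine rather than block all internal traffic.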
If you allow access to customers or suppliers, they must have the necessary security safeguards in place to protect against phishing and other forms of attack.
Other standard security measures can help mitigate the risks of phishing. Ensuring that software patches are installed, virus scanning and keeping anti-virus software up to date, backing up data, having a disaster recovery plan and other security best practices are needed to protect sensitive information and other mission critical assets.
Perhaps the day will come when artificial intelligence will eliminate the human factor in information processing and management. As long as human beings are involved, the risk of unauthorized access to our information systems through social engineering is a fact with which we must live. In the meantime, we must work with our human colleagues to recognize the con and strengthen the weakest link.