Spear phishing: a special type of phishing aimed at you (specifically)

As we’ve covered a few times now, phishing is the practice of tricking the recipient of a message into performing an action. Cybersecurity really isn’t about using tools! Google’s own research in 2017 showed that phishing is a far more efficient way of breaking into a remote system than hunting for a way in through a backdoor or brute-forcing your way past the login.

Why? Well, think of it like stealing a car. You could smash a window or open the door discreetly with a coat hanger, and then you still have to somehow hotwire the car. That requires a lot to go right: nobody can notice you, and you need the right level of knowledge to pull the whole thing off.

Breaking into a car is relatively straightforward…

However, it would be a lot easier to simply steal the keys to the car. You could then walk up to the car, unlock it (which wouldn’t raise any alarm from passers-by) and drive off with the vehicle.

The same applies to an attacker trying to gain access to your online systems. If you unknowingly hand over your keys (in this case your username and password), then gaining access is a lot easier. And in the online world, if an attacker logs in as you, they appear in the system logs as you, so the intrusion looks like ordinary activity.

Phishing vs Spear phishing

Phishing is typically done in a scatter-gun approach. Buy a database of 1M email addresses and start spamming them with emails ranging from the promise of riches to a request that you reset the password for your banking or Netflix account.

Generally phishing emails follow a similar pattern, with poor spelling or grammar, and you may receive multiple copies. Why are these emails written so poorly? There’s actually a reason for it that you can read more about here; the short version is that a sloppy email puts off sceptical readers early, leaving the scammer with only the people most likely to follow through.

Spear phishing, on the other hand, is completely different… you, specifically, are the actual and known target.

the difference between phishing and spear phishing is the latter is targeted rather than random

The end goal of the attacker might vary (you might simply be a stepping stone in a longer chain of attacks), but the approach will be the same.

Gone are the generic emails; what you will see are emails designed to look authentic and personal. Don’t forget that even if you’re super-cautious online, websites can still track you, and if your password is exposed in a breach of one system and you re-use that password elsewhere, the same username and password will be tried against other systems. Just ask Disney.

What are some of the telltale marks of a spear phishing email?

What is spear phishing?

Spear phishing aims to fool you into thinking you are replying to a legitimate email. Attackers do this by adding personal details that make the message, and the person sending it, look real.

You might think it would be obvious when you’re asked for credit card details; however, by that point it might already be too late. What does a bank or insurance company ask for when you call them up? Your full name (easy), date of birth (easy) and home address (easy). You give this information away every day when ordering things online or posting to social media.

“Please confirm that your details are correct” should raise a big red warning flag in your head. Don’t forget that the attacker might already have part of your details.

Spear phishing is targeted

How do you defend against spear phishing?

It’s difficult! The more online systems get breached, the more attackers will know about you.

Anyone can be a target of spear phishing; however, it’s more typical to see attacks aimed at executives, where the payoff for criminals can be bigger. Most companies need to be up front with the public about who their leaders are, and scammers can easily take advantage of this.

Set up a fake email address, send an email “from the CEO” to a generic [email protected] mailbox and ask “What’s our limit on same day transfers?”. A busy financial controller might respond quickly, and the attack is on. If an attacker has hijacked the CEO’s real email account, the attacker can craft personal emails to people (even copying the CEO’s tone and format) to convince subordinates to act. Even the most clued-up financial controller would struggle to work out whether the CEO or a hijacker sent the email.

Spam filtering and active detection will only stop the random and generic types of attack; a well-crafted spear phishing email may be too difficult for automated technology to detect today.
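To show what automation can and cannot do with the CEO-fraud scenario above, here is an added example (not code from the original post) that runs a few header heuristics over constructed messages: an executive’s display name arriving from an outside domain, a look-alike domain, and a Reply-To that points somewhere other than the From address. The company domain (example-corp.com), the executive list and the four sample emails are all assumptions made up for the example.

```python
"""Heuristic checks for executive-impersonation (CEO fraud) emails.

Added example, not code from the original post. The company domain,
executive list and the sample messages below are all constructed.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                          # assumed
EXECUTIVES = {"jane smith": "jane.smith@example-corp.com"}   # assumed
PAYMENT_WORDS = ("transfer", "wire", "bank account", "gift card", "invoice", "urgent")


def _fold(domain: str) -> str:
    """Collapse common look-alike substitutions so examp1e-corp reads as example-corp."""
    subs = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
    d = domain.lower()
    for a, b in subs:
        d = d.replace(a, b)
    return d


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small distances to the real domain are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str = COMPANY_DOMAIN) -> bool:
    """True when the domain imitates the target but is not the target."""
    d, t = domain.lower(), target.lower()
    if d == t:
        return False
    return _fold(d) == _fold(t) or _levenshtein(d, t) <= 2


def assess(raw: str) -> list:
    """Return a list of findings for one raw RFC 822 message (empty = nothing odd)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []

    # A known executive's name on a message from outside the company domain.
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append(f"executive display name '{name}' sent from external domain {from_domain}")

    # A domain that imitates ours (homoglyphs or a one-or-two character edit).
    if is_lookalike(from_domain):
        findings.append(f"look-alike sender domain {from_domain}")

    # Replies silently redirected to a different mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Payment language only matters once something else already looks wrong.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [w for w in PAYMENT_WORDS if w in text]
    if hits and findings:
        findings.append(f"payment language ({', '.join(hits)}) in a suspicious message")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = {
    "legit": "From: Jane Smith <jane.smith@example-corp.com>\nTo: accounts@example-corp.com\n"
             "Subject: Q3 numbers\n\nCan you send me the Q3 summary when you have a moment?\n",
    "freemail_spoof": "From: Jane Smith <jane.smith.ceo@gmail.com>\nTo: accounts@example-corp.com\n"
                      "Subject: Quick question\n\nWhat's our limit on same day transfers? Need this urgent.\n",
    "lookalike_domain": "From: Jane Smith <jane.smith@examp1e-corp.com>\nTo: accounts@example-corp.com\n"
                        "Subject: Supplier bank account change\n\n"
                        "Please update the supplier bank account before the next transfer.\n",
    "reply_to_hijack": "From: Jane Smith <jane.smith@example-corp.com>\n"
                       "Reply-To: j.smith.private@outlook.com\nTo: accounts@example-corp.com\n"
                       "Subject: Gift cards for the team\n\n"
                       "Can you buy gift cards for the team today? I'll explain later.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, "->", assess(raw) or "no findings")
```

The legitimate message produces no findings, the three fakes each produce at least one. Notice what the script cannot do: a message sent from the CEO’s genuinely hijacked mailbox has the right display name, the right domain and no Reply-To trick, so it passes every check. That gap is exactly why the out-of-band processes discussed below (a phone call to a known number before money moves) matter more than any filter.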

Training is a good place to start, as is developing better processes, such as phoning suppliers, clients or employees on a number you already hold (not one taken from the email) whenever a bank account change is requested.

Then there’s the newer movement towards Zero Trust, which flips security on its head by trusting no user or device by default, internal or external, and verifying every request.

Where to start

  1. Start talking about cybersecurity within your teams
  2. Implement multi-factor authentication to reduce the impact of stolen credentials
  3. Encourage all executives (and ideally all staff) to use a unique password for every account; a password manager makes this practical

Be safe out there!

If you’re overwhelmed, try reaching out to a Managed IT Services Provider – we’re one located in Melbourne :)
