The reported attack on the White House Military Office has demonstrated how vulnerable companies are to spear phishing.
As reported yesterday by SC Magazine, Chinese hackers have been able to access the White House Military Office. An Obama administration national security official said that this "was a spear phishing attack against an unclassified network" and confirmed that the type of attack was ‘"not infrequent" and there were unspecified mitigation measures in place.
US officials familiar with reports of the White House hacking incident told the Washington Free Beacon said that the attack took place earlier this month and that unidentified hackers used computer servers in China to access the network, although there was no indication that any exfiltration of data took place.
Rob Rachwald, Imperva's director of security strategy, said: “This incident reminds us how easy it is as an organisation, even as secure and well funded as the White House, to get infected since anti-virus is so porous. Lucky for the White House, their team of security specialists were able to find the compromised entity, but it is not trivial and usually happens very late, if ever.
“While phishing is a technique which by hackers mimic sites such as IRS, or your bank in order to lure you to submit your credentials, ‘spear phishing' is the targeted technique of identifying an individual in an organisation that the hacker wishes to compromise, and uses different techniques in order to lure that individual to activate malware on his/her computer. Effectively, creating the compromised insider.
“Finding an individual to target is fairly easy in today's social networking world. All a hacker has to do is look for ‘White House' as the current position and select which is pertinent.”
He said that the three most common infection methods include: an email attachment of either an executable in an EXE form (less common now) or a PDF with malicious code in it; link distribution of an infected site that can come via email or any form; or a gift, something as simple as a USB given at a convention that contains malware.
Terry Greer-King, UK managing director of Check Point, said: “This incident shows how critical employees are to an organisation's overall security process. As networks become better protected, hackers are increasingly targeting staff, but this growing risk isn't being recognised.
“In a recent survey we found that 42 per cent of UK businesses had been hit by social engineering attacks in 2010 and 2011, but only 26 per cent offered regular employee training to prevent such attacks and 44 per cent had no employee training in place. The best protection against these attacks is education, because staff are increasingly on the security front line as the easiest route onto the network.”