A new survey has shown spear-phishing to be keeping IT professionals up at night. Carried out by Cloudmark, the project surveyed 300 IT professionals on their experiences with this targeted form of credential grabbing and found that spear-phishing is a larger threat than one might expect. The findings are stark.
Nearly three-quarters of those interviewed feel that spear-phishing poses a significant threat to their organisation, and even more expect that threat to grow. Nearly half, 42 percent, put spear-phishing within their top three security concerns.
SCMagazineUK.com spoke to Cloudmark VP Matt Grant, who told us that they're right to worry: “If you look at some of the largest breaches over the past 18 months whether it's Target, whether it's JP Morgan Chase, whether it's Sony... all of those started with spear-phishing emails.”
It's fairly understandable too: email is still the most common form of communication for business and email addresses are extremely easy to spoof, taking only a couple of tries to successfully fake.
Phishing is the act of electronically pretending to be a trusted entity in order to elicit valuable personal details, like credit card numbers and passwords. It's one of the most common scams around, and most internet users have probably found themselves confronted with a phishing scam at some point. While regular phishing scammers might deploy a million emails or pop-up ads to try and ensnare their dull, slothful prey, spear-phishers represent the far more specialised, targeted form of the scam.
An email might be sent to you from your boss, encouraging you to deposit money into a certain account or, if you work in the IT department, to give someone elevated privileges to certain important files.
Phishing scams might be easy to spot, but spear-phishing is harder to detect. Spear-phishing campaigns tend to rely on deep research of the target company's structure, as well as emails tailored for maximum authenticity and sent to a precise member of staff.
Businesses do put security measures in place (given how many are scared of spear-phishing, they'd be stupid not to), but those measures aren't always successful. Seventy-one percent have put in solutions to prevent spear-phishing attacks, most of which involve using secure email gateways (80 percent) and anti-spam or anti-virus software.
Despite the countermeasures, the majority, 84 percent, have still suffered spear-phishing attacks.
The most heavily targeted are the guys in IT who, according to Angela Knox, head of engineering at Cloudmark, “have the most powerful passwords and they can get into places you want to get into and resources you want to get into in the company. IT staff really are the holy grail.”
Finance and sales staff come second and third respectively, for the obvious reasons. These tend to be easier nuts to crack, says Knox: “When they use sales and finance and marketing, they use softer campaigns than when they target IT staff because they know that the IT staff tend to be more wary of these things.”
In nearly equal measure, those behind the spear-phishing attacks are looking for credentials, corporate information and malware deployment opportunities.
But sometimes spear-phishing scams just straight up steal money. According to the Federal Bureau of Investigation, scammers made off with £520 million from 7000 companies in the US between summer 2013 and 2015. Grant told SC, “These are one of the main attacks that are getting through because they don't have a malicious file, they don't have a malicious link, they don't have anything that your traditional security vendors can put into a sandbox.”
Often, the scammer will assume the identity of an executive member of the company, giving the scam message the authority of the company's upper echelons. That kind of authority lends credibility to a spear-phishing email that it might not otherwise have.
Knox told SC that the scammers “use words like urgent and create some priority around it to make it seem like this has to happen right now or there's going to be some financial loss, using social engineering tactics to prey on people's goodness”.
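The pattern Grant and Knox describe (a spoofed or lookalike sender posing as an executive, urgency language, a request for money or access, and no malicious link or attachment for a gateway sandbox to inspect) can be turned into a content-based check on the mail itself. The script below is an added example, not Cloudmark's or SC Magazine's code: it parses two constructed messages with Python's standard `email` library and reports which impersonation indicators each one triggers. The organisation domain, executive list, keyword lists and sample messages are all assumptions made up for the demonstration.

```python
"""Heuristic scorer for executive-impersonation (spear-phishing / BEC) emails.

Added example, not Cloudmark's or SC Magazine's code. The organisation's
domain, its executives, the keyword lists and both sample messages are
constructed for this demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the defended organisation and its executives.
ORG_DOMAINS = {"example-corp.com"}
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",   # CFO in this scenario
    "john roe": "john.roe@example-corp.com",   # CEO in this scenario
}

# Language the article attributes to these scams: pressure plus a request.
URGENCY_WORDS = ("urgent", "immediately", "right now", "asap", "today", "confidential")
REQUEST_WORDS = ("wire", "transfer", "payment", "invoice", "password",
                 "credentials", "admin access", "privileges", "gift card", "bitcoin")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and return the indicators it triggers.

    'score' counts the five risk indicators; 'sandbox_blind' is informational
    and records that there is no URL or attachment for link/sandbox controls
    to act on, so the content heuristics carry the decision.
    """
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{subject}\n{body}".lower()

    indicators = []
    # 1. Display name of a known executive, but not that executive's address.
    exec_addr = EXECUTIVES.get(from_name.strip().lower())
    if exec_addr and from_addr.lower() != exec_addr:
        indicators.append("exec_display_name_external_address")
    # 2. Sender domain outside the organisation (catches lookalike domains).
    if from_addr and _domain(from_addr) not in ORG_DOMAINS:
        indicators.append("external_sender_domain")
    # 3. Replies routed to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        indicators.append("reply_to_mismatch")
    # 4. Urgency / pressure language.
    if any(w in text for w in URGENCY_WORDS):
        indicators.append("urgency_language")
    # 5. Request for money, credentials or elevated access.
    if any(w in text for w in REQUEST_WORDS):
        indicators.append("payment_or_credential_request")

    has_url = bool(re.search(r"https?://", text))
    return {
        "from": from_addr,
        "indicators": indicators,
        "score": len(indicators),
        "sandbox_blind": not has_url and not msg.is_multipart(),
    }


# Constructed sample: CFO impersonation sent to finance from a lookalike domain.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: jane.doe.cfo@mail-example.net
To: finance@example-corp.com
Subject: URGENT wire transfer needed today

Please process a wire transfer of 5000 units to the account below
immediately. This is confidential; do not discuss it with anyone.
"""

# Constructed sample: a routine internal message with none of the signals.
SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Q3 forecast review

Thanks for the slides, let's walk through them at Thursday's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(sample))
```

Run stand-alone, the constructed impersonation message triggers all five risk indicators with no URL or attachment present, while the routine message triggers none. In a real deployment the executive list would come from the directory, and a high score on a `sandbox_blind` message is exactly the case the article says slips past file- and link-centric controls.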
Another version of spear-phishing is called whaling, as in trying to catch ‘the whales’ of the targeted organisation. One such case last year targeted a bitcoin brokerage. The criminals sent a series of emails under the guise of the brokerage's chief financial officer to the CEO, requesting 5000 bitcoins, then valued at around £150 each, to be transferred into an account. It was only after those 5000 bitcoins had been transferred, and a million pounds had been lost, that the brokerage's boss smelt something fishy.
Scenarios like this are set to become more common too. A study carried out last year by cyber-security company Mimecast showed that whaling had taken a sharp upturn in 2015, one which was likely to continue in 2016.