Cyber House of Horrors: Phishing & Spear Phishing: Updating the Old Con

You receive an email that appears to be from your bank. It states that there’s a problem with your account, and that you should log in to fix it. You click the link, and your bank’s web page appears. You attempt to log in, but you get an error.

Meanwhile, a criminal halfway around the world has just drained your bank account.

Congratulations! You’ve just fallen victim to a phishing attack.

Phishing vs. Spear Phishing

The typical phishing attack arrives via email, and either attempts to steal your login credentials or trick you into downloading malware to your computer.

Phishing attacks are so prevalent because they are dead simple – and cheap – for criminals to mount, as they are essentially a type of spam. Buy yourself a list of email addresses, set up your outgoing email on a no-questions-asked mail server somewhere, and you’re in business.

As with most confidence tricks, however, people eventually get wise to the con, which means the criminal must up their game. When phishing loses its punch, it’s time to move on to spear phishing.

Spear phishing is a more sophisticated phishing attack where the malicious email contains some information specific to the recipient, thus reducing the target’s suspicion. The spear phishing attack in the news recently: the boss email.

You’re in your company’s accounts payable department, and you get an email from your boss, or perhaps your boss’s boss. The “from” address looks legit, and the email is addressed directly to you. In it, your boss explains that an important supplier is upset and that you should wire them a specific amount right away. It also includes the appropriate wiring information.

Your boss also asks you to email them if you have any questions, so you hit reply and ask your question. You shortly get a response that assuages your suspicions, so you wire the money.

The money, of course, goes to a criminal – often millions of dollars in a single attack. But you’re certain the email came from your boss! So, how did the con work?

The simplest technique: the attacker set the “reply-to” address in their original email, so that the “from” address was valid but your response went to the attacker instead, at a different email address – perhaps one like bossname@gmail.com or the like. The address is chosen to look benign, so that even if you notice it, the con artist might still be able to talk you into complying.

To mount a spear phishing attack, the attacker has to do their research. They need to find the names and email addresses of suitably senior executives, as well as addresses of people who are likely to have access to corporate bank accounts. If they can get hold of the boss’s actual email signature to make the email look authentic, even better.

Protecting Your Company from Spear Phishing

Anti-phishing products on the market work much like anti-virus apps do – by looking for suspicious patterns in incoming email. Such tools can identify the “reply-to” trick, as well as identify when URLs aren’t what they appear to be.
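To make the two checks just mentioned concrete (the “reply-to” trick from the boss-email story and links whose visible text names one site while the link itself points elsewhere), here is a small added example. It is illustrative code written for this post, not the product of any anti-phishing vendor or of the original author; the sample messages, addresses and the `example-corp.com` / `examplebank.test` domains are constructed, and real mail-filtering products do a great deal more than this.

```python
"""Added example (not from the original post): two header/link checks of
the kind anti-phishing tools perform on incoming mail.

  1. reply-to-mismatch : the Reply-To domain differs from the From domain
  2. link-mismatch     : an HTML link's visible text names one domain but
                         its href points at a different host

All sample messages below are constructed for this example."""

import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


def _norm(host):
    """Lower-case a host name and drop a leading 'www.' for comparison."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def _domain_of_addr(header_value):
    """Domain part of an RFC 5322 address header, or '' if none present."""
    _, addr = parseaddr(str(header_value or ""))
    return _norm(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def _domain_of_url(url):
    return _norm(urlparse((url or "").strip()).hostname)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that itself looks like a URL or a bare domain name.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def check_message(raw_bytes):
    """Return a list of finding strings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []

    from_dom = _domain_of_addr(msg["From"])
    reply_dom = _domain_of_addr(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch: From={from_dom} Reply-To={reply_dom}")

    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            href_dom = _domain_of_url(href)
            m = _DOMAIN_IN_TEXT.search(text.lower())
            if m and href_dom and _norm(m.group(1)) != href_dom:
                findings.append(f"link-mismatch: text={_norm(m.group(1))} href={href_dom}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_BOSS = b"""From: "Pat Boss" <pat.boss@example-corp.com>
Reply-To: pat.boss.ceo@example-mail.test
To: ap@example-corp.com
Subject: Urgent wire
Content-Type: text/plain; charset="utf-8"

Please wire the supplier today and reply here with any questions.
"""

SAMPLE_BANK = b"""From: "Example Bank" <alerts@examplebank.test>
To: you@example.test
Subject: Account problem
Content-Type: text/html; charset="utf-8"

<p>There is a problem with your account. Log in at
<a href="http://198.51.100.7/login">https://www.examplebank.test/login</a></p>
"""

SAMPLE_CLEAN = b"""From: "Example Bank" <alerts@examplebank.test>
Reply-To: support@examplebank.test
To: you@example.test
Subject: Statement ready
Content-Type: text/html; charset="utf-8"

<p>Your statement is ready at
<a href="https://www.examplebank.test/login">https://www.examplebank.test/login</a></p>
"""

if __name__ == "__main__":
    for name, raw in [("boss", SAMPLE_BOSS), ("bank", SAMPLE_BANK), ("clean", SAMPLE_CLEAN)]:
        print(name, check_message(raw) or ["no findings"])
```

The checks are deliberately narrow: a Reply-To on a different domain is common in legitimate mail (newsletters, ticketing systems), so a real filter would score it alongside other signals rather than block on it, and the link check only fires when the visible text itself looks like a web address.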

In addition, newer machine learning technologies are getting better at recognizing phishing patterns, beyond simple text-based pattern recognition. However, none of these technologies will catch all attacks, and attackers continue to vary their approaches to avoid them.

The bottom line is training. Ensure everyone in your organization is familiar with likely attack scenarios and how to deal with suspicious emails, as well as empowering them to take action, should they become suspicious.

It is important to keep in mind that these kinds of attacks are confidence tricks – 21st-century versions of the old con, where the criminal gains the confidence of the victim. Tactics continue to change, but the strategy remains the same – use the human nature of the victim against them.

The Intellyx Take

I may be calling this series of posts a Cyber House of Horrors, but the Cyber part of the phishing story is superficial. Even as an example of social engineering, the technology elements of phishing and spear phishing are more a matter of convenience for the attacker than any critical distinguishing feature of the con itself.

After all, spear phishing could easily use the phone instead of email – and in fact, such cons have been going on for over a century. We just didn’t give them catchy names like spear phishing back in the day.

Some examples of phone-based social engineering cons that resemble phishing: the attacker posts an official-looking sign in the office lunchroom announcing a new help desk number. People who call that number are greeted by a helpful individual who takes their login credentials.

Another oldie but goodie: the attacker calls office extensions at random, pretending to be a tech support person following up on their problem. Most people will think it’s a mistake – but a few will be waiting for just such a call, and be only too willing to cough up their password.

The moral of this story: don’t let the fact that phishing and spear phishing attacks use email lead you to the mistaken belief that email is central to such cons. If it weren’t for email, the attackers would simply look for a different mechanism.

The same general principle applies to the boss email scam. Once people become familiar with this attack, criminals will come up with a different one, until that one becomes too well-known, and so on.

The bottom line: don’t expect such cons to be familiar, follow recognizable patterns, or use expected modes of technology. The attackers are only too willing to mix things up. Don’t let them get one step ahead of the people in your organization or expect to pay the price.

This BrainBlog post is sponsored by Certes Networks. Certes Networks enables you to dynamically control your data traffic security without dependence on firewalls or the network infrastructure via the power of CryptoFlows: automatic, zero-touch secure application overlays that are user aware and application aware, enabling you to extend any application to any user over any network. For more information, go to www.certesnetworks.com.

Copyright © Intellyx LLC. Certes Networks is an Intellyx client. Intellyx retains full editorial control over the content of this paper. Image source: Joint Task Force Guantanamo.
