Bait, hook and catch – targeted spearphishing on the rise
Article by Barracuda Networks senior sales engineer Mark Lukie
Cybercriminals have a history of conducting attacks that cast a wide net hitting as many people as possible.
Most people have received emails from Nigerian princes offering to pay them an exorbitant sum of money, or drug companies offering a new drug to revolutionise their love life.
Cybercriminals now have their sights on enterprises using highly personalised attacks, going after fewer targets to extract a greater payload.
Spearphishing attacks, where a threat actor impersonates employees or popular web services, are on the rise.
At the end of 2018, the FBI warned that there was a 60% increase in 2018 in fake email schemes that aim at stealing money or tax data.
The latest social engineering iteration involves multiple steps.
Cybercriminals don’t randomly try to target executives with fake wire fraud.
Instead, they first infiltrate the organisation; then use reconnaissance and wait for the opportune time to trick targets by attacking from a compromised mailbox.
Step 1: Infiltration
Most attacks are easy for individuals to sniff out, containing weird addresses, bold requests or misspelled words.
Organisations are now seeing a rapid increase in personalised attacks that are difficult to spot, especially for people lacking security awareness.
A common example is an email apparently from Microsoft claiming they need to reactivate their Office 365 account.
It won’t appear suspicious, but if they hover over the link it’ll lead to a different website.
People with high security awareness would spot this, but the average employee wouldn’t.
The aim is to steal usernames and passwords.
Once the attacker gains control of these details, they can log into an account if multifactor authentication isn’t enabled.
Step 2: Reconnaissance
The attacker will typically monitor the account and read email traffic to learn about their organisation: who decision makers are, who can influence financial transactions or who has access to HR information.
They can also spy on interactions with partners, customers or vendors.
Step 3: Extract value
Attackers then launch a targeted attack.
They could send customers fake bank account information when they’re about to make a payment. Or trick employees to send HR information, wire money or click on links to collect additional information.
Since the email’s coming from a genuine (albeit compromised) account, it appears legitimate. Reconnaissance allows the attacker to perfectly mimic the sender’s signature and text style.
The best defence against phishing and spearphishing is to make users aware of the threats and techniques used by criminals.
1) User training
The best approach is to implement a simulation and training program to improve security awareness for an organisation’s users, to help them recognise subtle clues to identify phishing attempts. Regularly train and test all employees to increase security awareness. Staging simulated attacks for training purposes is by far the most effective method.
Multifactor authentication is essential to stop attackers gaining access to accounts – whether an organisation uses SMS codes, mobile calls, key fobs, biometric thumbprints or retina scans.
3) AI protection
AI now offers some of the strongest hope of shutting down spearphishing.
By learning and analysing an organisation’s unique communications patterns, an AI engine can sniff out inconsistencies and quarantine attacks in real-time.