A World Full of Spear Phishing: What it is, and What to Look Out For


Attempted theft online has become an everyday occurrence. Whether spammers are trying to steal your personal data, your corporate data, or your money, spear phishing has become the “go-to” method. This wasn’t always the case, but the threat landscape continues to change on a daily basis. It’s important to understand how to identify spear phishing and other scams in order to avoid becoming a victim.

Spear phishing by definition is an attack on a specific entity rather than a “broadcast” spam. It may be an attempt to acquire sensitive information from the recipient, such as email passwords, bank information, credit card numbers and Social Security numbers. It could also be an attempt to persuade the recipient to transfer money to an account controlled by the attacker.

According to SearchSecurity, spear phishing attempts are not typically initiated by “random hackers” but are more likely to be conducted by perpetrators out for financial gain, trade secrets, or military information. These criminals typically impersonate someone the recipient knows, or would expect to receive an email from.

Sadly, many people aren’t aware of how much information is available to attackers from online sources such as LinkedIn, Facebook, and other popular and easy-to-access social websites. More information useful to attackers can often be found on company web sites.

Some attackers call a company’s public phone numbers, and attempt to persuade whoever answers the phone to give them information under various pretenses. This low tech but highly effective data gathering method is known as “social engineering.”

Any information gathered this way is then used against the victim to convince them that nothing out of the ordinary is happening.

When the data gathering and social engineering tasks are complete, the scammer uses that information in a customized email to the potential victim. This email includes specific details designed to convince the victim that the email is legitimate. It could pretend to be an email from the company’s IT department requesting that you change your password at a web page owned by the scammer. It could pretend to be from HR, asking you to “verify” information that could later be used for identity theft. Or it could pretend to be from the CEO requesting a wire transfer to some bank account. The important thing here is that the email includes information that was gathered in the social engineering phase of the attack.

According to a recent report by Brian Krebs of Krebs On Security, between October 2013 and August 2015, $1.2 billion has been lost to email scams in all 50 states and in 79 countries. These figures confirm that this type of attack works and that the price of a successful one can be huge.

Barracuda provides powerful technology solutions to help mitigate these threats, however, a pair of diligent eyes is the final defense. Below are a few tips:

  • Your IT department will never ask you for your password or any sensitive data, and your HR department already has your Social Security number. If you get a suspicious email from someone asking for your credentials, don’t be afraid to call your IT or HR department regarding anything that doesn’t seem right.
  • Would your boss really send an email requesting you to transfer money to a bank account somewhere, or introducing a “lawyer” who is going to be handling some high-dollar-value transaction? Use known, good contact addresses or phone numbers to verify and do not rely on anything in the email. Look at the actual email address the email came from, and, if you click “Reply”, before sending, carefully scrutinize the address the email is going to. Is it a domain not owned by your company? Is it Hotmail, Yahoo, or Gmail? There are many other “free email account” domains, and among them are CEO.com and President.com. Is the email address a look-alike domain impersonating your company’s domain? Look closely, because they picked that name carefully to look as much like your company’s real domain as possible.
  • How likely is it that the friend who “sent” you an urgent plea about being stranded in a foreign country would actually be traveling there without you knowing about it? Google the “stranded traveler scam”. Does the email go down the line hitting most of the items in the template these scammers use? Often, in these attacks, the friend’s email account has been hacked and the scammer is sending the plea to everyone in your friend’s address book. The email account is under the scammer’s control, not your friend’s.
  • Your nephew’s lawyer will not be using email to contact you for bail money.
  • Microsoft Office has never been configured to run macros automatically, and in current versions of Office macros are disabled by default. Never change this; it is hugely important. People spreading malware, particularly the “CryptoLocker” type of extortion malware, often use macros in Office documents to infect PCs. They send this malware disguised as resumes to people who have posted job offers, and also disguised as bills, invoices, etc. If you open a Microsoft Office document that asks you anything along the lines of enabling macros, editing, or content, it is virtually certain to be malware.
  • Are they asking you to send money via MoneyGram or Western Union? This is a red flag.
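The sender-address checks in the second tip above can be automated for triage. The script below is an added example, not code from the post or from Barracuda; it assumes a company domain of example.com and uses a constructed sample message whose Reply-To points at a look-alike domain.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed company domain for this example.
COMPANY_DOMAIN = "example.com"
# Free-mail domains named in the post plus a few well-known ones.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "ceo.com", "president.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (e.g. examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Extract the lower-cased domain from a From/Reply-To header (or '' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def classify(label: str, dom: str) -> list:
    """Flag free-mail domains and domains within two edits of the company domain."""
    if not dom or dom == COMPANY_DOMAIN:
        return []
    if dom in FREE_MAIL_DOMAINS:
        return [f"{label} uses free-mail domain {dom}"]
    if edit_distance(dom, COMPANY_DOMAIN) <= 2:
        return [f"{label} domain {dom} looks like {COMPANY_DOMAIN}"]
    return []


def check_message(raw: str) -> list:
    """Return the red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = classify("From", from_dom)
    if reply_dom and reply_dom != from_dom:  # replies would go somewhere else
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
        flags += classify("Reply-To", reply_dom)
    return flags


# Constructed sample: the From looks right, but a reply would go to a look-alike domain.
SAMPLE = 'From: "Jane Doe (CEO)" <jane.doe@example.com>\nReply-To: jane.doe@examp1e.com\nSubject: Urgent wire transfer\n\nPlease wire the funds today and confirm by reply.\n'

if __name__ == "__main__":
    for flag in check_message(SAMPLE):
        print("RED FLAG:", flag)
```

The edit-distance check only catches typo-style look-alikes; homoglyph domains (Unicode characters that render like ASCII) need a separate check.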

The data gathering and social engineering phase is crucial to the success of a spear phishing attack. If you would like to learn more about how this works, you can visit the Social Engineer website for more information. In particular, you should read this report on the DefCon 2015 Capture the Flag event (pdf). This is an annual contest in which participants attempt to use social engineering tactics on a pre-determined list of companies. The report explains how the contest worked and what methods allowed the participants to gather data on the companies. You can also access the five previous Capture the Flag reports here.

If you receive a spear phishing email at your place of business, you should report it to your email administrator. The administrator will use the information to improve company defenses against these attacks. Additionally, you can report the email as spam to your email service provider, or file a complaint with the Internet Crime Complaint Center (IC3).

Mike Van Pelt: Threat Analysis Engineer at Barracuda Networks
