
Bait, hook and catch – targeted spearphishing on the rise

03 May 2019

Article by Barracuda Networks senior sales engineer Mark Lukie

Cybercriminals have a history of conducting attacks that cast a wide net, hitting as many people as possible.

Most people have received emails from Nigerian princes offering to pay them an exorbitant sum of money, or drug companies offering a new drug to revolutionise their love life.

Cybercriminals now have their sights on enterprises, using highly personalised attacks that go after fewer targets to extract a greater payload.

Spearphishing attacks, where a threat actor impersonates employees or popular web services, are on the rise.

At the end of 2018, the FBI warned that fake email schemes aimed at stealing money or tax data had increased by 60% in 2018.

The latest social engineering iteration involves multiple steps.

Cybercriminals don’t randomly try to target executives with fake wire fraud.

Instead, they first infiltrate the organisation; then use reconnaissance and wait for the opportune time to trick targets by attacking from a compromised mailbox.

Step 1: Infiltration

Most attacks are easy for individuals to sniff out, containing weird addresses, bold requests or misspelled words.

Organisations are now seeing a rapid increase in personalised attacks that are difficult to spot, especially for people lacking security awareness.

A common example is an email, apparently from Microsoft, telling the recipient they need to reactivate their Office 365 account.

It won't look suspicious, but if the recipient hovers over the link, it leads to a different website from the one the text suggests.

People with high security awareness would spot this, but the average employee wouldn't.

The aim is to steal usernames and passwords.

Once the attacker gains control of these details, they can log into an account if multifactor authentication isn’t enabled.
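The "hover over the link" check described above can be automated on the receiving side: parse the HTML body, collect every anchor, and flag links whose visible text points at one host while the real `href` points at another, or whose text names a brand while the destination is not on that brand's domains. The following Python is an added illustration, not code from the article or from Barracuda; the `BRAND_DOMAINS` table, the `.example` hostnames and the sample email body are constructed for the example, and `registrable_domain` uses a two-label shortcut rather than the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands a phisher is likely to impersonate, mapped to domains those brands
# actually use. Assumed, illustrative values; a real deployment would keep a
# maintained allowlist.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
    "office 365": {"microsoft.com", "microsoftonline.com", "office.com"},
}

# Visible link text that looks like a URL: optional scheme, a dotted host, optional path.
URL_TEXT = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/:?#]\S*)?$", re.I)


def registrable_domain(host):
    """'login.office.com' -> 'office.com'. Simplification: real code should
    consult the Public Suffix List so that e.g. 'co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects (visible_text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def find_deceptive_links(html):
    """Return a list of (text, href, reason) for links whose visible text
    misrepresents where the link really goes."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target_host = urlparse(href).hostname or ""
        # Case 1: the visible text is itself a URL, but on a different host than the href.
        shown = URL_TEXT.match(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target_host):
            findings.append((text, href, "visible URL host differs from real destination"))
            continue
        # Case 2: the visible text names a brand, but the href is not on that brand's domains.
        for brand, domains in BRAND_DOMAINS.items():
            if brand in text.lower() and registrable_domain(target_host) not in domains:
                findings.append((text, href, f"link text mentions {brand!r} but destination is {target_host!r}"))
                break
    return findings


# Constructed sample body in the style of the "reactivate your Office 365 account" lure.
SAMPLE_HTML = """
<p>Your Office 365 account will be suspended in 24 hours.</p>
<a href="http://office365-reactivate.example/login">Reactivate your Office 365 account</a>
<a href="https://login.microsoftonline.com/">https://login.microsoftonline.com/</a>
<a href="http://203.0.113.10/x">https://portal.office.com/</a>
"""


def scan_sample():
    return find_deceptive_links(SAMPLE_HTML)


if __name__ == "__main__":
    for text, href, reason in scan_sample():
        print(f"FLAG: {text!r} -> {href}: {reason}")
```

Of the three links in the sample, the second is left alone (text and destination agree), while the first and third are flagged: one because the text names Office 365 but the destination is an unrelated host, the other because the text shows an `office.com` URL while the `href` points at a bare IP address. Neither case needs the message to contain misspellings or odd wording, which is exactly why hovering, or this automated equivalent, matters.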

Step 2: Reconnaissance

The attacker will typically monitor the account and read email traffic to learn about their organisation: who decision makers are, who can influence financial transactions or who has access to HR information.

They can also spy on interactions with partners, customers or vendors.

Step 3: Extract value

Attackers then launch a targeted attack.

They could send customers fake bank account information when they're about to make a payment, or trick employees into sending HR information, wiring money or clicking on links that collect additional information.

Since the email’s coming from a genuine (albeit compromised) account, it appears legitimate. Reconnaissance allows the attacker to perfectly mimic the sender’s signature and text style.

Take action

The best defence against phishing and spearphishing is to make users aware of the threats and techniques used by criminals.

1) User training

The best approach is to implement a simulation and training program to improve security awareness for an organisation’s users, to help them recognise subtle clues to identify phishing attempts. Regularly train and test all employees to increase security awareness. Staging simulated attacks for training purposes is by far the most effective method.

2) Authentication

Multifactor authentication is essential to stop attackers gaining access to accounts – whether an organisation uses SMS codes, mobile calls, key fobs, biometric thumbprints or retina scans.

3) AI protection

AI now offers some of the strongest hope of shutting down spearphishing.

By learning and analysing an organisation's unique communication patterns, an AI engine can sniff out inconsistencies and quarantine attacks in real time.
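The "learn the organisation's communication patterns, then flag inconsistencies" idea behind the AI protection above, and the Step 3 scenario of a compromised executive mailbox sending new bank details, can be illustrated with a deliberately simple per-sender baseline. The Python below is an added example, not Barracuda's engine or anything from the article: it builds a baseline from a constructed message history (usual recipients, usual sending hours, reply-to domains, whether the sender has ever asked about payment details), scores a new message against it, and quarantines when enough deviations stack up. All addresses, domains and message texts are constructed; the keyword list and the threshold of two are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Phrases typical of a bank-detail or payment-redirection request. Illustrative only.
PAYMENT_WORDS = re.compile(
    r"\b(wire transfer|bank account|account number|iban|routing number|payment details)\b", re.I
)

# Constructed history for one internal sender: the kind of traffic a baseline is learnt from.
HISTORY = [
    {"from": "cfo@corp.example", "to": ["ap@corp.example"], "reply_to": None,
     "sent": "2019-04-01T09:12:00", "body": "Please process the April invoices as usual."},
    {"from": "cfo@corp.example", "to": ["ap@corp.example", "ceo@corp.example"], "reply_to": None,
     "sent": "2019-04-03T14:40:00", "body": "Board pack attached for review."},
    {"from": "cfo@corp.example", "to": ["billing@customer.example"], "reply_to": None,
     "sent": "2019-04-10T10:05:00", "body": "Thanks for the prompt payment last month."},
]

# Constructed message sent from the same (now compromised) mailbox, Step 3 style.
SUSPICIOUS = {
    "from": "cfo@corp.example", "to": ["billing@customer.example"],
    "reply_to": "cfo.corp@webmail.example", "sent": "2019-05-02T02:17:00",
    "body": "Our bank account has changed. Please send this month's payment to the new account number below.",
}

# Constructed ordinary message from the same sender.
LEGIT = {
    "from": "cfo@corp.example", "to": ["ap@corp.example"], "reply_to": None,
    "sent": "2019-05-02T09:30:00", "body": "May invoices approved, go ahead.",
}


def _domain(addr):
    return addr.split("@")[-1].lower()


def build_baseline(messages):
    """Per-sender summary of who they write to, when, with which reply-to
    domains, and whether they have ever raised payment details."""
    base = defaultdict(lambda: {"recipients": set(), "hours": set(),
                                "reply_to_domains": set(), "payment_requests": 0})
    for m in messages:
        b = base[m["from"]]
        b["recipients"].update(m["to"])
        b["hours"].add(datetime.fromisoformat(m["sent"]).hour)
        if m["reply_to"]:
            b["reply_to_domains"].add(_domain(m["reply_to"]))
        if PAYMENT_WORDS.search(m["body"]):
            b["payment_requests"] += 1
    return base


def deviations(msg, baseline):
    """List the ways msg departs from its sender's learnt behaviour."""
    b = baseline.get(msg["from"])
    if b is None:
        return ["no history for sender"]
    reasons = []
    if msg["reply_to"]:
        rt = _domain(msg["reply_to"])
        if rt != _domain(msg["from"]) and rt not in b["reply_to_domains"]:
            reasons.append(f"reply-to domain {rt} never used by this sender")
    hour = datetime.fromisoformat(msg["sent"]).hour
    if hour not in b["hours"]:
        reasons.append(f"sent at hour {hour:02d}, outside the sender's usual hours")
    unknown = [r for r in msg["to"] if r not in b["recipients"]]
    if unknown:
        reasons.append(f"first message from this sender to {', '.join(unknown)}")
    if PAYMENT_WORDS.search(msg["body"]) and b["payment_requests"] == 0:
        reasons.append("payment/bank-detail wording from a sender with no such history")
    return reasons


def classify(msg, baseline, threshold=2):
    """Quarantine when at least `threshold` independent deviations coincide."""
    reasons = deviations(msg, baseline)
    return ("quarantine" if len(reasons) >= threshold else "deliver"), reasons


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for label, msg in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        verdict, why = classify(msg, baseline)
        print(label, verdict, why)
```

The point of requiring several deviations to coincide is that each one alone is ordinary (people do send late at night, and do mention invoices); it is the combination of an unfamiliar reply-to domain, an unusual hour and a first-ever request to change bank details that marks the message as inconsistent with the account's own history, even though it comes from a genuine mailbox with a perfect signature.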
