How to protect your business against spear phishing
Phishing attacks have evolved, so small businesses need to adapt their defences to stay safe, says Davey Winder
Most people are aware of “phishing” attacks: scams initiated via email or on social networks with the aim of getting you to hand over your personal details. However, the scattergun approach of phishing is becoming more miss than hit, as user education improves and the chances of finding a gullible “mark” among the mass mail-out decrease. So these phishermen are now turning to more targeted attacks, known as spear phishing. If you run a small business, you and your employees are firmly within the cross-hairs, and your data is at risk.
Spear phishing defined
Tod Beardsley is the Metasploit engineering manager at Rapid7, and he defines spear phishing as “an attack characterised by phishing tactics, such as an email sent to the target with a ‘click here’ call to action that compromises the victim's computer – however, the email is specialised against that particular target”.
“Think of ‘phishing’ as casting a wide net of identical emails, where ‘spear phishing’ is an attack that might call out the victim by name and appear to come from some place the victim is familiar with," he explains.
Spear phishing is far more likely to exploit zero-day vulnerabilities in client software than general phishing scams ever did, since the targets are limited and the chance of any of them reporting the attack to a security vendor is low. This means that a valuable zero-day exploit stands a better chance of remaining undetected in the wild for longer.
Spear phishing by numbers
A survey of 603 UK small businesses in 2012 on behalf of AVG discovered that between January and April, when payments to tax and revenue agencies are at their highest, spear-phishing emails are especially prevalent.
The most common fraudulent messages were designed to appear as if they had come from banks or financial institutions, and only 30.5% of SMBs surveyed would think twice about clicking on a link purporting to lead to HMRC. 56.9% of the SMBs had received fraudulent emails asking for money, 36.8% had received fake tax rebate emails and 12.3% had been directed to a fake government web page.
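The lures described above share two traits Beardsley's definition points at: the mail claims to come from somewhere familiar (a bank, HMRC) while actually being sent from, and linking to, a domain the real organisation does not use. The following is an added example, not code from the article or from any vendor quoted in it, of a defender-side check that flags those mismatches in a raw message; the allow-list of genuine sender domains and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the article says spear-phishing mail impersonates (banks, HMRC) mapped to the
# domains the real sender uses.  Constructed allow-list; a deployment keeps its own.
IMPERSONATED = {("hmrc", "hm revenue"): {"hmrc.gov.uk", "service.gov.uk"}}
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    """Crude registrable domain: last two labels, or three under co.uk, gov.uk etc."""
    labels = host.lower().split(".")
    second_level = len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in ("co", "gov", "org", "ac")
    return ".".join(labels[-3:] if second_level else labels[-2:])

def brand_mismatches(text, domain, where):
    """Yield a finding for each brand named in text that is not sent from its real domain."""
    for keywords, real_domains in IMPERSONATED.items():
        if any(k in text.lower() for k in keywords) and domain not in real_domains:
            yield f"{where} names {keywords[0]!r} but uses domain {domain}"

def analyse(raw_message):
    """Return spear-phishing indicators found in a raw RFC 822 message (empty if none)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.rsplit("@", 1)[-1])
    findings = list(brand_mismatches(display, sender_domain, "From display name"))
    for href, anchor_text in HREF_RE.findall(msg.get_payload()):
        link_domain = registered_domain(urlparse(href).hostname or "")
        findings += brand_mismatches(anchor_text + " " + href, link_domain, "Link")
        # Anchor text that displays one domain while the href resolves to another.
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", anchor_text, re.I)
        if shown and registered_domain(shown.group()) != link_domain:
            findings.append(f"Link text shows {shown.group()} but href goes to {link_domain}")
    return findings

# Constructed samples: a fake HMRC rebate lure and a legitimate message linking to HMRC.
PHISH = """From: HM Revenue & Customs <refunds@hmrc-taxrebate.com>
Content-Type: text/html

<p>Dear Finance Team, your rebate is ready: <a href="http://hmrc-taxrebate.com/claim">www.hmrc.gov.uk/claim-rebate</a></p>
"""
LEGIT = """From: Example SMB Accounts <accounts@example-smb.co.uk>
Content-Type: text/html

<p>Pay the invoice via <a href="https://www.hmrc.gov.uk/pay">www.hmrc.gov.uk/pay</a></p>
"""
```

Running `analyse(PHISH)` yields three findings (spoofed display name, brand-named link on a foreign domain, anchor text showing a different domain from the href), while `analyse(LEGIT)` yields none; a mail gateway or triage script can use a non-empty result to quarantine or flag the message for review.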
The small business is a prime target simply because spear phishing, which devotes larger resources to smaller target groups, looks for high potential value to the attacker. Although larger enterprises are attacked too, it’s a mistake for small businesses to think they’re not a target. This common misconception means they’re less likely to be looking for spear-phishing attacks, less likely to have the defences in place to protect against them, and less likely to have invested in staff education programmes.
The attacker will already have a profile of your business and specific staff members who have access to bank account information, customer information or other high-value data for corporate espionage purposes. As Tod Beardsley puts it: "if I'm a penetration tester and spear phishing is in scope, I’ll go after your lead developers and get access to your proprietary source code."
Bit9's CTO Harry Sverdlove points a finger towards the explosion of social media – both within the business sphere and, of course, with the staff making good use of the BYOD trend.
"Cybercriminals have taken notice that we live in an interconnected world, where information is too easily traded and shared by the terabytes on Facebook, LinkedIn, Twitter, Instagram and more,” he says. “This free and open access to personal data provides the perfect opportunity for a cyberhacker to infiltrate almost any organisation. Let’s say you want to target a small company. In minutes, you can view its key employees from the company’s website, find the names of their friends or co-workers from their Facebook and LinkedIn profiles, and find out their current interests or projects from their Twitter feed. That’s all a cybercriminal needs to launch a targeted attack, to construct a spear-phishing email."
The simple truth of the matter is that almost every major breach or cyber-espionage campaign against companies that makes the news has begun life as a simple spear-phishing email. "It takes only one poor trusting soul for the attacker to then leverage well-known techniques to establish back doors, steal passwords, and siphon data," says Sverdlove.