A typical phishing attack is launched at thousands, even millions, of users in a blanket approach. Whether you are prospecting customers for a sales campaign or looking for a date next Saturday night, it is always tempting to go after the low-hanging fruit: it is easy and takes little effort. But low-hanging fruit rarely brings great fortune either. The best-tasting fruit is seldom within easy reach.
Criminals launch these attacks hoping to snag a few users here and there in order to:
- capture PayPal account details,
- obtain personal financial or health information,
- or deliver ransomware for a quick bitcoin payoff.
The emails deployed in these mass campaigns typically play on the recipient's sense of urgency, enticing them to click a URL or open an attachment that then delivers the malicious payload.
These attacks are often, though not always, built around current news events such as storms and tragedies, targeting both victims and charitable donors. A prime example of such a timed attack was the recent campaign by a Russian hacker group, infamous for successfully breaching the Democratic National Committee earlier this year. The large-scale attack was launched just hours after the election results showed Donald Trump as the winner of the U.S. election. It targeted various political organizations with emails offering insight and analysis on the election, supposedly from the Clinton Foundation. One of the lures featured a link to a PDF download titled “Why American Elections Are Flawed.” The window for such an attack is brief, but its success rate is higher than normal.
Targeted Phishing Attacks
Just as in other types of crime, robbing the big city bank requires far more planning than robbing the local convenience store, but the payoff is far greater. Many cybercriminals are narrowing their attacks toward specific individuals high up the food chain within an organization; by doing so, they are targeting businesses rather than home users. For spear phishing to succeed, attackers must research their targets, gathering information about business partners, vendor relationships, financial service providers and even hobbies. The more information they have, the more convincing the phishing email will be. This requires a significant investment of time, but the results show it is worth it.
How successful are phishing attacks?
- According to a January 2016 survey of 300 U.S. and U.K. companies, the average spear phishing attack on a large business cost $1.6 million
- The FBI reports that highly targeted phishing attacks have cost U.S. businesses a total of $2.6 billion over the past three years
- Nearly two thirds of IT decision makers interviewed say spear phishing is either their organization’s top security concern (20 percent) or among its top three security concerns (42 percent)
- 84% of companies admitted that at least one phishing attack had successfully penetrated their network defenses
How Are Phishing Attacks Implemented?
Email is the primary delivery method for spear phishing, but smartphones and social network sites are rapidly becoming common channels as well. Email spoofing is routinely used in these attacks to convince the targeted victim that they are communicating with a close partner or trusted party, which lowers their defenses. Spear phishing is often combined with typosquatting, in which criminals register many domain names that differ from the targeted domain by only one or two characters, so that a glance at the sender address or link raises no alarm. Partly for this reason, spear phishing websites have increased by 250% since this time a year ago. Spear phishing attacks are also known to take advantage of zero-day vulnerabilities. This was demonstrated just weeks ago in a spear phishing attack by another well-known Russian hacker group that exploited a Windows kernel zero-day vulnerability along with an Adobe Flash zero-day.
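Two of the techniques above, header spoofing and typosquatted sender domains, can be caught mechanically at the mail gateway before a human ever reads the message. The Python below is an added example written for this article, not code from the original post or from any vendor. It assumes a trusted-domain list of example.com and examplebank.com, a small hand-made confusables table (a subset of the real Unicode confusables), and three constructed messages whose Authentication-Results headers stand in for the verdicts a receiving MTA would record. It checks whether the visible From: domain agrees with the envelope sender, whether SPF/DKIM/DMARC passed, and whether the From: domain is within two edits of a trusted domain once look-alike characters are folded.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: the domains we treat as our own or as trusted partners.
TRUSTED_DOMAINS = ("example.com", "examplebank.com")

# Partial confusables table, constructed for the example: digits that look like letters
# and a few Cyrillic letters that render identically to Latin ones.
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
})
# Two-character sequences that look like a single letter in many fonts.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize_domain(domain: str) -> str:
    """Lower-case a domain and fold look-alike characters onto the Latin letters they imitate."""
    folded = domain.strip().lower().translate(CONFUSABLE_CHARS)
    for pair, target in CONFUSABLE_PAIRS:
        folded = folded.replace(pair, target)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a typosquat is usually one or two edits from its target."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2):
    """Return the trusted domain this one imitates, or None if it is exact or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    folded = normalize_domain(domain)
    for t in trusted:
        if edit_distance(folded, normalize_domain(t)) <= max_edits:
            return t
    return None


def domain_of(header_value) -> str:
    """Extract the domain from an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyze(raw_message: str) -> dict:
    """Report spoofing and typosquatting indicators for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    envelope_dom = domain_of(msg.get("Return-Path"))
    auth = (msg.get("Authentication-Results") or "").lower()
    indicators = []
    # The visible From: is what the victim reads; the envelope sender is what the MTA used.
    if envelope_dom and envelope_dom != from_dom:
        indicators.append(f"header/envelope mismatch: Return-Path is {envelope_dom}")
    # SPF/DKIM/DMARC verdicts recorded by our own gateway; anything but "pass" is noted.
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            indicators.append(f"{mech}={m.group(1)} in Authentication-Results")
    target = lookalike_of(from_dom)
    if target:
        indicators.append(f"lookalike domain: {from_dom} imitates {target}")
    return {"from_domain": from_dom, "indicators": indicators, "suspicious": bool(indicators)}


# Constructed sample messages (not real traffic): one clean, one spoofed From:, one typosquat.
SAMPLES = {
    "legit": """From: Alice <alice@example.com>
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
Subject: Q3 numbers

See attached.
""",
    "spoofed_from": """From: "CEO" <ceo@example.com>
Return-Path: <bounce-1@mail-relay-xyz.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay-xyz.net; dkim=none; dmarc=fail
Subject: Urgent wire transfer

Please handle this today.
""",
    "typosquat": """From: Accounts Payable <ap@exarnple.com>
Return-Path: <ap@exarnple.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=exarnple.com; dkim=pass header.d=exarnple.com; dmarc=pass
Subject: Updated bank details

Our account number has changed.
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyze(raw))
```

Note that the typosquat message passes SPF, DKIM and DMARC cleanly, because the attacker controls exarnple.com and can publish valid records for it; only the look-alike check catches it. Conversely the spoofed message fails authentication but uses the genuine domain, so the two checks are complementary rather than redundant. A production filter would load the full Unicode confusables list and also compare the registrable domain of any URL in the body, not just the sender.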
Don’t Make It Easy for Cybercriminals
Spear phishing culprits use a variety of social engineering mechanisms to carry out their attacks. While it is natural for key executives to want to post personal information about themselves on the company website so that customers and associates can get to know the leadership (or simply as an ego boost), companies should practice brevity in doing so.
Business executives should also be extremely disciplined in their social networking practices. Personal facets of their lives that can be easily found on the Internet are valuable morsels of information that a criminal can use to win the target's trust. All documents handled by or pertaining to key executives should be shredded and properly disposed of.
Gatekeepers should be trained not to give out information in response to unsolicited requests over the phone, email or text. And of course, a foundation of effective spam filtering, along with constant training of personnel in email security awareness and diligence, are the chief components of a properly designed security plan to deny attackers the opportunity to catch the big one in your pond.