Phishing Attacks – Why Everyone is a Spear Phishing Target?

Posted by Geraldine Hunt on Tue, Apr 3rd, 2018

2017 was a rough year for cybersecurity with large phishing attacks impacting governments and companies around the world. Even organizations with the largest IT budgets such as Google, Yahoo and Equifax fell victim to large data breaches.

Every year, cybercriminals come up with new ways to trick users into giving up sensitive data or reveal credentials to their accounts. Phishing attacks are some of the most popular ways hackers are able to get access to data or infect an internal network with malware. At the beginning of 2018, cyber criminals were already coming up with innovative ideas to gain access to data. Here are some examples of spear-phishing attacks.

Using the Winter Olympics to Trick Users

In January 2018, cybercriminals already started using world events such as the Winter Olympics as a topic for phishing attacks. Mass phishing emails were sent from a spoofed South Korean Counter-Terrorism Center email address that had an attachment containing a malicious macro. The macro gave attackers access to servers if the right recipient opened the file and ran the macro.

This particular spear-phishing attack targeted a certain group of people who had access to large networks. These large networks have bigger payloads for attackers, and by giving them access to servers, the attackers can silently either infect other machines on the network or steal data in the background without detection. The lesson to learn from these attacks is that special events are popular themes for phishing attacks.

Business Email Compromises Expected to Exceed $9 Billion

A recent report indicates that phishing emails are expected to extract  $9 billion in lost revenue in 2018. Although there are several ways to trick users, the main goal is to steal credentials. Cybercriminals increased usage of spear phishing to target specific personnel.  Some personnel such as HR reps, financial staff or C-level executives have a higher level of access with increased permissions for sensitive data. For this reason, they are the main targets for attackers and should be educated the most on the red flags and signs of a phishing email.

Social Media is Still a Primary Reconnaissance Tool for Spear Phishing

For spear phishing, the attacker needs to research and find the right people to email. This preliminary step is called the reconnaissance phase. No special paid accounts are necessary. Attackers can just use social media. Facebook, LinkedIn, Twitter and even Instagram are useful tools for attackers.

You can handle most of the risk associated with social media by educating your users. They should be aware of social engineering and putting too much personal information on social media. When users are too open on social media, attackers can put together information on their target and use it to trick them during a spear phishing attack.

Attackers are Patient and Will Take Their Time for the "Long Term Phish"

Years ago, attackers would send hundreds of emails hoping to get any random number of victims. Now the goal is spear phishing for specific credentials and data, so attackers are willing to take their time for a big payout. Cybercriminals are creating databases on the Dark Web that aggregate profiles around specific individuals. What will this mean for phishing? When a phisher purchases these credentials they can be used elsewhere, without the person being aware of the threat.

Spear phishing can bank an attacker millions with a large data leak or even using ransomware. Your users should be educated in what to look for when receiving email, and never run macros or attachments. These phishing methods aren't slowing down at all, and inventive ways are making them much more effective

Because phishing can be so successful, hackers are turning to it as the primary means of injection.  Just last week Italian newspaper Il Tempo reported that accountants at Lazio were conned into sending €2 million (£1.75m) to a fraudsters bank account. This clearly demonstrates how important anti-phishing security, threat awareness, and training is within every organization. No organization is immune!