Despite spam filters generally being pretty good these days, phishing remains a serious problem for corporate IT administrators the world over. A survey conducted last year revealed that over half of respondents believed that their corporate networks had been the target of a spear phishing attack.

Spear phishing differs from more traditional phishing attacks in that it targets specific networks. Attackers use information about employees and the organisations they work for to gain the employees' trust, and so get them to fall for the phish.

For example, attackers can send an email that resembles the staff newsletter and asks the recipient to visit a website to confirm an action, or an email claiming to carry an important work-related document for you to download.

Of course, none of these emails is what it claims to be, and clicking on the hyperlink or opening the attachment exposes the employee to infection.

“Spear phishing is the most popular way to get into a corporate network these days,” says Andrew Howard, a research scientist who heads up the malware unit at Georgia Institute of Technology Research Institute (GTRI).

“Because the malware authors now have some information about the people they are sending these to, they are more likely to get a response. When they know something about you, they can dramatically increase their odds.”

As with most hacking attempts, spear phishing typically targets the weakest link in the chain, which is often the unsuspecting user.

“Organizations can spend millions and millions of dollars to protect their networks, but all it takes is one carefully-crafted email to let someone into it,” Howard says. “It’s very difficult to put technical controls into place to prevent humans from making a mistake. To keep these attacks out, email users have to do the right thing every single time.”

Georgia Tech hopes to use the same public information the attackers use to alert employees to potential phishing attempts. This includes the information we voluntarily submit to social sites, both as individuals and collectively as companies.

“There are lots of open sources of information that will increase the chances of eliciting a response in spear phishing,” Howard says. “We are looking at a way to warn users based on this information. We’d like to see email systems smart enough to let users know that information contained in a suspect message is from an open source and suggest they be cautious.”

Giving security systems access to an organisation's email would let them learn what normal email behaviour looks like for each user and warn when a message deviates from it.
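One way to put that baseline idea into practice, as an added example that is not GTRI's Phalanx code: the script below learns which display names, addresses and sender domains a mailbox normally sees from a constructed sample history, then flags incoming messages whose sender domain, display-name-to-address pairing or link hosts deviate from that baseline. The history, addresses and URLs are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample data: (display name, address) pairs from one user's recent legitimate mail.
HISTORY = [
    ("Alice Jones", "alice.jones@example-corp.com"),
    ("Alice Jones", "alice.jones@example-corp.com"),
    ("HR Newsletter", "newsletter@example-corp.com"),
    ("Bob Lee", "bob@partner-example.org"),
]

URL_RE = re.compile(r'https?://[^\s<>"]+')


def build_baseline(history):
    """Per-user baseline: the addresses each display name has used, and a count per sender domain."""
    names = defaultdict(set)
    domains = defaultdict(int)
    for name, addr in history:
        addr = addr.lower()
        names[name.lower()].add(addr)
        domains[addr.split("@")[1]] += 1
    return names, domains


def score_message(baseline, name, addr, body):
    """Return a list of human-readable warning reasons; an empty list means nothing looked anomalous."""
    names, domains = baseline
    reasons = []
    addr = addr.lower()
    sender_domain = addr.split("@")[1]
    # A domain this mailbox has never received mail from is the first signal.
    if sender_domain not in domains:
        reasons.append(f"sender domain {sender_domain} never seen in this mailbox")
    # A familiar display name arriving from an unfamiliar address suggests impersonation.
    known = names.get(name.lower())
    if known and addr not in known:
        reasons.append(f"display name '{name}' previously used {sorted(known)}, now {addr}")
    # Links whose host does not belong to the sender's domain deserve a warning.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            reasons.append(f"link host {host} does not match sender domain {sender_domain}")
    return reasons
```

A real deployment would build the baseline from the mail store and surface the reasons to the user rather than blocking, which is the warning-not-filtering stance the article describes.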

“We are looking at building behavioral patterns for users so we’d know what kinds of email they usually receive. When something comes in that’s suspicious, we could warn the user,” Howard says. “We think the real answer is to keep malicious email from ever getting into a user’s in-box, but that is a much more difficult problem.”

Of course, when speed of communication is of the essence, it isn't desirable to interfere with email delivery too much. Any solution will need to combine protecting the user with maintaining strong service levels.

These and other strategies will be part of Phalanx, a new product being developed by GTRI researchers to protect corporate networks from spear phishing. It will be part of Titan, a dynamic framework for malicious software analysis that they launched last spring.