Despite spam filters generally being pretty good these days, phishing remains a serious problem for corporate IT administrators the world over. A survey conducted last year revealed that over half of respondents believed that their corporate networks had been the target of a spear phishing attack.
Spear phishing differs from more traditional phishing attacks in that it targets a specific organisation. Attackers use information about employees and the organisations they work for to gain the employees' trust, and so get them to fall for the phish.
For example, hackers can send an email that resembles the staff newsletter and asks the recipient to visit a website to confirm an action. Or an email can claim to have an important work-related document for you to download.
Of course, none of these emails is what it claims to be, and clicking on the hyperlink or opening the attachment exposes the employee to infection.
“Spear phishing is the most popular way to get into a corporate network these days,” says Andrew Howard, a research scientist who heads up the malware unit at Georgia Institute of Technology Research Institute (GTRI).
“Because the malware authors now have some information about the people they are sending these to, they are more likely to get a response. When they know something about you, they can dramatically increase their odds.”
As with most hacking attempts, spear phishing targets the weakest link in the chain, which is often the unsuspecting user.
“Organizations can spend millions and millions of dollars to protect their networks, but all it takes is one carefully-crafted email to let someone into it,” Howard says. “It’s very difficult to put technical controls into place to prevent humans from making a mistake. To keep these attacks out, email users have to do the right thing every single time.”
Georgia Tech are hoping to use the same public information the hackers use to alert employees to potential phishing attempts: the information we voluntarily submit to social sites, both as individuals and collectively as companies.
“There are lots of open sources of information that will increase the chances of eliciting a response in spear phishing,” Howard says. “We are looking at a way to warn users based on this information. We’d like to see email systems smart enough to let users know that information contained in a suspect message is from an open source and suggest they be cautious.”
Having access to an organisation's email systems would let security systems learn what normal email behaviour looks like for each user, and warn the user when a message departs from that pattern.
“We are looking at building behavioral patterns for users so we’d know what kinds of email they usually receive. When something comes in that’s suspicious, we could warn the user,” Howard says. “We think the real answer is to keep malicious email from ever getting into a user’s in-box, but that is a much more difficult problem.”
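The two ideas Howard describes above, comparing a message against what the user normally receives and noticing when it leans on publicly available information such as a staff directory, can be sketched as a small mailbox baseline. The following is an added illustration, not code from GTRI, Phalanx or Titan; the mail history, the public staff listing and the domain names are all constructed for the example, and the warning rules are assumptions about what such a system might check.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed data: the user's own organisation and a public staff listing,
# the kind of open-source information an attacker and a defender can both read.
INTERNAL_DOMAIN = "example-corp.test"
PUBLIC_STAFF = {
    "Alice Example": "alice@example-corp.test",
    "Bob Sample": "bob@example-corp.test",
}

# Constructed mail history for one user: who has written to them before,
# which link domains those messages carried and who sends attachments.
HISTORY = [
    {"from_name": "Alice Example", "from_addr": "alice@example-corp.test",
     "body": "Minutes attached, see https://intranet.example-corp.test/minutes",
     "attachments": ["minutes.pdf"]},
    {"from_name": "Bob Sample", "from_addr": "bob@example-corp.test",
     "body": "This week's newsletter: https://intranet.example-corp.test/news",
     "attachments": []},
    {"from_name": "Vendor Support", "from_addr": "support@vendor-example.test",
     "body": "Ticket update at https://portal.vendor-example.test/t/1",
     "attachments": []},
]

# Constructed incoming messages used to exercise the checks below.
BENIGN_MESSAGE = {
    "from_name": "Alice Example", "from_addr": "alice@example-corp.test",
    "body": "Agenda attached, draft at https://intranet.example-corp.test/agenda",
    "attachments": ["agenda.pdf"],
}
SUSPICIOUS_MESSAGE = {
    "from_name": "Alice Example", "from_addr": "alice.example@example-corp-news.test",
    "body": "Please confirm the action in the staff newsletter: http://example-corp-news.test/confirm",
    "attachments": [],
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(addr):
    """Mail domain of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def link_domains(body):
    """Set of host names linked from a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_internal(host):
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def build_profile(history):
    """Summarise what 'normal' mail looks like for this user from past messages."""
    profile = {"senders": set(), "domains": Counter(),
               "link_domains": set(), "attachment_senders": set()}
    for msg in history:
        addr = msg["from_addr"].lower()
        profile["senders"].add(addr)
        profile["domains"][domain_of(addr)] += 1
        profile["link_domains"] |= link_domains(msg["body"])
        if msg["attachments"]:
            profile["attachment_senders"].add(addr)
    return profile


def assess(profile, msg):
    """Return the list of warnings a mail client could show for this message."""
    warnings = []
    addr = msg["from_addr"].lower()
    dom = domain_of(addr)
    if addr not in profile["senders"]:
        warnings.append(f"first message ever from {addr}")
    if dom not in profile["domains"]:
        warnings.append(f"sender domain {dom} has never been seen in this mailbox")
    # The display name is exactly what a public staff directory gives away;
    # a familiar name on an unfamiliar address is the spear phishing signature.
    expected = PUBLIC_STAFF.get(msg["from_name"])
    if expected and addr != expected.lower():
        warnings.append(f"display name '{msg['from_name']}' matches the public staff "
                        f"directory, but the address is {addr} rather than {expected}")
    for host in sorted(link_domains(msg["body"])):
        if host not in profile["link_domains"] and not is_internal(host):
            warnings.append(f"link to unfamiliar domain {host}")
    if msg["attachments"] and addr not in profile["attachment_senders"]:
        warnings.append("attachment from a sender who has not sent attachments before")
    return warnings


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for label, msg in (("benign", BENIGN_MESSAGE), ("suspicious", SUSPICIOUS_MESSAGE)):
        print(label, assess(profile, msg) or ["no warnings"])
```

Running it prints no warnings for the routine internal message and four for the newsletter look-alike: a never-seen sender and domain, a display name that matches the public staff directory but not its address, and a link to a domain the user has never been sent before. Surfacing those to the user, rather than silently dropping the message, is the trade-off Howard describes: the mail still arrives, but with context the recipient would otherwise lack.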
Of course, when speed of communication is of the essence, it isn't desirable to meddle with that too much. Any solution will have to protect the user whilst maintaining strong service levels.
These and other strategies will be part of Phalanx, a new product being developed by GTRI researchers to protect corporate networks from spear phishing. It will be part of Titan, a dynamic framework for malicious software analysis that they launched last spring.
I can really see how this could be a problem. I certainly trust emails I get at work much more than those I get to my personal email account, especially if the email is an internal newsletter or something.
Interesting piece on The Comment Group here at the BBC
http://www.bbc.co.uk/news/business-21371608
"They find the weakest link in the company," explains Jaime Blasco, from security specialists Alienvault.
"What they do is collect intelligence about the companies,"
"They try to find information from the internet, from other employees, from intranets, from Google… whatever."
Spear phishing is a terrible new threat to security. And most people don't think twice about responding to an email that is just slightly off. Think twice people!
The cost to businesses protecting against these and other types of attacks is huge. I run a number of e-commerce websites and security and protecting our data is my number one concern and causes me endless sleepless nights. It also takes up lots of my time which could be put to much better use elsewhere. However, obviously, awareness of such attacks is still somewhat limited as the perpetrators continue to profit and cause widespread nuisance.
Phishing and spam attacks are a major issue for my very small blog that has a small readership and absolutely no benefit to attackers, so I can only imagine how big a deal it is to large corporations operating in billion dollar industries.
Finding your post was beneficial for me, thanks a lot.