No matter how secure you think your data and your network are, it can all come crumbling down from just one phishing email or spear phishing campaign. Most employees aren’t trying to hand hackers their own information or the company’s data, yet it happens. Most employees will click on or respond to a well-crafted phishing or spear phishing email if it lands in their mailbox. Despite education efforts, 20-30% of recipients open standard phishing messages that arrive in their inbox and 12-20% of those click on any enclosed phishing links. These rates are already high, but they double for spear phishing emails.
Phishing is a hacking technique that “fishes” for victims by sending them deceptive emails. Virtually anyone on the internet has seen a phishing attack. Phishing attacks are mass emails that request confidential information or credentials under false pretenses, link to malicious websites or include malware as an attachment.
Many phishing sites look just like the sites they are impersonating. Often the only difference in a spoofed site is a slight, easily missed difference in the URL. Visitors can easily be manipulated into disclosing confidential information or credentials to the hacker once they have been induced to click the link. Even blacklisted phishing sites can often get past standard filters through the technique of time-bombing the URLs: the link initially points to an innocent page so that it passes the filters, and only later redirects to the malicious site.
Although malware is harder to get past filters than a link is, recently discovered and zero-day malware stands an excellent chance of getting through standard filters and being opened, especially when it is hidden in a non-executable file such as a PDF or Office document. This is how many of the recent ransomware attacks were pulled off. If an employee isn’t looking closely enough, they could be clicking a link that unleashes the hacker into your system.
Spear phishing is an enhanced version of phishing that takes aim at specific employees of the targeted organization. The goal is usually to gain unauthorized access to networks, data and applications. Often the initial email will contain no URL or attachment. Instead, it will simply try to induce the recipient to believe that the sender really is who they claim to be. Only later will the hacker request confidential credentials or information, or send a booby-trapped URL or attachment.
“But my staff is careful,” you might say. “They know what to look for,” you argue. But do they? A phishing attack is often just the first stage of a much larger hacking campaign. Once they are inside your system, hackers can do devastating damage by rifling through confidential customer lists, intellectual property, and emails, or even deleting critical data or encrypting it with ransomware.
Let’s look at a possible spear phishing scenario and how it plays out:
After cataloguing the executives in the “Our Team” section of the Widget Co. website, the attackers create a cross-reference of social graphs, using Facebook and LinkedIn accounts to build lists of who knows whom inside Widget Co. Then, by piecing together the social information, the attackers are ready to go spear phishing.
The attackers find an HR employee at Widget Co. named John Smith. Posing as Mr. Smith, the hackers target Smith’s Facebook friend and colleague, Jeff Jones, an HR manager at Widget Co. To build trust in the faked email address, the hacker posing as Mr. Smith sends his “friend,” Mr. Jones, a note asking about the family vacation he is currently on (according to pictures posted to Facebook). If Mr. Jones responds, the hacker is off to a good start. He’s successfully impersonating another Widget Co. employee and is starting to build trust in the faked email with his target. Mr. Jones replies and says he is enjoying his time away with his family. The two continue to banter about Mr. Jones’ family vacation as well as things going on in the office, including the names of people the attackers have already researched and placed in the social circle.
How can the attacker get away with this? Doesn’t Mr. Smith have a unique, domain-specific email through Widget Co.? Yes, he does. However, due to Widget Co.’s “Bring Your Own Device” (BYOD) policy, employees are able to use personal mobile devices to send messages to one another. In this case, the attacker knows from LinkedIn that Mr. Smith’s personal email address is email@example.com. The attacker creates a look-alike Gmail account, firstname.lastname@example.org. Mr. Jones doesn’t notice the difference, and the stage is set for the real attack.
The hackers know from LinkedIn that Jane Doe is a new employee working with Mr. Jones. The hacker posing as Mr. Smith sends Mr. Jones a PDF file of “new employee paperwork” that actually contains key-logging malware. If Mr. Jones opens the file, his device is instantly infected, his credentials are harvested, and the network is breached.
Alternatively, the fake Mr. Smith could send a note that says, “Hey, Jeff — I’m on the golf course, but I need to call the bank and make sure Jane Doe’s retirement plan is all set up. I can’t remember the login for the employee database system — can you help me out?” If Mr. Jones shares his login for the database, the hacker is inside. Either way, the phisher can collect Mr. Jones’ login credentials — a free pass to invade Widget Co.’s private networks. Any confidential employee data is at risk of being improperly accessed.
The target could just as easily have been in corporate finance, marketing and sales, IT, or any other department. Most employees have more than enough personal information in the public realm for their identity to be used to swindle another employee and compromise your network.
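A defender-side check for the look-alike address trick in the scenario above, added here as an example and not part of the original article. It compares each inbound From: header against a constructed employee directory (the names, domains and addresses are placeholders) and flags senders whose display name belongs to an employee but whose address is unregistered, or whose address is a near-copy of a registered one.

```python
from email.utils import parseaddr

# Constructed directory for the example: employee display name -> every
# address that employee is allowed to send from (corporate plus any personal
# address registered under the BYOD policy). Domains are placeholders.
EMPLOYEES = {
    "John Smith": {"john.smith@widgetco.example", "jsmith.home@example.com"},
    "Jeff Jones": {"jeff.jones@widgetco.example"},
}

def levenshtein(a, b):
    """Edit distance; a small value means one string is a near-copy of the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def local_part(addr):
    """Comparison key for an address: lower-case local part with dots and
    '+tag' suffixes removed, so j.smith / jsmith / jsmith+x compare equal."""
    local = addr.lower().partition("@")[0].split("+")[0]
    return local.replace(".", "")

def assess_sender(from_header, directory=EMPLOYEES, max_distance=2):
    """Classify a From: header as 'known', 'suspect' or 'unknown'."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    for emp, addrs in directory.items():
        if addr in addrs:
            return "known", f"address is registered to {emp}"
    key = local_part(addr)
    for emp, addrs in directory.items():
        # An employee's display name on an address that was never registered
        # is exactly the trick used against Mr. Jones in the scenario.
        if name.lower() == emp.lower():
            return "suspect", f"display name '{emp}' on unregistered address {addr}"
        for known in addrs:
            if levenshtein(key, local_part(known)) <= max_distance:
                return "suspect", f"{addr} is a near-copy of {emp}'s {known}"
    return "unknown", "no resemblance to anyone in the directory"

if __name__ == "__main__":
    # Constructed headers in the shape of the Widget Co. scenario.
    for hdr in ["Jeff Jones <jeff.jones@widgetco.example>",
                "John Smith <john.smith.hr@gmail.com>",
                "Jon Smith <jon.smith@widgetco.example>",
                "Vendor Billing <ap@vendor.example>"]:
        print(hdr, "->", assess_sender(hdr))
```

A 'suspect' verdict is a reason to hold the message for review or to confirm the request over a second channel before credentials or attachments change hands.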