Cyber-criminals have an extensive history of conducting attacks that cast a wide net hitting as many people as possible. Nearly everyone has received emails from a wealthy foreign banker or a Nigerian prince offering to pay you an exorbitant sum of money in return for sending them a couple of thousand.
For us security pros, it’s a no brainer and most consumers are hip to this scam now, but there is an even more devious form of trickery that is no joke at all.
Cyber-Criminals Get Personal
Most phishing efforts are easy for individuals to sniff out because they contain bold requests, misspelled words, or questionable attachments that raise red flags. However, we are seeing a rapid increase in personalised attacks that are exceedingly difficult to spot, especially for people who aren’t aware that cybercriminals are this sophisticated. If you take a look at the image below, the message itself doesn’t appear to be suspicious. It seems to be coming from Microsoft to alert you that they need to reactivate your Office 365 email account.
There is one red flag, but it’s very subtle:
- It mentions how the user’s account “has been suspended” – which is not a typical action of Office 365 accounts.
The truth is most untrained people would fall for this not thinking twice about following instructions just to get it over with. This level of personalized message attacks comes in all forms; impersonating your bank, airline, delivery service and even your employer.
Individuals and organizations alike have unwittingly wired money, sent tax information, and emailed credentials to criminals who were impersonating their boss, colleague, or trusted customer. For email, Office 365 especially is still a relatively new tool with a large and growing user base, and attackers are taking advantage of the accessibility.
What happens When You Take the Bait?
This particular spear phishing attack is aimed to steal your user name and password, and if you fall for it, it’s game on. We see a few menacing scenarios play out from this point:
- The attacker will set up forwarding rules on the account to observe the user’s behavior and communication patterns. This knowledge is leveraged for future attacks such as ransomware or other advanced threats.
- Attackers use the compromised account to send messages to other people or colleagues attempting to collect additional credentials and information. This can be a forwarded PDF to a colleague to view by providing email and password. In addition, attackers will send fake invoices for payment requesting ‘urgent’ action that needs attention.
The Costliest Form of Cyber-Attack: Spear Phishing
Due to the level of homework and patience it takes for a hacker to carry out these attacks, they target whales; the CEO, CFO, HR, legal teams and even assistants. Today’s chilling truth is that spear phishing attacks are the costliest, trickiest to detect and not going away anytime soon. The FBI estimates that organizations have lost five billion dollars so far in fraudulent wire transfers to spear phishing attacks. The average cost of a spear phishing attack for businesses is upwards of $1.6m.
Spear phishing attack vectors are also growing. Spoof messages are being delivered to mobile devices through text messages and other services including Skype and Slack. Artificial Intelligence is also being used by criminals to better target attacks to specific times of day or location using data from social media feeds.
Taking Action Immediately (For Your Sake)
There are three layers that organizations should be implementing now to combat spear phishing which include; user training and awareness, multi factor authentication, real-time analytics and AI.
Training
Employees should be regularly trained and tested to increase their security awareness of various targeted attacks including phishing, spear phishing, ransomware. This alongside with tactics attackers use including spoofing, social engineering, business email compromise and insider impersonation. Staging simulated attacks for training purposes is by far the most effective activity for prevention.
Authentication
Multi factor authentication is a must for user credentials now. In light of the recent discovery which found the largest collection of breached data in history, comprising more than 770 million email addresses and passwords posting to a popular hacking forum in mid-December, implementing an additional security layer on top of the normal username and password is critical. Multi factor can institute many different effective methods including, SMS codes or mobile calls, key fobs, biometric thumb print or retina scan, and personal information layers (e.g. your childhood nickname).
AI
Artificial Intelligence now offers some of the strongest hope of shutting down spear phishing. By learning and analyzing an organization’s unique communications patterns, an AI engine can sniff out inconsistencies and quarantine attacks in real-time. As the artificial intelligence matures within an organization it becomes more effective based on the metadata that it has analyzed. This is very promising, but not a silver bullet. It takes a multitude of efforts to thwart cybercriminals effectively. We must continue to innovate new methods and technologies as we know well cybercriminals are doing the same thing.
You can discuss your breach prevention needs in person with Barracuda on stand C150 at Infosecurity Europe in London from 4-6 June. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.