To carry out ethical spear phishing attacks in order to help organizations test their security awareness and attack preparedness levels, True begins by using the same techniques as cyber criminals, conducting online research to gather information about our targets that can be used to attempt to deceive individuals within an organization. Like malicious attackers, we search the web for publicly accessible documents on the target's website, employee names, email addresses, phone numbers, company policies, business plans, internal communications, and any other available information sources that may be useful to our scheme.
Armed with this information, an attacker can target a specific employee or group of employees based on their position(s) within the organization and their perceived level of access to systems or information, and make contact via email or phone, pretending to be a legitimate contact within or outside of the organization.
With email spear phishing, an attacker creates a "spoofed" (or imitation) email that is sent to targets. To help make the email appear legitimate, the attacker may register a domain name that is nearly identical to that of the target organization in order to instill a false sense of security at first glance.
The content of phishing emails differs from attack to attack. Some include links to malicious websites (that look real) in order to infect the target's computer or steal login credentials. Others articulate fake scenarios that sound plausible in an attempt to get the target to transfer funds to a "client," divulge confidential information, or assist the attacker with gathering other useful information for use in further attacks.
Attackers also use the phone system, taking advantage of caller ID spoofing technology, which allows an attacker to call from anywhere while presenting a caller ID number of their choosing, such as a number internal to the organization.
Attackers can pretend to be anyone in the organization and use name dropping (drawn from their web research) in an attempt to fool targets. They may set the stage by telling you they are a representative from your IT department who has had trouble updating your computer, or that a special update is required that you must perform yourself. They may spell out a link for you over the phone or email it to you on the spot. If you visit the link, a malware-loaded package downloads automatically and a backdoor is installed on your computer. Other infections can take place at the same time, such as HTTP redirects or keyloggers. Whichever method is used, once the malware has been downloaded the attacker has gained access to your machine.
Spear phishing attacks are among the most successful types of attack and can also represent the highest risk, because the attacker chooses the target specifically, approaches the attack with a strategy in mind, and has definite goals. The attacker typically believes the person being targeted has the access they want. Furthermore, no amount of security software can completely mitigate this threat. The only way to reduce the level of risk is to regularly reinforce Information Security Training & Awareness for your organization and to develop (and practice) Incident Response procedures.
The spear phisher's entire attack hinges on a false "sense of security" and on users not paying attention to every detail. To mitigate the risk of falling victim to this type of attack, the following steps are recommended:
- Limit the number of corporate documents that are available on the Internet that could aid an attacker's strategy.
- Avoid providing employee names or email addresses on the corporate website unless absolutely necessary.
- Increase phishing awareness by ensuring employees understand the risks spear phishing poses to the organization and regularly receive the latest information about spear phishing and how to mitigate it. Teach them to:
  - Pay close attention to any email that "needs" something from you, whether information or a task to perform, and check the sending email address and the email's overall legitimacy.
  - Contact the supposed sender of the email if there are inconsistencies or if you question whether the email is legitimate. Do not respond directly to the email or call a phone number contained in the email; instead, find this contact information from a legitimate source before attempting contact.
  - Ensure that any links in the email are not misspelled.
  - Ensure that, once at a link that requires logging in, https:// precedes the website address and not just http://.
  - Ensure that if a link uses https://, there is a small lock to the left or right of the link in the address bar (to the left in Chrome and Firefox, and to the right in Internet Explorer).
- Instruct employees to never provide login credentials over the phone or in email, no matter how convincing the request.
- Perform Email and Phone Phishing Social Engineering Assessments to test employee knowledge about phishing and the internal processes in place to respond to these attacks, and use the actual testing and results to educate users on the techniques malicious actors use to attempt to gain access to the network.
- From a technology perspective, at a minimum, using a customizable, server-side spam filter is recommended.
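The lookalike-domain trick described earlier and the sender-address and https:// checks in the list above can be automated as a first-pass screening rule, for example inside a customizable server-side filter. The following is an added example and not True's own tooling; the corporate domain and the sample message are constructed, and the similarity threshold is an assumed tuning value.

```python
import re
from difflib import SequenceMatcher
from typing import List
from urllib.parse import urlparse

# Assumed organization domain (constructed for this example).
CORP_DOMAIN = "example-corp.com"
LINK_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def belongs_to(host: str, corp_domain: str = CORP_DOMAIN) -> bool:
    """True for the corporate domain itself and any of its subdomains."""
    host, corp_domain = host.lower(), corp_domain.lower()
    return host == corp_domain or host.endswith("." + corp_domain)


def is_lookalike(host: str, corp_domain: str = CORP_DOMAIN, threshold: float = 0.8) -> bool:
    """Flag a host that is nearly, but not actually, the corporate domain.

    Legitimate subdomains are excluded first so that e.g. login.example-corp.com
    is never reported; the 0.8 ratio threshold is an assumed tuning value.
    """
    if belongs_to(host, corp_domain):
        return False
    return SequenceMatcher(None, host.lower(), corp_domain.lower()).ratio() >= threshold


def screen_message(from_addr: str, body: str, corp_domain: str = CORP_DOMAIN) -> List[str]:
    """Return findings for the awareness checks: sender domain, link spelling, https."""
    findings = []
    sender_domain = from_addr.rsplit("@", 1)[-1]
    if is_lookalike(sender_domain, corp_domain):
        findings.append(f"sender domain '{sender_domain}' imitates '{corp_domain}'")
    for url in LINK_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.scheme.lower() != "https":
            findings.append(f"link to '{host}' uses plain http://, not https://")
        if is_lookalike(host, corp_domain):
            findings.append(f"link host '{host}' imitates '{corp_domain}'")
    return findings


if __name__ == "__main__":
    # Constructed sample: a "zero" replaces the "o" in the sender and link domain.
    sample_from = "it-support@example-c0rp.com"
    sample_body = "Please update your password at http://example-c0rp.com/login before 5pm."
    for finding in screen_message(sample_from, sample_body):
        print("FLAG:", finding)
```

A message that passes this rule is not proven safe; the rule only surfaces the cues employees are taught to look for, so the human checks in the list still apply.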
Please feel free to share this article with your organization to assist with your Security Awareness Training efforts.