Analysts estimate that companies will spend more than $76 billion this year on cybersecurity; however, the greatest security risk may be posed by their own unsuspecting employees. A danger called “spear phishing” is causing more and more sleepless nights for information technology departments trying to prevent their colleagues from inadvertently compromising their companies’ confidential information.
Spear phishing is an e-mail fraud attempt that targets specific individuals within an organization, seeking unauthorized access to confidential data or trade secrets. Spear phishing attempts are not typically initiated by hackers but by perpetrators specifically seeking financial gain, trade secrets or military information. In order to succeed, spear phishing really requires three things: (1) The supposed source must appear to be a known and trusted individual, (2) it must contain information within the email that validates that the source is who he/she claims to be, and (3) the request being made seems to make sense to the recipient.
To pull this off, many fraudsters troll for publicly available information on the Internet to build digital dossiers on the employees they target. This process has become known as “social engineering” and in the age of LinkedIn, the details of a potential target’s career and responsibilities may be on the web for all to see, and for some to misuse in an email that may sound more credible.
Experts say it is not “technically difficult” to search for websites hosted by a specific provider and obtain e-mail addresses of the registered owners and administrators. With the information in hand, the employees receive a phishing e-mail requesting them to log in to confirm or update some information. The fraudsters are then able to intercept the username and passwords used to manage the sites.
How serious is the problem? Well, Symantec recently reported that at least 50 companies, many of them in the defense and chemical industries, have been attacked through spear phishing efforts aimed at stealing research and development data. The “Nitro” attacks, as Symantec called them, started in late July 2011, and lasted through September. Two months ago, more than 400 Websites hosted with domain registrar GoDaddy were compromised, redirecting unsuspecting visitors to a malicious site, in an apparent spear phishing attack. GoDaddy admitted that “many” sites hosted on its servers had their Apache configuration files modified to include rules to redirect visitors to another domain. GoDaddy’s security team identified approximately 445 hosting accounts that had been compromised and ahd cleaned up the affected accounts within the next day.
Junior or inexperienced employees are not the only ones being duped. In 2008, nearly 1,800 senior executives took the bait of messages masquerading as an official subpoena requiring the executive to appear before a federal grand jury. The emails correctly addressed CEOs and other high-ranking executives by their full name and included their phone number and company name. Recipients who clicked on a link that offered a more detailed copy of the subpoena were taken to a website that informed them they had to install a browser add-on in order to read the document. When they clicked “yes,” a back door and key logging software was installed that stole log-in credentials used on websites for banks and other sensitive organizations. This practice of targeting high profile recipients is better known as “harpooning” or “whaling.”
How can companies protect themselves? A recent Wall Sreet Journal article noted that corporate IT “needs a new defense doctrine,” quoting RSA’s head of identity protection, Uri Rivner. “You need to have security cover inside your organization, rather than your perimeter. You need to understand what your users are doing, and then spot any type of suspicious activity inside.” RSA was the subject of a well-publicized spear phishing attack earlier this year; after that attack, RSA purchased a firm called Netwitness that monitors network traffic for suspicious patterns.
Other companies have invested in technology that moves employee-generated network activity (such as that from a personal iPad or iPhone) into a separate network, so that the risk of employees inadvertently introducing viruses into the company’s systems are minimized.
Another approach some companies are using to prevent the unsuspecting disclosure of log-in and passwords is through the use of key codes. This technology, also known as two-factor authentication, provides employees with an algorithmically generated number that can only be used for a limited number of log-ins. Employees typically enter the key code after their username and password. This safeguard may be particularly useful in protecting information on employees’ iPhones, Droids or other similar devices.
Other companies have even gone so far as to stage spear phishing attacks against their own employees to make sure they are alert to these dangers. According to the Wall Street Journal, former hacker Kevin Mitnick has built a new career out of offering training on social engineering and hacking techniques, and running test attacks on companies to help executives and employees understand how vulnerable they are. “There is always a way to manipulate somebody by changing their perception of what is reality,” says Mitnick.
At the end of the day, none of these safeguards can replace employee vigilance against the fraudsters trying to dupe them. Companies should consistently remind employees about good practices, such as never emailing a company username and password, even if they think the request is from their supervisor or from their IT department. In short, it comes down to training and reinforcing a culture of security and vigilance.