Spear Phishing: The Three Major Types Of Attacks, And Best Practices To Counter Them
James Forbes-May, VP, Asia-Pacific, Barracuda Networks
Spear phishing (targeted and highly personalized e-mail attacks) is fast becoming the weapon of choice among cybercriminals. It requires more work on their part, detailed research on targets and meticulously crafted messages, but the payoffs can be huge. And the costs to victims and their organizations are even more severe. Industry estimates have the average cost to an organization hit by a spear phishing attack hovering toward US$2 million. Then there are high-profile cases such as: US healthcare insurer Anthem, which had to settle a US$115 million class action suit over a spear phishing attack that gave hackers access to more than 78 million healthcare records; Austrian aerospace parts maker FACC, which lost US$47 million; Belgian bank Crelan, US$75 million; and Facebook and Google, US$100 million.
Spear phishing needs to be comprehensively addressed as part of any organization’s information security strategy. To aid in that effort, our researchers here at Barracuda evaluated more than 360,000 spear phishing emails over three months and identified and analyzed the three major types of spear phishing attack in use today: Brand Impersonation, Blackmail (Sextortion) and Business Email Compromise. They also prescribed steps organizations can take to counter them.
Brand Impersonation, which accounts for more than 80 percent of spear phishing attacks, typically involves scammers using email to impersonate a trusted entity (such as a well-known company) and trying to get recipients to provide account details or click on malicious links. Traditional email security is especially vulnerable to brand-impersonation attacks. They look like they come from high-reputation senders and can often bypass traditional email security, which relies on blacklists and reputation analysis to evaluate incoming mail. They often include “zero-day” links, so they are not likely to be blocked by URL-protection technologies. And they are launched from legitimate (albeit compromised) accounts, so gateways consider them safe.
Blackmail (Sextortion) makes up more than 10 percent of spear phishing attacks. In most sextortion scams, the attackers use stolen usernames and passwords to send threatening emails to victims and extort money from them. They claim to have compromising video, images or other content from the victim’s computer and threaten to share it with all of the victim’s email contacts unless a ransom is paid in Bitcoin. These attacks also get through traditional email security easily because they usually contain no malicious links or attachments and are sent from high-reputation senders and IPs (e.g. already-compromised Office 365 or Gmail accounts).
Scammers have also become increasingly sophisticated in their approach and techniques: they now use advanced social engineering tactics, and vary and personalize the content of their emails so well that they easily slip through spam filters.
Business Email Compromise (also referred to as CEO fraud, whaling, and wire-transfer fraud) represents only 6 percent of spear phishing attacks but has incurred US$12.5 billion in losses since 2013, according to the FBI. In most business email compromise attacks, scammers impersonate an employee within the victim’s organization, and use spoofing, social-engineering tactics, and compromised accounts to get what they want, which ranges from sensitive financial and personal information to having a wire transfer made. Business email compromise scammers are among the most sophisticated cybercriminals today. Their attacks are carefully designed, targeted, and few, so they will not be recognized as spam. They are launched from email services with high-reputation scores so that they can pass through security gateways easily. They contain no malicious links or attachments, so they are very difficult to detect and block with traditional email security. They come from legitimate (but compromised) accounts, and use domain and display-name spoofing, so they look more authentic to the victim. And to top it all off, scammers in this class use advanced social-engineering tactics to appear even more convincing to the victim.
WHAT YOU MUST DO: 8 WAYS TO COUNTER SPEAR PHISHING
According to our experts at Barracuda, every business should consider employing the following best practices to protect itself against attacks by the most sophisticated and resourceful cyber criminals today.
• Do not rely solely on traditional email security that uses blacklists for spear phishing and brand-impersonation detection. Such tools do not sufficiently protect against attacks that use “zero-day” links, which are often hosted on domains that have either been inserted into legitimate websites or never been used in previous malicious attacks.
• Take advantage of artificial intelligence (AI) to counter spear phishing attacks of the business email compromise, brand impersonation, and sextortion varieties. Use purpose-built technology that does not rely solely on looking for malicious links or attachments in an email but leverages machine learning to analyze normal communication patterns within the organization and spot anomalies that indicate a possible attack.
• Deploy account-takeover protection. Use technology that leverages AI to recognize when accounts have been compromised and remediates in real time by alerting users and removing malicious emails sent from compromised accounts.
• Implement DMARC (Domain-based Message Authentication, Reporting and Conformance) authentication and enforcement to help stop brand hijacking and domain spoofing (which is often used in impersonation attacks), and use DMARC reporting and analysis to guide enforcement.
• Use multi-factor authentication, such as an authentication code, thumbprint or retinal scan, to add a layer of security to the username and password.
• Educate users about spear phishing attacks so they can recognize fraudulent emails and know how to report them, and have procedures in place to confirm requests that come in by email, including those that involve making wire transfers and buying gift cards.
• Conduct regular searches to detect emails with content known to be popular with cybercriminals, including subject lines related to password changes and security alerts.
• Ensure emails containing confidential, personally identifiable and other sensitive information never leave the company, with the right combination of business policies and technologies.
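Two of the recommendations above lend themselves to a concrete check. The first is the DMARC point: a domain can publish a DMARC record and still be fully spoofable if the policy is `p=none` (monitoring only), applied to only part of the traffic (`pct` below 100), or weaker for subdomains (`sp`). The second is the recommendation to search mailboxes for content known to be popular with criminals, such as subject lines about password changes and security alerts, to which the sextortion pattern (a leaked password plus a Bitcoin demand) is a natural addition. The example below is added here and is not Barracuda's code: it parses a DMARC TXT record into its tags and reports what still leaves the domain exposed, and separately runs a keyword search over a constructed sample mailbox. The records, domains, addresses and messages are all made up for the example.

```python
import re
from dataclasses import dataclass

# ---- Part 1: DMARC record assessment -------------------------------------
# Constructed records (hypothetical domain): a monitoring-only record beside an
# enforced one. Tag names (v, p, sp, pct, rua, ruf, adkim, aspf) are the ones
# defined for DMARC.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCED = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
            "rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com")

_POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and validate the required tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if tags.get("p", "").lower() not in _POLICY_RANK:
        raise ValueError("missing or invalid p= policy tag")
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy, whether it actually enforces, and the gaps."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    subpolicy = tags.get("sp", policy).lower()     # sp defaults to p
    pct = int(tags.get("pct", "100"))              # pct defaults to 100
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is filed as spam, not rejected")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if _POLICY_RANK.get(subpolicy, -1) < _POLICY_RANK[policy]:
        findings.append(f"sp={subpolicy}: subdomains are protected less than the apex domain")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected, so spoofing goes unseen")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "enforcing": enforcing, "findings": findings}


# ---- Part 2: mailbox search for criminal-favoured content ------------------
@dataclass
class Message:
    sender: str
    subject: str
    body: str


# Constructed sample mailbox, not real mail. The lookalike domain, the
# "hunter2" password and the wallet placeholder are all made up.
SAMPLE_MAILBOX = [
    Message("it-helpdesk@examp1e.com", "Action required: your password expires today",
            "Click here to keep your password, or your mailbox will be closed."),
    Message("noreply@mail-alerts.net", "Security alert: unusual sign-in activity",
            "We detected a sign-in from a new device. Review it now."),
    Message("x7q2p@mailer.invalid", "Re: your old password",
            "I know your password is hunter2. I have a video of you from your webcam. "
            "Send 0.5 bitcoin to <wallet-address> within 48 hours."),
    Message("colleague@example.com", "Lunch on Friday?", "Same place as last time?"),
]

SUBJECT_PATTERNS = {
    "password-change": re.compile(r"\b(password|passcode)\b.*\b(expir|reset|change|update)", re.I),
    "security-alert": re.compile(
        r"\b(security|sign-?in|login)\s+(alert|notice|warning)\b|unusual (sign-?in|activity)", re.I),
    "account-suspension": re.compile(r"\b(account|mailbox)\b.*\b(suspend|deactivat|locked|verify)", re.I),
}
BODY_PATTERNS = {
    "sextortion": re.compile(
        r"\b(bitcoin|btc)\b.*\b(webcam|video|recording|password)\b"
        r"|\b(webcam|video|recording)\b.*\b(bitcoin|btc)\b", re.I | re.S),
}


def search_mailbox(messages) -> list:
    """Return [{'index', 'sender', 'categories'}] for every message that hits a pattern."""
    hits = []
    for i, msg in enumerate(messages):
        cats = [name for name, rx in SUBJECT_PATTERNS.items() if rx.search(msg.subject)]
        cats += [name for name, rx in BODY_PATTERNS.items() if rx.search(msg.body)]
        if cats:
            hits.append({"index": i, "sender": msg.sender, "categories": cats})
    return hits


if __name__ == "__main__":
    for rec in (MONITOR_ONLY, ENFORCED):
        print(assess_dmarc(rec))
    for hit in search_mailbox(SAMPLE_MAILBOX):
        print(hit)
```

The DMARC assessment is meant to be run against the live TXT record (for example, the output of `dig TXT _dmarc.example.com`) and re-run as the policy is ratcheted from `none` to `quarantine` to `reject`; the `rua` check matters because the aggregate reports are what tell you which legitimate senders still fail alignment before enforcement is switched on. The mailbox search is a starting point only: the patterns are coarse by design so they can be tuned against an organization's own false-positive rate, and the hits should feed a review queue rather than an automatic delete.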