The Problem: Your organization is 3 months away from completing a massive 5 year project- the results of which will catapult the organization into the public consciousness and make huge sweeping changes to the way the organization functions for the better.
Over the past several days though, there has been talk of a large number of people being phoned repeatedly by persons claiming to be from a legal organization that has pressing need to speak with a very specific set of individuals in upper management within the organization. Unusual, but not unheard of. The calls get routed up, and nothing else is heard from for several days. Then over the next week, word starts to trickle down about major legal problems coming down the pipe, and it’s reported that there are black cars out front with people in suits and sunglasses watching the building. As a result, the general feel of the building is anxious and causing a lot of people to be on edge and jump to conclusions.
Finally, after a month of dealing with high-stress situations an announcement is emailed out to the organization that the issues that some people may have heard about has been taken care of and there is nothing to worry about.
36 hours later, news crews are in front of one of your organizations rivals with announcements of their project which just happens to have exactly the same results that your organization was going to announce, and more than a few members of the upper management in your organization are being escorted out of the building.
“Spear-Phishing” is a form of phishing that specifically targets certain individuals. As a result, the attempts to get their attention more often are much more polished than the “We need your cardit card numbers” emails and are more likely to have very official looking seals and corroborating information to get them past the organization’s first level defenses. As a result, spear-phishing can cost the targeted individual and organization much more than the average blind phishing attempt.
The Solution: Spear-Phishing requires user education to be able to pick up on specific tells that something isn’t quite right, but there are also some automated and manual solutions that can be of great benefit.
Solution the First: Web of Trust
Browser add-ons can be helpful or harmful depending on which ones you’re using, but the Web of Trust add-on is exceptionally good for picking up on changes to the address you’re visiting. For example: if you receive an email asking you to go to fbi.gov, but when you click on the link it actually takes you to fbi.gov.hahaha.gotyou, that would be a bad thing. Web of Trust can pick up on this, and if the site has a bad reputation will stop you from progressing further into the site. Various Anti-virus vendors also have a version of this in their own browser add-ons, so make sure to use the one that works best for your environment.
Solution the Second: Spam Filtering
While not as effective in spear-phishing, standard phishing attempts can be blocked in many cases through the use of spam filtering. Larger organizations more often than not use some form of subscription service to have it managed automatically, or to find out what addresses to load into their own software. One of the largest in this arena is Spamhaus, who’s only purpose is to track spammers and malware distributors.
Solution the Third: Independent Verification
The recommended method every time you receive an email that seems unusual, such as ‘you owe us xxx dollars, please login here’ or ‘your account has been compromised, please login here’, or any such prompt is to close out the email open up your browser and login through the standard method. The reason for doing it this way, is because by clicking on the link it is possible to catch your credentials through the use of any number of tricks. So if your account wasn’t compromised before clicking- it would be afterwards. This goes for many different attack vectors as well- you receive a call from the “FBI”, look up the local branches number on fbi.gov and give them a call to find out if there’s an active case and if there isn’t- let them know what you’re running into and one will be opened on your behalf. The same for utility vendors, lawyers, internet providers, and the list goes on and on.
Spear-Phishing can be an incredibly dangerous attack on an organization, especially on those that have upper-level management exempt from typical security measures. Being able to verify if someone on the other end of a phone call or email is actually who they say they are is absolutely essential, especially since it could have very large ripple effects.
Kurt Ellzey has been involved in Information Security and Technology for the better part of the past 15 years. During that time, he has been published as part of the compilation Security 3.0, the writer for the Ramp with 5 Levels, and a contributor at LIFARS with the Weird Security Term of the Week series. More information about Kurt can be found on LinkedIn or on Twitter.