I was conducting a spear phishing campaign some time ago for a client here at LIFARS, and as suspected, it was a success. For a quick catch up, spear phishing is when emails are targeted specifically to individuals and done with high quality messages and exploits. The victims are usually C-Level, directors, HR, accountants, IT admins, or anyone else with higher than average privilege. The reason these campaigns are so hard to notice before the target is exploited, is that the attackers put in research before they begin. It is not standard spam, where there are plenty of misspellings or sales of unwanted items. This is even more deadly than standard phishing, as these emails are low in volume and targeted to employees with higher permissions. This makes the emails less likely to be caught by filters or to be noticed by recipients that are aware.
How I created my attack was simple, once a contract was signed and a list of employees given, I began to craft the campaign. First I copied the style and syntax of the person I was impersonating. This tricks employees who would notice an overly formal letter from their to-the-point boss. This is the hardest part to prevent. When an attacker can impersonate a manager’s or supervisor’s language, it becomes almost impossible to prevent some level of compromise.
Next I chose the exploits I would be using to test each recipient’s gullibility. These included read-receipts, attachments, and a link where an employee could put in their email username and password. This way I could see who opened my message, who downloaded/previewed the attachment, who clicked on the link, and who gave me their log on credentials. These allowed me to help craft our follow-up educational material and gave me insight to how vulnerable the company was. Of course, all it takes is a smart attacker, a vulnerable system, and a single employee to click on that attachment and the company is compromised. This is exactly what happened to RSA.
Lastly I picked a great time to attack. This is also key, as an employee that is tired, in a rush, or behind in work (like coming back from a vacation with hundreds of unread emails) are especially vulnerable. The attack was then launched and succeeded within an hour. Most employees clicked on the attachment, because who wouldn’t? – It’s from the boss marked urgent and written as they write. Then some employees also clicked on the link as well when the document seemed odd, which would make them susceptible to drive-by downloads. Of course, a small percentage entered in log on credentials. With spear phishing, any non-zero statistic means the staff is vulnerable, and this campaign proved that.
So how does one prevent this? First the company needs a robust anti-malware and phishing filter for emails (see my other article here). Once this is in place it will reduce the number of campaigns significantly, and increase the level of sophistication required to compromise a system or user. Next employees should be trained often. This is necessary just to make sure everyone is always aware of the threats. Lastly, a service like ours should be used to test recently trained employees. We recommend this be done about half as much as training, just to keep employees on their toes and vigilant.