Best practices to close the door to spear-phishing attacks

IT Best Practices Alert By Linda Musthaler, Network World
December 06, 2012 10:10 AM ET

Network World - In a recent report, Trend Micro summarized its findings from a detailed analysis of attack vectors for the dissemination of advanced persistent threats (APTs). The security vendor found that 91% of targeted attacks involve spear-phishing email. This confirms the school of thought that attackers often target a specific person in order to gain access to a specific network and coveted confidential information on that network.

Spear-phishing is the practice of using personal information to gain a person's confidence to make an attack more targeted. We commonly think of spear-phishing being done by email because the attacker can easily include an attachment or embed a Web link that will lead the recipient to download malware that sets up the ensuing system compromise.

Although the practice of spear-phishing has been around for years, it's still a very effective method to get an attacker inside the firewall. Trend Micro points to two recent high-profile data breaches -- at email service provider Epsilon and at security firm RSA -- that can be traced to spear-phishing emails as the point of origin for allowing the attackers in the door. It goes to show that even people who should be aware of the scamming technique can still fall victim to its charms.

The personalized nature of the email message may use context that is specific to the recipient; for example, it might reference a project the recipient is working on or a conference she just attended. Unfortunately, this is information that can be garnered from numerous sources, including social networks and even company websites. Somehow this contextual information makes the email feel legitimate, which serves to prompt the victim to click on the malicious attachment or URL.

According to Trend Micro's research, 94% of spear-phishing emails use malicious file attachments. People often share work-related files via email, so the inclusion of an attachment isn't likely to raise suspicions. What's more, attackers tend to use attachments in the actual or spoofed file types that are most commonly sent via email: .XLS, .PDF, .DOCX and .DOC. Executable (.EXE) files are not commonly used as spear-phishing attachments because many security solutions block them. Attackers know this and hide their malicious executable file as a compressed file or some other file type.
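
A mail gateway can check for the two disguises described above: an attachment whose content does not match its extension, and an executable tucked inside a compressed file. The following is an added example, not code from this article or from Trend Micro's report; the function names, the executable-extension list and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes of the attachment types the article names (plus .zip).
MAGIC = {".pdf": b"%PDF", ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
         ".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}
EXEC_EXT = (".exe", ".scr", ".com", ".pif")  # assumed policy list of executable names

def ext_of(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def inspect_attachment(name, data):
    """Return reasons the attachment looks disguised; an empty list means none found."""
    findings, ext = [], ext_of(name)
    if data[:2] == b"MZ" and ext not in EXEC_EXT:      # Windows PE/DOS header
        findings.append("executable content behind '%s' name" % ext)
    elif ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append("content does not match '%s'" % ext)
    if data.startswith(b"PK\x03\x04"):                  # ZIP container: look inside
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                findings += ["archive contains executable " + m
                             for m in zf.namelist() if ext_of(m) in EXEC_EXT]
        except zipfile.BadZipFile:
            findings.append("malformed archive")
    return findings

def scan_message(raw):
    """Map each attachment filename in a raw RFC 5322 message to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): inspect_attachment(p.get_filename() or "", p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def build_sample():
    """Constructed test message; the 'executables' are inert placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.exe", b"MZ" + b"\x00" * 16)
    msg = EmailMessage()
    msg["Subject"] = "Conference follow-up"
    msg.set_content("Slides attached.")
    for name, data in {"report.pdf": b"%PDF-1.4\n%%EOF\n",
                       "invoice.xls": b"MZ" + b"\x00" * 16,
                       "slides.zip": buf.getvalue()}.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` leaves the genuine PDF clean and flags both the spoofed spreadsheet and the archive.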

Once a targeted victim takes the bait and opens the file or URL, a remote access Trojan (RAT) is typically installed on the person's computer. The RAT profiles the target network and looks for desirable data to steal. Because the RAT can often remain undetected and continue to exfiltrate data for a while, it is considered "persistent," thus the name "advanced persistent threat." This attack technique can result in considerable damage to the victim company.

Attackers often target "high value" people within an organization -- people whose login credentials or job role can provide access to highly desirable data. While company executives certainly fall into this category, so do employees in departments such as human resources, accounting, finance and information technology. Consider what would happen if an IT administrator's workstation were compromised; an attacker could change all sorts of network access permissions, making it even easier to steal data.

Linda Musthaler is a principal analyst with Essential Solutions Corporation.
