Best practices to close the door to spear-phishing attacks

Security firm Trend Micro has identified spear-phishing emails as a top vector for allowing advanced persistent threats (APTs) onto company networks. Attackers use personal information to gain a victim's confidence and then zap him or her with malware that can scout for and exfiltrate confidential data. Share these best practices with your colleagues to "avoid the spear."

In a recent report, Trend Micro summarized its findings from a detailed analysis of attack vectors for the dissemination of advanced persistent threats (APTs). The security vendor found that 91% of targeted attacks involve spear-phishing email. This confirms the school of thought that attackers often target a specific person in order to gain access to a specific network and coveted confidential information on that network.

Spear-phishing is the practice of using personal information to gain a person's confidence to make an attack more targeted. We commonly think of spear-phishing being done by email because the attacker can easily include an attachment or embed a Web link that will lead the recipient to download malware that sets up the ensuing system compromise.


Although the practice of spear-phishing has been around for years, it's still a very effective method to get an attacker inside the firewall. Trend Micro points to two recent high-profile data breaches -- at email service provider Epsilon and at security firm RSA -- that can be traced to spear-phishing emails as the point of origin for allowing the attackers in the door. It goes to show that even people who should be aware of the scamming technique can still fall victim to its charms.

The personalized nature of the email message may use context that is specific to the recipient; for example, it might reference a project the recipient is working on or a conference she just attended. Unfortunately, this is information that can be garnered from numerous sources, including social networks and even company websites. Somehow this contextual information makes the email feel legitimate, which serves to prompt the victim to click on the malicious attachment or URL.

According to Trend Micro's research, 94% of spear-phishing emails use malicious file attachments. People often share work-related files via email, so the inclusion of an attachment isn't likely to raise suspicions. What's more, attackers tend to use attachments in the actual or spoofed file types that are most commonly sent via email: .XLS, .PDF, .DOCX and .DOC. Executable (.EXE) files are not commonly used as spear-phishing attachments because many security solutions block them. Attackers know this and hide their malicious executable file as a compressed file or some other file type.
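The disguises described above (a spoofed file type, or an executable tucked inside a compressed file) can be caught at the mail gateway by comparing what an attachment claims to be with what its bytes say. This is an added example, not code from the article or from Trend Micro; the signature table, the allowed-container mapping and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Leading bytes of the file types named in the article, plus the PE header.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",        # .docx and .xlsx are ZIP containers too
    b"\xd0\xcf\x11\xe0": "ole",  # legacy .doc / .xls
    b"MZ": "exe",                # Windows executable
}
# Container types that are legitimate for each claimed extension.
ALLOWED = {"pdf": {"pdf"}, "doc": {"ole"}, "xls": {"ole"},
           "docx": {"zip"}, "xlsx": {"zip"}, "zip": {"zip"}}
EXEC_EXT = {"exe", "scr", "com", "bat", "js", "vbs", "pif"}


def detect_type(data: bytes) -> str:
    # Identify the real container type from the first bytes.
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def check_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means none."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXEC_EXT:
        findings.append(f"executable extension .{ext}")
    actual = detect_type(data)
    if ext in ALLOWED and actual not in ALLOWED[ext]:
        findings.append(f"claims .{ext} but content looks like {actual}")
    if actual == "zip":
        # Inspect archive members in memory, without extracting to disk.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.rsplit(".", 1)[-1].lower() in EXEC_EXT:
                        findings.append(f"archive contains executable {member}")
        except zipfile.BadZipFile:
            findings.append("ZIP signature but archive is unreadable")
    return findings


def build_sample_zip(member: str, payload: bytes) -> bytes:
    """Constructed sample: an in-memory archive holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()
```

A clean `.docx` also starts with the ZIP signature, so the archive walk runs on it as well and simply reports nothing.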

Once a targeted victim takes the bait and opens the file or URL, a remote access Trojan (RAT) is typically installed on the person's computer. The RAT profiles the target network and looks for desirable data to steal. Because the RAT can often remain undetected and continue to exfiltrate data for a while, it is considered "persistent," thus the name "advanced persistent threat." This attack technique can result in considerable damage to the victim company.

Attackers often target "high value" people within an organization -- people whose login credentials or job role can provide access to highly desirable data. While company executives certainly fall into this category, so do employees in departments such as human resources, accounting, finance and information technology. Consider what would happen if an IT administrator's workstation were compromised; an attacker could change all sorts of network access permissions, making it even easier to steal data.

Wombat Security Technologies provided this list of best practices to help you and your co-workers avoid the spear:

• Use common email sense. Period. The main point is, you shouldn't automatically trust any email message. Don't let the presence of familiar personal information in a message, or the apparent source of the message, lull you into a false sense of security. Don't think that everything coming in through email -- even though it looks official -- actually is official.

• Don't assume that emails from friends or colleagues have safe links or attachments. Cybercriminals can easily collect your colleague's email address from social networking sites or the Internet and send email to you that looks like it's from a trusted sender. When you receive a link or attachment from a friend or colleague, the safest approach is to call your friend and verify that they actually sent you what you received -- especially if you weren't expecting the message.

• Be extra suspicious of emails that relate to current events. For example, emails with links to photos of Hurricane Sandy destruction, up-to-the-minute coverage of sporting events, or the celebrity scandal of the moment, are very likely to be links to malicious websites. If you feel the urge to look at photos like this, look for them on reputable news sites.

• Do your research on emails that request immediate action. Google the company name and get a contact number to call and ensure you've received a valid request. Do not trust the contact information in emails because cybercriminals will include phone numbers that dial the criminal directly.

• If there is a Web link inside a message, parse the URL to understand its genuine origin. It's easy to spoof the text of a hyperlink. To see where that link is really going to take you, hover over the URL without clicking it to see the real address. If that address looks unfamiliar or suspicious, don't click it.

• Be careful about providing personal information on social networking sites. Information such as birthdays, anniversaries, and the names and ages of your kids can be used to gain your confidence. Rather than refer to family members by name, use their first initial or some other reference that would be obvious, but you wouldn't expect someone to use in an email to you. Limit the business details you provide on sites like LinkedIn.

• Be wary of unexpected text messages on your mobile phone. People are three times as likely to respond to SMS phishing ("smishing") on their smartphones as on email. Attackers use ploys like "Click here to claim your instant gift card" sent via text message. A compromised smartphone that connects to a company network is an easy attack vector.
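The "hover and parse the URL" advice in the list above can be automated for an HTML message: extract each link, compare the host the reader sees in the link text with the host the browser would actually connect to, and flag the `user@host` trick that hides the real destination. This is an added example, not code from the article or from Wombat; the sample hostnames and addresses are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def real_host(url: str) -> str:
    """Host the browser would actually connect to for this URL."""
    parts = urlsplit(url.strip())
    # .hostname drops any user@ prefix and port, so a link written as
    # http://bank.example@198.51.100.7/ resolves to the IP address.
    return (parts.hostname or "").lower()


def link_findings(text: str, href: str) -> list[str]:
    """Compare the text a reader sees with where the link really goes."""
    findings = []
    dest = real_host(href)
    if not dest:            # mailto:, javascript: and relative links
        return findings
    shown = real_host(text if "://" in text else "http://" + text)
    if "." in shown and shown != dest:
        findings.append(f"text shows {shown} but link goes to {dest}")
    if "@" in urlsplit(href).netloc:
        findings.append("credentials in URL hide the true host")
    return findings


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def scan_email_html(body: str) -> dict[str, list[str]]:
    """Map each href in the message to its findings (empty list if none)."""
    p = LinkExtractor()
    p.feed(body)
    return {href: link_findings(text, href) for text, href in p.links}
```

Link text such as "Click here" carries no host, so only links whose visible text itself looks like an address are compared; the `@` check applies to every link.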

Vigilance is the key to staying safe from a spear-phishing attack. It may seem like an inconvenience to do a little extra research to get to a legitimate website, but in the end it's worth the time to know who you're dealing with. High-profile spear-phishing breaches are forcing companies to be savvier at identifying the weakest link in their security posture. Don't let it be you.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.


Copyright © 2012 IDG Communications, Inc.