10 reasons why phishing attacks are nastier than ever

Forget Nigerian princes -- today’s spearphishing is sophisticated business, fooling even the most seasoned security pros


The very respected Verizon Data Breach Investigations Report frequently reports that most internal breaches are noticed by external parties. In most cases that’s because the external party was also compromised for years, and during its forensics investigation it noticed that its data, or the attackers themselves, were moving to or from another company that was being used as a staging point.

I’ve consulted at a few customers where the bad guy has been in the company for so long that the malware they were placing was part of the company’s gold image -- that is, every new computer included malicious software. I’ve seen Trojans and malware programs that were allowed to spread for years because the IT staff assumed it was a necessary software component placed by some other group within the same organization. Hackers love these sorts of assumptions.

Your attacker is not afraid of getting caught

It used to be that a phisher would get into your company, steal money or information, and be gone as soon as possible. Getting in and out as quickly as possible meant minimizing the chances of being caught, identified, and prosecuted.

Today’s attacker is likely based in a foreign country where your legal jurisdiction and warrants don’t work. You can even present the hacking firm, its hackers, and its physical address, backed by legal evidence, to their local authorities, and nothing is likely to happen.

In most of the attacks I’ve been called in to remediate in the past 10 years, the hackers don’t run once they are found. To be sure, they don’t want to be found, but once they are, they hack even more freely and blatantly, as if the restraints have been pulled off.

Remediation ends up being a cat-and-mouse game where the mouse has all the advantages. At first you don’t know what they’ve compromised and how many ways they can get back in. And it all likely started because someone opened up a spearphishing email.

What you can do

Remediation begins with educating all employees about the new reality of spearphishing attacks. Everyone should know that the old-style phishing emails, full of typos and promises of unearned millions, are no longer your main worry. Explain how the new spearphishing emails are handcrafted by professional criminal gangs that know exactly how to tailor their work to seem like a legitimate email coming from someone your colleagues trust.

Employees should be told to always ask for independent confirmation (such as a phone call or IM) before clicking and running any executable or opening any unexpected document. A quick confirmation is simply due diligence today. Tell employees to report anything suspicious. If they accidentally executed anything that they later became suspicious about, they should report it as well. It is important to remove the stigma and embarrassment of being fooled. Let them know that anyone, even security experts, can be tricked today, given the sophistication of the attacks.

Many companies aggressively test their employees with fake phishing attempts. These attempts should use phishing email templates that are more sophisticated and less like the phishing attempts of the past. Keep testing individual employees until you get a very low percentage of easily compromised employees. If you do it right, you’ll have your employees questioning any unexpected emails asking for credentials or to execute programs. Having employees question your legitimate emails is a welcome symptom of a good education program.

Lastly, if a spearphishing attempt is successful in your company, use the actual phish email and the compromised employee’s testimony (if they are well liked and trusted) to help teach others about today’s spearphishing environment. Anything that brings the new lessons front and center is welcome.

The key to prevention is getting everyone to see that today’s spearphishing email is not what they were used to in the past.

This story, "10 reasons why phishing attacks are nastier than ever" was originally published by InfoWorld.

Copyright © 2015 IDG Communications, Inc.
