To the average user, phishing emails often look like harmless requests for information that appear to come from trusted suppliers and reputable sources. For cyber criminals, however, phishing is more often than not the easiest way to get a foot in the door of their targets.
“Everyone knows what phishing is,” says Sarel Lamprecht, MD of Phishield, a company specialising in cyber fraud insurance. “They understand it is a means for attackers to get their hands on login credentials, financial information and similar, by sending an email purporting to be from a recognised institution.
“What they don’t realise is how cunning these attackers are – phishing pages are so cleverly designed as to fool all but the very closest scrutiny. Nor do they realise that the stolen information is often sold on the dark markets, used to empty out bank accounts, or even to blackmail the victims.”
Spear phishing, he says, is slightly different in that it is far more targeted, going after a specific individual in the organisation in the hope of gaining access to the organisation itself.
“It makes use of clever social engineering tactics to profile and get to know the potential victim, to have a better chance of success. Because of this, the attacker seems to be more trustworthy as a genuine business entity, and users become less suspicious. This is why spear phishing is a far greater threat than the ‘mud against the wall, let’s hope something sticks’ approach of regular phishing scams.”
According to Lamprecht, an alarming number of breaches over the past few years have originated from spear phishing attacks. “We have seen several high profile and hugely damaging data breaches which have begun with cyber criminals gaining a foothold onto networks via targeted spear phishing emails. Moreover, we have seen this tactic employed in nation state attacks as well as financially motivated ones.”
He cites a few examples of targeted security breaches in which spear phishing was the initial point of entry.
“In 2015, Kaspersky Lab in conjunction with Interpol and other authorities, uncovered a gang called Carbanak, which had stolen approximately one billion USD over the course of two years from banks around the world. They estimate over 100 banks were targeted across 30 countries. Money was stolen by hacking into banks and stealing up to ten million dollars in each incident, with each ‘robbery’ taking between two and four months, from infection to theft.”
Notably, the attackers gained their initial access through a spear phishing email sent to an employee, whose computer was then infected with the Carbanak malware.
He cites another example as the JPMorgan Chase breach of 2014, which saw data from some 76 million customers and six million businesses being exposed when a staff member’s credentials were stolen and used to access an older server that didn’t have any two-factor authentication in place. “The attack happened via a spear-phishing campaign that targeted several employees who had access to data systems and services that housed sensitive client data.”
The employee was tricked into giving up a password that worked on a vulnerable machine on the network. “From there, the attackers accessed information and compromised records. In the aftermath of the breach, the company announced it is boosting its security spend by $250 million and allocating 1 000 personnel to security efforts.
“I could name several other incidents – eBay, Target and suchlike, but the point is that businesses, particularly the ones that handle sensitive customer data, need to put tools and measures in place to prevent the scourge of spear phishing from being successful.”
He adds that there is one defence available in the event of a breach that many companies neglect to take, in the form of insurance. “Phishield is a cyber insurance policy that will ensure you’re covered in the worst case scenario. It will help ensure a company can weather any damages as the result of the breach,” he concludes.