Wednesday’s Word(s) of The Week: Spear Phishing
Last week I talked about email security and the steps that ISPs and enterprises were taking to help secure the email channel. This week, I’d like to dive into another security topic that everyone needs to be aware of, one that most people have been a target of and that no one wants to be a victim of: spear phishing. Spear phishing is a highly targeted attack on an individual that relies on personalization and often uses a spoofed From: address that the recipient recognizes, like an email from your husband or wife asking for your Social Security number for benefits enrollment, when it’s actually not your husband or wife, but a fraudster.
If you’re like me, you’re probably thinking that’s a lot of work to go through just to steal a few dollars, but it’s all about the ROI. I always recommend that marketers use tactics like personalization as well as segmentation and targeting for higher ROI. Apparently the fraudsters have found that the same holds true for phishing campaigns. A typical mass phishing attack sees a 99% block rate, and has a paltry 3% open rate and a 5% click-through rate. These attacks average $2,000 per victim and profit $14,000 per mass phishing campaign. Now compare that to a highly targeted spear phishing campaign that has the same block rate, but a 70% open rate and a 50% click-through rate. The total value per victim jumps to $80,000, which translates to $150,000 profit per campaign – and that’s with only 2 victims! To add insult to injury, the cost for an organization to deal with a targeted attack like that is staggering, with $327 in monetary loss per employee, $558 per employee for remediation costs, and even more frightening, up to $2,346 per employee in brand reputation costs. You can read more about the high costs of targeted phishing in the latest report from Cisco.
ComputerWorld reports on the Department of Energy being a victim of a spear phishing attack for a second time, one that exploited a flaw in Internet Explorer, allowing the attackers to gain access to restricted data. The DOE responded by voluntarily taking down its email and network services until it could fully secure itself from further attacks. The biggest risk is still yet to come, with phishers having access to names and emails to use for more highly targeted spear phishing attacks. Even with education and security measures in place, 70% of all spear phishing victims still open the email.
Defense contractor Booz Allen Hamilton fell victim to a security breach by the hacker group Anonymous, in which over 90,000 military email addresses and passwords were taken and published. There’s no doubt that these email addresses will be used against the military in spear phishing attacks, further putting the government at risk for more breaches.
Not only is the government more susceptible to spear phishing attacks, but so are the unemployed and job seekers. The Washington Post was also hacked, and 1.27 million email addresses were stolen from its job seeker site. Josh Saul, CTO for Application Security, also agrees that these people will no doubt be the victims of spear phishing attacks or even blackmail. If you happen to be the user of one of those email addresses, pay special attention to any emails that include URLs that don’t match the underlying redirect URL, ask for any personally identifiable information, or contain anything else that your intuition feels is out of place.
When in doubt, contact the person to find out if they asked for the information in the email.
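A mail filter can automate the first of those checks. The following is an added example, not part of the original column: it flags HTML links whose visible text names one host while the underlying href points to another. The function names and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Host of a URL-like string, or None when the text does not look like a URL."""
    candidate = value if "://" in value else "http://" + value
    host = urlsplit(candidate).hostname
    return host.lower() if host and "." in host and " " not in value else None

def mismatched_links(html_body):
    """Return (shown_host, real_host) pairs where link text and href disagree."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append((shown, real))
    return findings

# Constructed sample body; example.com and example.net are reserved documentation domains.
SAMPLE = """
<p>Benefits enrollment closes Friday. Confirm your details at
<a href="http://hr-portal.example.net/login">https://hr.example.com/benefits</a>
or read the <a href="https://hr.example.com/policy">policy page</a>.</p>
"""
if __name__ == "__main__":
    print(mismatched_links(SAMPLE))
```

Links whose text is ordinary wording, like the second one in the sample, are skipped because there is no displayed host to compare against.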
I also noted in last week’s column that enterprises were handling these threats through things like employee education and whitelisting approved IP addresses. A recent article in the NYTimes discusses how companies like Symantec are taking a page from the email industry and using reputation-based filtering of software to determine if the application can pass through a firewall. Therefore, if a person clicks on a malicious link in a phishing message, the firewall can ascertain the reputation of the malware and presumably block it from ever getting inside, or outside, a firewall. Reputation-based filtering is available in their consumer products now and will be available to enterprise customers later this year. The article also discusses the idea of whitelisting in further detail. Bit9 is a company that specializes in whitelisting known good applications. They give an example of a spear phishing attack on a national defense lab where a user opened an attachment that supposedly came from their Human Resources department, but was actually malware. The application was stopped from any unauthorized activity because it wasn’t a whitelisted application. Palo Alto Networks also recommends stronger firewalls and better monitoring for suspicious behavior. Mark Hatton of Core Security Technology reminds us that humans will always be the primary weakness in any network. “You tell the guy not to click on the link to the free iPad, and he still always clicks on the link to the free iPad.”
I’d also mention again that spear phishing attacks that come from a spoofed domain, maybe even a spoofed domain from your own organization, can be stopped and prevented. Implementing email authentication, like SPF and DKIM, and then blocking all domains that fail authentication can be useful. Further implementing an approved list of known authenticated domains, like Domain Assurance, as part of your email filtering can prevent spear phishing attacks, as well as false positives.
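The filtering policy described above can be sketched as follows. This is an added example, not code from the column or from any product it names: it reads the SPF and DKIM results from the Authentication-Results header stamped by the receiving gateway, blocks failures, and lets approved domains through only when their DKIM signature matches the From: domain. The gateway name, the approved list and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id of your own gateway
APPROVED_DOMAINS = {"example.com"}   # assumption: list of known authenticated senders

def auth_results(msg):
    """Read spf/dkim results, but only from the header our own gateway stamped."""
    found = {"spf": "none", "dkim": "none", "dkim_domain": ""}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, body = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender can add its own copy of this header; ignore it
        for method, result, props in re.findall(r"\b(spf|dkim)=(\w+)([^;]*)", body):
            found[method] = result.lower()
            signer = re.search(r"header\.d=([\w.-]+)", props)
            if method == "dkim" and signer:
                found["dkim_domain"] = signer.group(1).lower()
    return found

def verdict(raw_message):
    """Return 'block', 'accept' or 'filter' for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    res = auth_results(msg)
    if "fail" in (res["spf"], res["dkim"]):
        return "block"  # failed authentication: never reaches the inbox
    signed_by_from = res["dkim"] == "pass" and res["dkim_domain"] == from_domain
    if from_domain in APPROVED_DOMAINS and signed_by_from:
        return "accept"  # approved and authenticated: skip content filtering
    return "filter"  # everything else goes through normal spam filtering

# Constructed messages; example.* and .invalid are reserved names.
SPOOFED = (
    "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.com; dkim=none\n"
    "Authentication-Results: relay.invalid; spf=pass; dkim=pass header.d=example.com\n"
    'From: "Human Resources" <hr@example.com>\nSubject: Benefits enrollment\n\nSend your SSN.\n')
LEGIT = (
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com;\n"
    " dkim=pass header.d=example.com\n"
    "From: Human Resources <hr@example.com>\nSubject: Benefits enrollment\n\nSee the portal.\n")
UNKNOWN = (
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.net; dkim=none\n"
    "From: someone@example.net\nSubject: Hello\n\nHi.\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("unknown", UNKNOWN)):
        print(name, verdict(raw))
```

The spoofed sample carries a second, sender-supplied Authentication-Results header claiming a pass; the verdict ignores it because it was not written by the trusted gateway.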
Have any tips to share to stop or prevent spear phishing? Share them in the comments below.
About Tom Sather
Email data and deliverability expert Tom Sather has worked with top-tier brands to diagnose and solve inbox placement and sender reputation issues as a strategic consultant with Return Path. As the company’s senior director of research, Tom is a frequent speaker and writer on email marketing trends and technology. His most recent analysis of new inbox applications’ effects on consumer behavior was widely cited across leading business media outlets including the Financial Times, Ad Age, and Media Post.