Spear-phishing is the single biggest threat to cyber security today
Arguably, there is no security incident without end-user involvement; either by the user actively doing something he shouldn’t, or passively not doing something he should. The criminals’ usual route is to socially engineer the target into doing something he shouldn’t (see The art of social engineering); like click a dubious link or open a malicious attachment. This is basic phishing. The original mass phishing campaigns, sending the same email to hundreds of thousands of targets, have an increasingly lower return for the criminals: users have become adept at spotting them. So today criminals are choosing higher value targets and sending personalized emails to an individual or small group of individuals. This is spear-phishing.
Criminals – whether individuals, organized criminal gangs or state-sponsored groups – are all selecting spear-phishing as the attack method of choice. A recent study by Trend Micro has shown that 91% of all successful APT attacks start via a spear-phishing attack; and 94% of those are emails carrying a malicious attachment. To put this into perspective, many (not all) security experts believe that any organization targeted by an APT will fall to the APT. The corollary, and one that I accept, is that anybody targeted by a well-crafted and researched spear attack will succumb to that attack, or the next one, or the one after that.
This is because there is no guaranteed defence against spear-phishing. It is man versus man – technology won’t work. You can filter incoming emails, but you might miss one. You can filter the target URLs, provided you know about all of them, but that misses the disguised malicious attachments.
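As an added illustration of the email filtering the post says can still miss a message (this is not code from the original post): a small Python checker that parses a constructed lure and flags a display name that claims one domain while the real sender is another, plus an attachment whose name and declared type disagree with its bytes. The domains, names and file contents are made up for the example.

```python
import email.utils
from email.message import EmailMessage

# Byte signatures used to learn what a file really is, regardless of its name.
MAGIC = {b"%PDF": ".pdf", b"MZ": ".exe", b"PK\x03\x04": ".zip"}
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd"}


def build_sample():
    """Constructed lure (not a real message): the display name shows a trusted
    address, the attachment is named like a PDF but starts with an EXE header."""
    msg = EmailMessage()
    msg["From"] = '"alice@example.com" <billing@example-payroll.test>'
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Re: your expense claim"
    msg.set_content("Hi Bob, the corrected form is attached.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="expense_form.pdf.exe")
    return msg


def sniff_ext(data):
    """Return the extension implied by the leading bytes, or None if unknown."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def check_message(msg):
    """Return a list of human-readable findings for one parsed message."""
    findings = []
    display, addr = email.utils.parseaddr(str(msg["From"]))
    real_domain = addr.rpartition("@")[2].lower()
    shown_domain = display.rpartition("@")[2].lower() if "@" in display else ""
    if shown_domain and shown_domain != real_domain:
        findings.append(f"display name shows {shown_domain}, sender is {real_domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        if len(pieces) > 2 and "." + pieces[-1] in EXECUTABLE_EXTS:
            findings.append(f"double extension on attachment {name}")
        real_ext = sniff_ext(part.get_content())
        declared = "." + part.get_content_subtype().lower()
        if real_ext and real_ext != declared:
            findings.append(f"{name}: declared {declared} but bytes look like {real_ext}")
    return findings


if __name__ == "__main__":
    for line in check_message(build_sample()):
        print("FLAG:", line)
```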
This all raises the question of why spear-phishing is so successful; and it’s because the criminals do their homework. They treat the internet as their own big data playground, and harvest little snippets of information from different places to combine into a remarkably detailed profile of potential targets. There are huge criminal databases of stolen data. Just this week it emerged that the Nationwide insurance group in the US had personal details of 1.1 million Americans stolen, including “Social Security number, driver’s license number and/or date of birth and possibly marital status, gender, and occupation, and the name and address of their employer.” A couple of months ago, 3.6 million South Carolina taxpayers had details stolen (itself via a spear-phishing attack) from the Department of Revenue.
What they don’t already have they get from the social networks and indeed the target’s company website. Email, personal interests, friends, position in company, age and location can all be found. From this profile it becomes relatively easy to compile a compelling email that looks 100% genuine and irresistible.
Indeed, the very way in which we do computing makes phishing very effective. A fascinating PhD thesis by Michele Daryanani (Desensitizing the User: A Study of the Efficacy of Warning Messages), made available this summer, draws a connection between hyperactive operating system warnings and desensitizing the user – including to phishing attacks.
So what can we do? The main defence is user education. There are specialist training companies; and PhishMe in particular specialises in teaching how to avoid being phished.
Yesterday, Metasploit announced it is joining the battle with a new release of Metasploit Pro 4.5, introducing ‘advanced capabilities to simulate social engineering attacks’. HD Moore, the originator of Metasploit and chief security officer at Rapid7, describes it thus: “Many organizations already conduct end-user trainings and implement technical security controls to protect their data, but it’s hard to know how effective these measures are, or even if you’re focusing on the right things. Metasploit assesses the effectiveness of these measures, and provides metrics and management for each step in the chain of compromise to help you reduce your risk.” In other words, it allows you to test your users and see which of them fall to phishing under what circumstances – spear-training against spear-phishing as it were.
But I’d like to add my own recommendation: that governments should understand that more often than not, education is better than legislation. If government would spend a fraction of its security budget, and a fraction of its energy, on educating users rather than legislating against choice, then we would all be a lot safer. And happier.
Freelance author and journalist. Online news reporter for Infosecurity Magazine. See Sample Work for sample work; and Editorial Services for, well, editorial services. Then contact me.