Just as the name suggests, spear phishing is a more targeted form of phishing, in which attackers use personal details about the recipient to greatly increase the odds of success. On May 5, 2015, the InfoSec Institute published an article titled "Spearphishing: A New Weapon in Cyber Terrorism," which breaks down the perils of spear phishing and how terrorist groups can use this threat vector for everything from access and espionage to cyber scams that funnel real money directly into financing terrorist activities.
For Joe Caruso, founder and CEO/CTO of Global Digital Forensics (GDF), a premier national provider of cyber security solutions headquartered in New York City, spear phishing has always been at the top of the charts when it comes to the myriad dangerous threat vectors businesses are confronted with every day. But he hopes, “stories like this that put the word ‘terrorist’ into the same sentence as spear phishing will help bring some much-needed focus to the serious threat targeted social engineering campaigns like spear phishing can pose to any business, because next to having already been victimized by a cyber attack, fear is the next best motivator when it comes to businesses taking concrete steps to protect their valuable digital assets, and terrorist is certainly a buzzword that conjures fear.”
The personal connection attackers covet
“In this digital world, it’s easier than ever for an attacker to gather the details that make spear phishing so effective,” warns Caruso. “A WHOIS lookup, for instance, can give an attacker precious contact information, like names, phone numbers and email addresses of administrative personnel responsible for the organization’s Web presence. Online company profiles can give attackers an overall view of a business’s hierarchy, and again, often with names, pictures and contact information right there for the taking. Press releases can give easy insight into current events within an organization, which can then be used to devise an email that makes perfect sense to the target, exponentially increasing the chance it will be opened, read, and interacted with. And that’s all it takes for malware to be introduced, which, depending on the payload, can lead to any kind of cyber attack imaginable. Add social media to the mix, and the personal touch can become even harder to spot. When John posts on his Facebook account that he will be vacationing in the islands for two weeks, and an email comes to his boss while he’s gone that has a spoofed header to look like it is coming from John’s email address that says, ‘The islands are great, check out this view,’ chances are good John’s boss will open it, open the attachment, or follow the link, or do whatever ‘John’ asks him or her to do. And that’s it: game, set, match. Nothing fancy, nothing technical, just brutally effective. So of course cyber terrorists are interested, just like every other cyber criminal prowling in the dark corners of the digital landscape.”
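The spoofed-sender email in the scenario above is exactly the kind of message a mail-header check on the receiving side can catch. The following Python script is an added example, not GDF's code or anything from the original article. It parses two constructed messages with the standard library's email package and flags the indicators a defender would look for: a Return-Path or Reply-To whose domain differs from the visible From: domain, and SPF, DKIM or DMARC verdicts in the Authentication-Results header that are anything other than pass. Every domain, address and header value is made up for the example, and the script assumes the receiving mail server stamps Return-Path and Authentication-Results before the message is handed to this check.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real mail). The first mimics the scenario in
# the text: the From: header is forged to look like john@example.com, but the
# envelope sender (Return-Path), the Reply-To and the receiving MTA's
# authentication results all point at a different, attacker-controlled domain.
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@mail-example.net>
Received: from mail-example.net (mail-example.net [203.0.113.10]) by mx.example.com
Authentication-Results: mx.example.com;
    spf=fail smtp.mailfrom=mail-example.net;
    dkim=none;
    dmarc=fail header.from=example.com
From: John <john@example.com>
Reply-To: John <john.vacation@mail-example.net>
To: boss@example.com
Subject: The islands are great, check out this view

Check out this view: http://mail-example.net/island-view.zip
"""

# A legitimate message from the same sender, for comparison (also constructed).
LEGIT_MESSAGE = b"""\
Return-Path: <john@example.com>
Authentication-Results: mx.example.com;
    spf=pass smtp.mailfrom=example.com;
    dkim=pass header.d=example.com;
    dmarc=pass header.from=example.com
From: John <john@example.com>
To: boss@example.com
Subject: Weekly status

Status report attached.
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    if header_value is None:
        return ""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Parse Authentication-Results into a dict like {'spf': 'fail', 'dkim': 'none'}.

    The header has the shape: authserv-id; method=result props; method=result props ...
    Only the verdict token after '=' is kept; the property list following it is ignored.
    """
    verdicts = {}
    value = msg.get("Authentication-Results", "")
    for clause in str(value).split(";")[1:]:  # clause 0 is the authserv-id
        clause = clause.strip()
        if "=" not in clause:
            continue
        method, _, rest = clause.partition("=")
        tokens = rest.split()
        if tokens:
            verdicts[method.strip().lower()] = tokens[0].lower()
    return verdicts


def spoof_indicators(raw_message: bytes) -> list[str]:
    """Return header-level indicators that the visible From: address may be forged.

    An empty list means none of these checks fired; it does not prove the mail is safe.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_domain = domain_of(msg.get("From"))
    findings = []

    # 1. Envelope sender (stamped by the receiving MTA) vs. the visible From: domain.
    rp_domain = domain_of(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")

    # 2. Reply-To steering replies away from the claimed sender's domain.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. SPF / DKIM / DMARC verdicts recorded by the receiving MTA; 'missing' if not stamped.
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method}={verdict}")

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, spoof_indicators(raw) or ["no indicators"])
```

Two caveats worth keeping in mind. The checks rely on headers the receiving server adds; an attacker controls everything in the message they send, so a From: check on its own is meaningless unless the MTA's own Return-Path and Authentication-Results stamps are the ones being compared. And a spear phisher who registers a lookalike domain with valid SPF and DKIM for that domain will pass the authentication checks, which is why the domain-mismatch comparisons against the From: domain are kept separate from the pass/fail verdicts.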
Without urgency, count on an emergency
“What really shocks me is how many companies I see that have absolutely no training or awareness programs in place that talk about social engineering threats: at least one in three. Others, that at least talk about it, often miss key elements and don’t really drive the point home with any real enthusiasm. So a while back we started crafting simple phishing emails as part of our penetration testing program and found that when you have the evidence in black and white, managers, directors and executives suddenly feel a little real fear. And ever since we started doing that, we kept evolving the process to incorporate different types of social engineering methods as well, like pretexting (assuming a fake identity), baiting (leaving manipulated digital media behind hoping for a ‘curiosity insertion’ into a network system), phone calls, and full-scale spear phishing expeditions with all the bells and whistles, like an accompanying phony corporate website. To date, no client has ever walked away from a GDF social engineering exercise without access credentials landing in our hands,” says Caruso.
Getting everyone on the same page
“We can also put together follow-up training classes tailored to a client’s unique weaknesses, which we expose during our penetration testing,” Caruso adds, “and when you have a group in front of you with a list in hand of how they were just essentially compromised, let’s just say the focus and attention is very different than a yawn-fest morning meeting. We can also review policies and procedures to make sound recommendations on how to strengthen them and help clients leverage many more little tricks of the trade that bolster awareness and operational security. And yes, social networking and all the new vulnerabilities it can introduce are also covered. So like I said, maybe the specter of real enemy-of-the-state type terrorists being in the game will help spark action in some of those who just haven’t gotten on board with the realities of today’s cyber threat landscape yet.”
*Global Digital Forensics is a recognized industry leader in the fields of computer forensics, cyber security and emergency incident response, with years of experience assisting clients in the government, banking, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a cost-effective plan which will meet your unique needs, without wasting resources on solutions you simply don’t need. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to get help. For more information, visit our cyber security page.