Modern businesses rely heavily on e-mail. Nowadays we have other popular forms of communication yet e-mail use is still habitual in an organisation.
There are risks of data leakage without any controls in place for users (Data Loss Prevention is covered in another post) and it’s vitally important that all e-mail users understand they are at risk from targeted attacks to leak company data. If targeted they may well fall victim involuntarily and not know until it’s too late, if at all. These attacks typically come from criminals sending cleverly crafted and fraudulent messages to employee inboxes.
The hackers know that humans are vulnerable to social engineering and inboxes are open for business 24 hours a day.
There are many methods that criminals use to steal sensitive information. We should all benefit from being aware of these methods and I hope you get lots of insight throughout this blog. In this post we focus on an increasingly popular method used by cyber attackers known as ‘Spear Phishing’. There are other forms of Phishing, more basic (easily caught by spam filter) and much more targetted (sent to VIPs or board and executive level people in an organisation) but Spear Phishing seems to be one of the most common and successful today affecting everybody.
What is Phishing or Spear Phishing and How Does it Work?
Spear phishing is a form of email attack that is targeted directly at a user or group mailbox (such as firstname.lastname@example.org) . It’s usually an attempt to steal information that is sensitive or extort money. This is done through impersonation and enticement. Impersonation via pretending to be another business you may deal with or enticement via sending an email with a sense or urgency or ‘act now’.
In its most common format a broad and untargeted phishing attack will involve receiving a random email, usually sent to many people, which attempts to convince them to open an attachment (PDF or similar). This carries embedded malware or a website link that either executes a virus, pretends to be another website (clone of paypal, your bank or webmail). It may also silently install a trojan bot so your machine can be used to stage other attacks later. This is known as the payload.
Spear Phishing differs from the common and more sweeping Phishing methods as the email will have a specific target (a chosen recipient within the organisation). The salutation and the body of the email will relate in some way to the organisation and the victim. In addition to the presence of fake links and malicious code via attachments, it will also often use socially engineered content to attempt to trick the user into sharing information such as a password, financial details or other sensitive information.
If the hacker succeeds in stealing a user’s credentials (their username and password) then it’s a win for them and near total lose for the victim, especially if they have administrator rights on the computer or domain.
What’s more concerning is the level of effort to target individual companies by these criminals. Emails are now being followed up by phone calls, to heighten the sense of urgency for the ‘outstanding invoice’ to be paid (for example).
What can we do to prevent this?
We cannot rely on technology alone. There are no Antivirus providers, no firewalls and no email filters to stop 100% of these emails being received. All companies should turn on as much security protections on their email gateway/exchange as possible. ACITConsultancy can help audit any current configurations.
Subscribing to Office365 Exchange and adding other Spam Protection services in the cloud to filter messages before they arrive in the business will catch most. However there is a cost associated with the best providers but at least with Office365 there are different pricing tiers avaliable. Even with capital spent on these services, some email of this kind is still going to filter through. Some in depth research can be read here.
However due to the popularity and trust in large companies like Microsoft, hackers are hosting their email within these providers. They also hijack genuine business email servers to relay email and thwart spam block lists. ACITC has seen phishing emails coming from within the Office 365 ‘onmicrosoft.com’ domain to some clients.
This is a game of cat and mouse. Phishing emails reflect current news trends or calendar events such as Christmas. It’s noted that whilst Microsoft Office 365 seems to be the most impersonated large brand this actually changes leading up to Christmas to be Amazon.
So we must educate ourselves and our users as we are the last line of defense. Learning how to be alert and always being vigilant is the best possible form of protection.
In order to identify an email of this nature it is important to understand how the Spear Phishing process works. The Scammer will first collect information about the target to help construct a cover and disguise to attempt to deceive the intended victim.
It will usually come through what appears to be a legitimate email address. In some cases the attacks can be so sophisticated that the attacker can also spoof a known email address that the recipient recognises the sender. As above, we can help turn on spoofing protection so your business does not suffer from impersonation attacks on other orgsanisations or your partners.
The attacker may also consider timing in terms of when best to make the attack via email, often at a time of day when the recipient might receive contact from the source that is being impersonated.
Spear phishing attacks can be very effective for cyber criminals. So we’ve put together the 5 step guide below to help our clients and readers identify them.
If there is one important thing to remember, it’s that you can always ignore the email if in any doubt. Genuine parties will find other and more recordable ways of contacting you in urgent situations (such as chasing an urgent debt!).
#1 Check the email address against the displayed name of the sender.
Most email applications only show the name of the sender which a Scammer can very easily spoof. It’s just a display name.
If you hover the mouse over the display name it should reveal the senders real address. If hovering over the info doesn’t work then usually right clicking to the properties menu will show you more information.
You need to be sure the exposed address looks familiar to the real sender’s address. The domain name (after the @) is the first thing to look at.
#2 Do an email format check.
As part of an advanced spear phishing attack both the display name and email address will be successfully spoofed as someone you know or an organisation you regularly deal with. They’re not looking for a reply, just for the victim to click or open the payload and let the attack onto the computer/steal the information.
Always check the format of the email address as it may hint towards the sender not being legitimate. One character or slight change in the spelling of the domain name may fool users easily. Compare it to previous emails received from the trusted source and if it does not match further measures to verify the sender integrity of the email must be taken.
#3 Make a Phone Call
On some occasions the spear phishing attack may not be identifiable through any of these steps and the user is at genuine risk of sharing sensitive information and incurring a cyber breach for the company.
If any doubt exists, then falling back to normal methods of communication by calling the company in question seems logical.
Only do so via a phone number you have previously recorded or know independently of any number in the potential phishing email. It’s easy enough to check if the email was indeed sent by the trusted party in the first place.
#4 Verify Shared Links, don’t click!
Often an attacker will attempt to trick you into clicking on a link via shared email. The goal here will be to direct you to a fake website (such as a banking or Office365 URL) in order to steal your login credentials.
In the case that you are confident of the name and address of the sender, you should still ensure that the link embedded in the hypertext is not attempting to send you to a website that does not look familiar. If in any doubt and the temptation remains to login to any online service, you should perhaps navigate to the named site through opening a browser and using google search rather than click on these links in an email.
By hovering over the link before clicking you can view the complete web address that it will redirect you too. Differences in the path may appear suspicious and indicate an attack. For example if the blue hyper link said www.paypal.com it could be pointing to something rogue like www.ppaypal.nl, the latter displaying a cloned version of the real site and you may not know any other way.
This is an essential step to take since the victim only needs to click once for the attacker to have control of their browser, install malware or steal information. It may well be the case that on clicking the link the web address presents a website that seems correct, however it’s always better to be safe than sorry. Since attackers can spoof entire web pages of financial institutions or similar trusted sources it’s essential to be most vigilant always. This is especially true if users are not educated in spotting SSL check failures and understanding Certificate Errors (see this blog post, coming soon).
#5 Always Scan Attachments
It’s best practice to always scan attachments for viruses, especially in this case or whenever something unusual or suspect is apparent.
Attachments may contain embedded malware disguised as a normal file, such as an Invoice in PDF or DOCX format. Once opened you may not even notice the bogus application as it may hide itself and remain embedded inside your computer.
It’s usually easy enough to right click on the attachment and find a “scan for viruses” option.
Another really easy way to scan email attachments very quickly is to forward the email to email@example.com where you will receive a reply with the results of a check against over 70 virus engines (just about all you can think of)*.
The above steps are some of the training measures that can be employed to help you and your organisation identify spear phishing emails. Although they are a dangerous and effective weapon of the modern day cyber attacker, by taking these steps as a precaution you can safeguard your business from Phishing attacks in a methodical way.