Spear Phishers Can Wreak Havoc on Any Business at Any Time – Survival is All About Awareness and Response


With McAfee releasing its report on Operation Troy and the Dark Seoul cyber attacks last week, the spotlight once again falls on the spear phishing threats businesses face every day. Global Digital Forensics founder and CEO/CTO, Joe Caruso, talks about the mechanics of a spear phishing campaign and some steps that can be taken to combat the threat.


Don't give spear phishers the combination to your treasures


McAfee released a report last week called Dissecting Operation Troy: Cyberespionage in South Korea, and it reads like a new-age Bond movie script. It’s filled with sneaky espionage, strategic diversions, tantalizing tidbits of clues, and of course, destruction and mayhem. But in this story there are no explosions, blood or missing limbs, at least not directly. It’s a story about digital information being compromised, but in a setting which includes military information, the aforementioned chaos is certainly not completely off the table of possible consequences. The method of entry to get the whole snowball rolling was a tactic that threatens businesses everywhere on a daily basis, spear phishing. What is spear phishing? What to look for? What can be done? Global Digital Forensics founder and CEO/CTO, Joe Caruso, shares some answers.

So what’s the difference between phishing and spear phishing?

“We’ve all seen those emails made to look like they are from reputable, well-known companies like PayPal or eBay, with links to follow, or an attachment to open in order to receive a special service, or to rectify a problematic issue with your account. These are sent in blast spam campaigns to millions of email addresses. They are normally the easiest ones to spot because they often use poor English or contain odd mistakes, and on closer inspection the name of the sender is normally just a bit off, like @paypal.e.com instead of @paypal.com. Another thing to watch for is the links contained in the message. By rolling the mouse pointer over the link, without clicking it, the address the link would be sending you to can be displayed. If the text says one thing and the destination link says another or is unfamiliar, do not follow it. This kind of scheme is based on pure numbers and massive volume. Getting just a few users out of the millions receiving the email to bite on the bait is all the phishers need to make it a successful phishing trip.”

“But spear phishing is a very different beast. Spear phishing emails can be extremely personalized, and depending on the skill level, resources and diligence employed by the attacker, they can be both very convincing and quite difficult to identify as a malicious threat. Spear phishers will make their bait emails look like they come from someone familiar and trusted, like friends, family, or even from someone within your own organization. Spear phishers will do research, they will glean personal information from social networking sites, company websites, online user profiles, or even personal information they may have gathered from other systems and networks they have compromised in the past, and use it against you. They will also apply advanced tactics like spoofed headers, basically changing the From address to match up to the identity of the person or organization they are pretending to be. So when Sally from your own human resources department, conveniently obtained from the business’s online directory with her valid email address and other details, sends you a letter with a note about something you need to review regarding your insurance benefits, you may very well open the attachment, and bang… you’re “hooked.” Or you get an email from the Sapphire Waters Beach Hotel, where you just vacationed and have been raving about on a social networking site, telling you an item was left at the hotel, please see the attached description and form to fill out to have the item returned. Well, you were just there, of course this may be true. Say hello to a malicious payload that can lead to the compromise of your entire network. From the CEO to the fresh new intern, everyone is vulnerable and could be all the foothold attackers need to see whatever agenda they have through to fruition.
So don’t be afraid to pick up an actual telephone and confirm an unexpected email, and if it turns out to be a hoax, report it immediately to whoever is tasked with the organization’s cyber security.”
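The two manual checks Caruso describes, a sender domain that is "just a bit off" and link text that disagrees with its destination, can be automated at a mail gateway or in a triage script. The following Python sketch is an added example, not code from Global Digital Forensics; the function names, the trusted-domain list and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):  # gathers (visible text, href) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def url_host(url):  # lowercase hostname, leading "www." dropped
    host = urlparse(url if "://" in url else "//" + url).hostname or ""
    return host.lower().removeprefix("www.")
def shown_host(text):  # host claimed by the visible text, None if not URL-like
    ok = re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I)
    return url_host(text) if ok else None
def is_under(host, domain):  # exact match or a true subdomain
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw_email, trusted_domains):
    msg, findings = message_from_string(raw_email), []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for domain in trusted_domains:  # brand label present, real domain absent
        if domain.split(".")[0] in sender.split(".") and not is_under(sender, domain):
            findings.append(f"lookalike sender domain: {sender}")
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode(errors="replace"))
    for text, href in collector.links:  # what the reader sees vs. where it goes
        shown, target = shown_host(text), url_host(href)
        if shown and target and not is_under(target, shown):
            findings.append(f"link text shows {shown} but points to {target}")
    return findings

SAMPLE = ('From: "PayPal Service" <service@paypal.e.com>\nContent-Type: text/html\n\n'
          '<a href="http://paypal.example-login.test/verify">www.paypal.com/account</a>\n'
          '<a href="https://www.paypal.com/help">Help</a>\n')  # constructed, not real mail
print(phishing_indicators(SAMPLE, ["paypal.com"]))
```

Neither check catches a spoofed From header that carries the exact trusted domain, the spear phishing case described above; for that, the receiving server's SPF, DKIM and DMARC results have to be evaluated as well.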

Combating the threat revolves around testing, awareness and response.

“The social engineering aspect of cyber intrusions, which is where spear phishing would fall, is something we focus on heavily when we are called in to do cyber threat assessments and comprehensive penetration testing for clients, which range from very small businesses to well-known financial institutions. The scale and scope of the tradecraft we will employ is discussed and agreed upon in advance and then we go to work. Nothing we do will be destructive, but it will definitely be enlightening. We’ll do the same things real-world attackers would do. We’ll use publicly available information and anything else we can get our hands on, online, by telephone, or even in person, and craft a spear phishing campaign. We’ll do everything from creating full blown dummy websites, to spoofing an individual or department within the organization itself. And so far, we’ve never failed to get a foot in the door. When we divulge our findings in our detailed report, it’s got a shock and awe factor that really sinks in deep. It has the powerful, double-barrel effect of exposing weak links in the organization’s cyber security posture, as well as serving as an excellent springboard to raise internal cyber-threat awareness significantly. From there we’ll tailor a remediation plan with the client. If the client chooses, we can even hold awareness seminars to get the entire organization on the same page, from what to look for and how to spot these types of threats, to what to do if a malicious threat is found. And of course we can also satisfy any cyber emergency incident response needs a client may have with our team of experienced cyber responders, strategically positioned across the country and worldwide and available any time of the day or night, just in case Aunt Betty’s secret family recipe proved just too irresistible not to open.”

Don’t wait.

Every organization’s needs, desires and digital infrastructure are unique. But having veteran cyber security experts like the experienced team at Global Digital Forensics come in to professionally tailor a testing and response plan specifically geared to the individual client can go a long way toward not only preventing the initial gateway intruders can use to wreak havoc, but also substantially lessening the aftermath should an attack or intrusion still manage to occur. There is no such thing as absolutely perfect protection, but the odds and/or aftermath can be greatly affected with the right plan in place.

*Global Digital Forensics is a recognized industry leader in the fields of computer forensics, electronic discovery (eDiscovery), cyber security and emergency incident response, with years of experience assisting clients in the government, banking, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a plan which will meet your unique needs. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to get help. For more information, visit http://www.evestigate.com.


Contact Author

Aris Demos