Email security: An ever-evolving beast for organisations

Sharath Kumar

Email is how business gets done in the modern world. Despite its widespread use and security measures designed to thwart threats, email remains highly vulnerable to foul play. Organisations task IT professionals with weeding out spam, Trojan horses and virus-laden correspondence, but most security measures are more than a decade old. A fresh look needs to be taken at enterprise email security as the old mass email attacks fade into the shadows and new, more highly targeted attacks become all the rage with hackers who want access to precious data.

The Way We Were: Phishing

It used to be that a traditional mass email attack followed a tried-and-true model that relied on a shotgun approach called phishing. A high volume of email, containing malware as an attachment or in the body of the email itself, was sent to untargeted recipients. Hackers would only get a small percentage of recipients to act on the email with this approach but, just like its namesake, the more lines you have in the water, the more likely you are to get a nibble. Perhaps this approach would have remained the preferred method for hackers, except for one problem: the fish wised up and stopped biting.

Users are now adept at recognising these attacks. It would be ridiculous now for someone to believe that royalty from a faraway land had randomly chosen them to protect their family's fortune. But this used to work on an embarrassingly high number of people.

Along with smarter users, traditional email security solutions became very proficient at sniffing out these schemes by employing technologies such as:

  • Sender email reputation to identify addresses that are known to spew out spam
  • Lexical analysis to analyse email content that contains word combinations and patterns commonly found in spam
  • Antivirus to help defend against known viruses that reside in email attachments

These defense techniques have become so reliable and effective that many leading email security solutions now guarantee detection levels of 99 percent for all spam and 100 percent of all known viruses. However, this increased knowledge and security did not stop hackers from wanting access to your computer, your data, your network and quite possibly, the world. Like any unsavory virus, hackers evolved and their new methods take a completely different approach.

The Next Evolution of Attack: Spear-phishing

They call it spear-phishing. Most likely because if you knew what it really entailed, we would all be too scared to read our emails and get any work done. Spear-phishing is a low volume, highly targeted attack. No longer do emails make wild claims promising wealth, but instead they seem totally legitimate and the malware is delivered via an embedded URL within the email.

To craft these spear-phishing emails, hackers target specific recipients and gather information on them from social networking and public record websites. Then the hacker compromises a legitimate domain or server so their emails have a reputable address. Using the information they have learned about their target through research, hackers create a phishing email sent from that reputable address, which contains a message socially engineered to increase the likelihood that the target will click. When the target clicks on the embedded URL (which can also point to a legitimate but compromised website), their computer downloads the malware. The malware does what malware is designed to do and looks for network vulnerabilities. It's a new approach but the end result is the same: confidential data is stolen and the target becomes the victim.

Here is an example of what a spear-phishing attack actually looks like: John loves cat videos (and who doesn't!). He has "liked" the LOL Cats page on Facebook. He has posted pictures of his favorite cats on Pinterest. He even has a blog where he rates and analyses the latest feline funnies on YouTube. So when John's favorite cat site sends him an email offering early access to the latest hilarious videos if he just clicks the embedded link, how can he refuse? John's computer is now infected and sending all his personal and professional information off to parts unknown.

It can also be more pernicious. Successful spear-phishing attacks prey on an innate curiosity of the target. Some of the most effective attacks against businesses have used attachments with subject lines such as "2013 Salary Guidelines," "Q1 Hiring Plans," and "Updated Conference Schedule." Other successful attacks play on fear, appearing as court summons or subpoena documents.

Spear-phishing is devilishly effective because it comes from trusted sources not usually associated with malware, so it slips through the usual security. It also doesn't always contain word combinations commonly associated with spam and there is no malware in the actual message.

In April 2012 the Oak Ridge National Laboratory (an organisation known for its research into cyber security topics) was the target of a spear-phishing attack that succeeded when 57 users clicked on a malicious link, exposing their network to compromise from external sources. However, it cannot be confirmed whether these spear-phishing targets fell victim to the LOL Cat attack.

What Your Organisation Can Do

If you're responsible for the information security at your company, spear-phishing is something that is no doubt on your radar and you'd appreciate some helpful tips to combat it. Here are a few recommendations to help stop spear-phishing attacks within your organisation.

Get real-time web analytics to determine the current threat level of websites, including social networking sites.

Almost all phishing attacks (92 percent) now contain a web component to elude traditional email gateway and antivirus defences. URLs that are embedded in these emails often link to websites that are hosting hidden malware.

Isolate and sandbox suspicious emails that contain URLs for real-time analysis at point-of-click.

An email at midnight may contain a link to a web page that was harmless on the initial security scan at the gateway. However, the same web page may include injected malicious code when the recipient clicks on the link the following morning.

Every week, an average of more than 700 pieces of malware are delivered using this attack model - undetected by the leading antivirus engines.
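
The point-of-click check described above, sketched as an added example (not from the original article or any vendor's product): the gateway rewrites each link to a signed redirector URL, and the verdict is looked up when the user clicks rather than when the message arrives. The redirector host, signing key and reputation table are constructed placeholders.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical values: redirector host, signing key, and the reputation
# table below all stand in for a real gateway and a real-time verdict service.
REDIRECTOR = "https://click.mail-gw.example/c"
KEY = b"constructed-demo-key"
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _sign(url):
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()

def rewrite_links(body):
    """Gateway step: send every link through the redirector. The HMAC stops
    the redirector from being used as an open redirect to arbitrary URLs."""
    def repl(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")          # keep sentence punctuation out of the link
        return f"{REDIRECTOR}?u={quote(url, safe='')}&s={_sign(url)}{raw[len(url):]}"
    return URL_RE.sub(repl, body)

def resolve_click(rewritten, verdict_lookup):
    """Click step: check the signature, then fetch a verdict now, not at delivery."""
    qs = parse_qs(urlsplit(rewritten).query)
    url, sig = qs.get("u", [""])[0], qs.get("s", [""])[0]
    if not hmac.compare_digest(sig.encode(), _sign(url).encode()):
        return ("block", "bad signature")
    verdict = verdict_lookup(urlsplit(url).hostname) or "unknown"
    if verdict == "clean":
        return ("allow", url)
    return ("block", f"{url} is {verdict}")

def demo():
    reputation = {"videos.example": "clean"}      # constructed: state at the midnight scan
    body = "Early access to the latest videos: http://videos.example/early?id=7."
    delivered = rewrite_links(body)
    link = URL_RE.search(delivered).group(0).rstrip(".")
    at_delivery = resolve_click(link, reputation.get)
    reputation["videos.example"] = "malicious"    # constructed: page altered overnight
    at_click = resolve_click(link, reputation.get)
    tampered = resolve_click(link.replace("early", "other"), reputation.get)
    return delivered, at_delivery, at_click, tampered

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The same rewritten link is allowed at delivery time and blocked the next morning, and hosts with no verdict are blocked by default.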

Analyze all outbound data to automatically block, quarantine, or encrypt sensitive data, and monitor for patterns that may indicate a leak of important information.

Organisations need an extra line of defense in their email infrastructure, and in the data-accessing devices, such as tablets and smartphones, to oversee the flow of information and prevent data loss.

User Education: Immerse employees with examples of real-world phishing attacks.

Installing the latest security solutions means nothing if users don't practice cyber safety. Most employees don't see an issue with checking a personal email account on a company computer or laptop so user awareness is key to protecting your information from theft.

Email security is an ever-evolving beast for organisations and the only certainty is that once spear-phishing becomes less effective, there will be some new form of attack that steps up to take its place. But the good news is that as long as there are hackers out there looking to steal information, there will also be people out there working to protect it. Keep your wits about you and your IT will be safe.
