Phishing for Whales with Spears

Spear-phishing and whaling are more nuanced versions of this attack involving background research, preparation and a defined target. As opposed to a blanket phishing email campaign, spear-phishing is a more directed attack with the focus on one person or organization. Through a bit of due diligence the phisher tailors the attack to the intended recipient(s) in order to increase the likelihood of hooking someone. Often the email attack vector is supplemented with dummy webpages, email addresses and voicemail accounts. Whaling is the same concept, but the attacks are directed at CEOs or other C-suite members (or their support staff) with the intention of a bigger windfall.

It's tempting for small and midsize firms to believe that they're not big or important enough to be the victims of cyber attacks. In reality though, smaller firms are at no less risk than their larger counterparts. Phishing is a numbers game — attackers want to reach as many people as possible to improve their odds. It takes little effort on their part to send countless emails. Small and midsize firms can even be better targets because they often lack the budgets, infrastructure and training that the big firms have in place to defend against these attacks. In addition, smaller firms may be pursued if they service the actual intended targets of the cyber attack. It is important to keep in mind that attackers are looking for the weakest link; law firms and third-party vendors, without proper protective measures, are often just that.

What to Look For

Phishing scams are not always easy to spot, and cyber attackers work diligently to fool us. One well-worn technique is to represent the message as from a legitimate known sender. Historically this meant that attackers forged the sender's address (not materially different from using a false return address on a snail mail envelope). This ruse was easily revealed with a simple reply to the sender and only allowed for a single, one-way, communication — either the recipient clicked the infected email attachment or link or they didn't.

This has evolved into phishers using domain names that look like the impersonated party. For instance, in using www.BANKOFAMER1CA.com they are betting that most people are too busy to notice that the “I” in the address is actually a “1.” This concept has further evolved with spoofed addresses now almost impossible to distinguish from the real ones.

By taking advantage of Unicode, attackers can use homographs — words that look correct but are in fact comprised of characters from foreign alphabets — to create addresses that look identical to the English address. For example, using a combination of Cyrillic and other alphabets, hackers can create an address that appears to read as www.chase.com, but isn't. When fake links become imperceptible, context and security measures are even more important.

While it will never be possible to spot every advanced phishing scam that shows up in your inbox, there are certain signs or red flags that should set off alarms. Even little things like tone, spelling and grammar can tip you off to an email that isn't actually from the person claiming to be sending it. Attachments can also be a huge red flag — if this person never or only rarely sends you attachments and you're not expecting anything, ask some questions before clicking on anything. If an email seems out of context or has an unexpected sense of urgency, that's another good sign that something might be wrong. Phishers will often review the mailbox of a compromised account before crafting their next attack, and we have seen them hijack conversations mid-thread as they pivot onto their next target.

While your conversation may have been legitimate when it started, a sudden shift can indicate that it's been taken over by someone with nefarious intentions. Another sign is if the sender is suddenly traveling or too busy to communicate and directs you to deal with a third party.

How to Avoid a Breach

Even though hackers are constantly trying to figure out new ways around your system, that system needs to be as secure and up-to-date as possible at all times. Every firm needs good perimeter defenses — all email traffic should be scanned and approved before entering the network to reduce the likelihood that phishing emails get to their recipients. Many modern email filters now replace links and attachments with placeholders that allow for advanced scanning and the ability for the system to refuse access should it later determine that the link/attachment is a threat.

In addition to this basic security requirement, firms should:

• Ensure that malware and anti-virus programs are a standard part of their infrastructure.
• Require complex passwords and regular password changes to keep email accounts more secure.
• Use two-factor or multifactor identification to go a step further toward preventing hijacked email accounts due to compromised credentials.
• Implement mobile device management (MDM) to tighten control on devices and access.
• Implement browser controls to ensure that Internet browsers call out addresses and links that are leveraging foreign languages to spoof legitimate organizations.
• Implement Advanced Threat Protection tools from Microsoft or Cisco.
• Consider implementing SIEM (security information and event management) and IDS/IPS (intrusion detection and prevention system) tools to help detect and prevent system intrusions by outsiders.
• Teach your employees what to look for and how to handle potentially suspicious emails.

Educated users make up the greatest tool you have in your arsenal for fending off phishing attacks. It is crucial to have annual training with frequent reminders of the seriousness of the threat and to update everyone on the newest scams being perpetrated. Teach your employees not to open attachments or click on links if they aren't part of an ongoing business endeavor. Teach them to be on the lookout for subtle signs that an email seems off and to thoroughly examine any email that requests something important.

Conclusion

Diligence is crucial to stopping cyber attacks before they start. Built-in tools can go a long way toward detecting spam, but tomorrow there will be a new trick and your employees are your first line of defense. For users to have a hope of spotting an attack, they need to understand the types of attacks, how they work and what the bad guys are trying to get at.

Cyber attackers are relentless with ever-changing strategies and attack methods. You may not be able to always stay ahead of the game, but that doesn't mean that you can't take significant steps to prevent attacks from succeeding. With the right combination of understanding, regular training and security countermeasures in your arsenal, you'll be prepared when an attack comes. Taking action today can prevent you from being the next cybersecurity victim tomorrow.

*****

Eli Nussbaum is a managing director at Keno Kozie Associates. He joined the firm in 1998 as part of its Y2K audit team. Nussbaum then became a full-time engineer, holding every position within the department before taking on an account management role. During his tenure with Keno Kozie, Nussbaum has focused on physical, virtual and cloud infrastructure design and implementation for both infrastructure and client environments.