{"id":17592,"date":"2020-01-29T12:10:02","date_gmt":"2020-01-29T20:10:02","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2020\/01\/29\/news-11327\/"},"modified":"2020-01-29T12:10:02","modified_gmt":"2020-01-29T20:10:02","slug":"news-11327","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/29\/news-11327\/","title":{"rendered":"Spear phishing 101: what you need to know"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Wed, 29 Jan 2020 18:50:01 +0000<\/strong><\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/06\/somethings-phishy-how-to-detect-phishing-attempts\/\" target=\"_blank\" rel=\"noopener noreferrer\">Phishing<\/a>, a cyberattack method as old as viruses and Nigerian Princes, continues to be one of the most popular means of initiating a breach against individuals and organizations, even in 2020. The tactic is so effective, it has spawned a multitude of sub-methods, including <a href=\"https:\/\/blog.malwarebytes.com\/101\/2018\/12\/something-else-phishy-detect-phishing-attempts-mobile\/\" target=\"_blank\" rel=\"noopener noreferrer\">smishing<\/a> (phishing via SMS), pharming, and the technique du jour for this blog: spear phishing.<\/p>\n<p>But first, a quick parable.<\/p>\n<p>A friend of mine received a blitz of emails over the course of a few days, all geared toward their Netflix account.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/fakenetflixspam.png\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"42244\" data-permalink=\"https:\/\/blog.malwarebytes.com\/social-engineering\/2020\/01\/spear-phishing-101-what-you-need-to-know\/attachment\/fakenetflixspam\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/fakenetflixspam.png\" data-orig-size=\"789,801\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Fake Netflix mail\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/fakenetflixspam-296x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/fakenetflixspam-591x600.png\" class=\"aligncenter size-medium wp-image-42244\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/fakenetflixspam-296x300.png\" alt=\"\" width=\"296\" height=\"300\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/fakenetflixspam-296x300.png 296w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/fakenetflixspam-591x600.png 591w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/fakenetflixspam.png 789w\" sizes=\"auto, (max-width: 296px) 100vw, 296px\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Click to enlarge<\/p>\n<p>The clues indicating something wasn\u2019t quite right were numerous:<\/p>\n<ul>\n<li>There were half a dozen emails instead of just one.<\/li>\n<li>All of them required payment information, but each mail gave a different reason as to why.<\/li>\n<li>There were spelling mistakes galore.<\/li>\n<li>The emails were not personalised in any way.<\/li>\n<\/ul>\n<p>Even without spotting the utterly bogus, non HTTPS URL linked from the email body, this friend would never have fallen for it. Granted, they have a decent knowledge of security basics. 
However, consider if the attacker had done this:<\/p>\n<ul>\n<li>Grabbed some personal details from a data dump<\/li>\n<li>Hunted online for accounts belonging to this person, perhaps on social media<\/li>\n<li>Checked to see if they had an account with Netflix<\/li>\n<li>Crafted an imitation Netflix email address<\/li>\n<li>Addressed the potential victim directly by name<\/li>\n<li>Included some or all of their home address<\/li>\n<li>Made use of spell check<\/li>\n<li>Set up a free HTTPS website<\/li>\n<li>Used the most current version of Netflix&#8217;s logo<\/li>\n<\/ul>\n<p>See the difference? While the first set of emails wouldn&#8217;t pass muster with a marginally knowledgeable user, the second would be much more difficult to screen as fake.<\/p>\n<p>And that is what&#8217;s known in the business as <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/spear_phishing\/\" target=\"_blank\" rel=\"noopener noreferrer\">spear phishing<\/a>.<\/p>\n<h3>What is spear phishing?<\/h3>\n<p>Spear phishing&#8217;s sole purpose is to get inside the recipient\u2019s head and make them think the messages they&#8217;re responding to are 100 percent legitimate\u2014achieved due to personal touches designed to make them think what they&#8217;re dealing with is the real deal.<\/p>\n<p>While you could argue alarm bells should ring when being asked for credit card details, in all honesty, once the scammer has thrown a few personal details into the mix like name and address, it may well be too late.<\/p>\n<p>Imagine if the scammer monitored social media feeds to see which shows their target liked, then said something like, \u201cPlease ensure your details are correct to continue enjoying The Witcher.\u201d Now add a picture of Henry Cavill looking cool.<\/p>\n<p>Game. Over.<\/p>\n<p>As you might expect, this kind of attack is rather difficult to combat. 
It doesn\u2019t help when utterly random nonsense such as the poorly-made Netflix phishing attempt regularly inflicts huge losses on organisations across the globe, despite being pretty terrible.<\/p>\n<p>How many times have we seen healthcare facilities and even local municipal governments fall foul of ransomware via pretend spreadsheet attachments in fake HR tax emails? Make no mistake, this is a <a href=\"https:\/\/www.newnettechnologies.com\/city-of-naples-suffers-losses-from-spear-phishing-attack.html\" target=\"_blank\" rel=\"noopener noreferrer\">very real and immediate problem<\/a> for those caught out.<\/p>\n<p>With generic phishing already causing huge headaches for businesses and consumers alike, cybercriminals using data dumps expertly combined with professional social engineering techniques have an ever higher likelihood of success. And that\u2019s before you consider other forms of spear phishing, such as conversation hijacking (more on this later), or attacks that use the spear phish as a launching pad for infecting networks with malware and other digital nasties.<\/p>\n<p>Shall we take a look at some numbers?<\/p>\n<h3>Watch those verticals<\/h3>\n<p>A few years ago, <a href=\"https:\/\/www.csoonline.com\/article\/3022164\/this-is-how-much-spear-phishing-costs-companies.html\" target=\"_blank\" rel=\"noopener noreferrer\">the average cost of spear phish prevention over 12 months was $319,327<\/a> versus the significantly higher cost of any successful attack, which <a href=\"https:\/\/www.csoonline.com\/article\/3022164\/this-is-how-much-spear-phishing-costs-companies.html\" target=\"_blank\" rel=\"noopener noreferrer\">weighed in at $1.6 million<\/a>. 
In 2019, the stats <a href=\"https:\/\/hostingtribunal.com\/blog\/phishing-statistics\" target=\"_blank\" rel=\"noopener noreferrer\">leaning heavily towards spear phishing<\/a> speak for themselves, and huge payouts for scammers are the order of the day.<\/p>\n<p>Payouts of $40 million, $50 million, and even $70 million and beyond are <a href=\"https:\/\/www.helpnetsecurity.com\/2019\/03\/11\/spear-phishing-impact\/\" target=\"_blank\" rel=\"noopener noreferrer\">common<\/a>, and that\u2019s before you get to the cost of the cleanup and <a href=\"https:\/\/www.spamtitan.com\/blog\/anthem-data-breach-settlement\/\" target=\"_blank\" rel=\"noopener noreferrer\">class action lawsuits<\/a>. Throw in a little <a href=\"https:\/\/blog.malwarebytes.com\/101\/2019\/03\/reputation-management-age-cyberattacks-businesses\/\" target=\"_blank\" rel=\"noopener noreferrer\">reputation damage<\/a> and a PR firestorm, and you have all the ingredients for a successful breach. For the victims, not so much.<\/p>\n<p>With spear phishing, the slightest piece of information can bring about an organisation\u2019s downfall as it slices through all its otherwise fully functional security defences.<\/p>\n<h3>Evolution of the spear phish<\/h3>\n<p>Spear phishing isn\u2019t only left to the realm of emails. Highly-targeted attacks also branch out into other areas, especially ones full of self-volunteered information. Hijacking customer support conversations on Twitter is a <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2016\/08\/scammers-sneak-into-customer-support-conversations-on-twitter\/\" target=\"_blank\" rel=\"noopener noreferrer\">great example of this<\/a>: scammers set up imitation support accounts then barge into the conversation, leading the victim to phishing central. It&#8217;s a slick move.<\/p>\n<p>It\u2019s debatable how many of these scams are targeted, considering they\u2019re making their attack up on the fly, instead of wading in with pre-gained knowledge. 
The difference here is the recon is aimed at the person the potential victim is being <em>helped<\/em> by, as opposed to the victim themselves. Making note of when the customer support account is active, looking at initial Tweets so they can pretend to be the same person who helped before, and adopting some of their speech mannerisms\/corporate speak all help to create a convincing illusion.<\/p>\n<p>At that point, all we\u2019re really dealing with is a perfectly-crafted imitation email but in human form, and with the ability to interact with the victim. Has spear phishing ever seen such a potent way to go on the offensive? When people are happy to weaponise customer support to use them against you, it\u2019s really something to sit down and consider.<\/p>\n<h3>Fighting the rising tide of spear phishing<\/h3>\n<p>Anybody can be a target, but executives, especially at the CEO level, are where it\u2019s at in terms of big scores for criminals (a form of targeting sometimes called whaling). By necessity, most organisations&#8217; executives are set up to be publicly visible, and scammers take advantage of this. As has been mentioned, this is one of the toughest forms of attack to defend against.<\/p>\n<p>If the social engineering component is designed to open the network to <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/social-engineering-cybercrime\/2017\/03\/new-targeted-attack-saudi-arabia-government\/\" target=\"_blank\" rel=\"noopener noreferrer\">malware abuse<\/a>, then we also need to consider the overall security infrastructure. 
<a href=\"http:\/\/www.malwarebytes.com\/business\" target=\"_blank\" rel=\"noopener noreferrer\">Security software<\/a>, updates, firewalls, and more all become important tools in the war against spear phishing\u2014especially given <a href=\"https:\/\/blog.malwarebytes.com\/ransomware\/2020\/01\/tampa-bay-times-hit-with-ryuk-ransomware-attack\/\" target=\"_blank\" rel=\"noopener noreferrer\">what can come after<\/a> the initial foot in the door attack.<\/p>\n<p>Tools such as spam filtering and detection are great for random, casual attacks, but given the direct nature of spear phishing, it may well be a bridge too far for automation to flag as suspicious. Dedicated, ongoing training is important at all levels of the business, alongside not getting into the habit of blaming employees and third parties when things go wrong (and they will, eventually). You don\u2019t want people less likely to report incidents out of fear of getting into trouble\u2014it\u2019s not productive and won\u2019t help anybody.<\/p>\n<p>Tools to aid in reporting spear phishing attacks, either dedicated apps or something web-based inside the network, are always useful. It\u2019s also good to ensure departments have at least some idea how important business processes work in other departments. Securing the organization is a little easier when unrelated department A is an additional layer of defence for unrelated department B. Pay attention to HR, accounting, and top line exec interaction.<\/p>\n<p>If your organisation hasn\u2019t considered <a href=\"https:\/\/blog.malwarebytes.com\/business-2\/2019\/10\/why-all-organizations-must-better-protect-sensitive-data\/\" target=\"_blank\" rel=\"noopener noreferrer\">what to lock down<\/a> yet, there\u2019s never been a better time. 
Europol\u2019s EC3 report on spear phishing was <a href=\"https:\/\/www.europol.europa.eu\/newsroom\/news\/europol-publishes-law-enforcement-and-industry-report-spear-phishing\" target=\"_blank\" rel=\"noopener noreferrer\">released late last year<\/a> and contains a wealth of information on the subject for those wanting to dive deeper.<\/p>\n<p>Ponder <a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/06\/somethings-phishy-how-to-detect-phishing-attempts\/\" target=\"_blank\" rel=\"noopener noreferrer\">all forms of phishing<\/a>, see which one(s) may be the biggest danger to your organisation and your employees, and start figuring out how best to approach the issue. You won\u2019t regret it\u2014but the scammers certainly will.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/social-engineering\/2020\/01\/spear-phishing-101-what-you-need-to-know\/\">Spear phishing 101: what you need to know<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/social-engineering\/2020\/01\/spear-phishing-101-what-you-need-to-know\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Wed, 29 Jan 2020 18:50:01 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/social-engineering\/2020\/01\/spear-phishing-101-what-you-need-to-know\/' title='Spear phishing 101: what you need to know'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2020\/01\/shutterstock_86775340.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>We look at the threat of spear phishing, why it&#8217;s such a problem, and what organizations can do to lessen the chance of a successful attack.<\/p>\n<p>Categories: <\/p>\n<ul 
class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/social-engineering\/\" rel=\"category tag\">Social engineering<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/101\/\" rel=\"tag\">101<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/business\/\" rel=\"tag\">business<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malspam\/\" rel=\"tag\">malspam<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/organisation\/\" rel=\"tag\">organisation<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/organization\/\" rel=\"tag\">organization<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/organizations\/\" rel=\"tag\">organizations<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/phish\/\" rel=\"tag\">phish<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/phishing\/\" rel=\"tag\">phishing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/scam\/\" rel=\"tag\">scam<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/smishing\/\" rel=\"tag\">smishing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/social-engineering\/\" rel=\"tag\">Social Engineering<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/spam\/\" rel=\"tag\">spam<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/spear-phish\/\" rel=\"tag\">spear phish<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/spear-phishing\/\" rel=\"tag\">spear phishing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/whaling\/\" rel=\"tag\">whaling<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/social-engineering\/2020\/01\/spear-phishing-101-what-you-need-to-know\/' title='Spear phishing 101: what you need to know'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/social-engineering\/2020\/01\/spear-phishing-101-what-you-need-to-know\/\">Spear phishing 101: what you need to 
know<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10519,1001,11928,20909,24076,24077,10511,3924,3985,12795,10510,10518,24078,11727,10188],"class_list":["post-17592","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-10519","tag-business","tag-malspam","tag-organisation","tag-organization","tag-organizations","tag-phish","tag-phishing","tag-scam","tag-smishing","tag-social-engineering","tag-spam","tag-spear-phish","tag-spear-phishing","tag-whaling"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17592","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17592"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17592\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17592"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17592"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17592"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}