11/10/2015

Ask the Experts: What's a Spear Phishing Attack?


1

Alexandra from Delaware called in asking, "I heard something on the radio about new threats from online 'spearphishing' attacks, and I'm looking for antivirus software that protects against them.

"What software does that?"

It's no surprise that people are starting to hear stories like the one Alexandra heard because even the FBI has been writing about spear phishing for some time now.

Since there are a couple of questions here, let's take 'em one at a time.

What's a "phishing" attack?

Before we look at spear phishing, let's look at garden variety phishing attacks.

Phishing attacks come typically (though not always) as email. In some, though not all cases, they're flagged as spam.

Regardless of whether or not they're flagged as spam, the goal of the email is for the scammers to trick you.

They want you to reveal your bank, credit card, social security, or other personal info so they can steal your cash or your identity.

Now, what's a spear phishing attack?

Thus far spear phishing mainly happens to people at their workplace. A devious criminal gets ahold of YOUR specific information or your company's.

Often, they'll take their time carefully learning about your company, the employees, who's who in it and such so they can craft a perfect email.

Who's the CFO or comptroller? Who's the CEO? Who's the Chief Marketing Officer? And so on.

Then they forge an email from one person with authority to another. Usually there's nothing outwardly fishy about it.

Sometimes, if you're observant, one little thing will fail to pass muster.

For instance, Joe in accounts payable gets a forged spear-phished email that's supposedly from the CFO saying,

'Hi Joe,

'Please send a wire immediately to XYZ Bank, account 1234-5678-90 for $74,092.23 for the initial payment on our contract with the new consultants we're working with.

'They won't start work until they receive the deposit, so please make sure it goes out immediately.

'I'm heading out early today, so please contact: Joe Jones at ABC Consulting (555) 555-5555 if you have questions.

'Mary'



What the spear-phisher does is a couple of things:

  1. They give urgency. "They won't start work until..."
  2. Mary probably isn't even leaving early, but by telling Jane she is leaving early, it makes it so Joe isn't supposed to contact Mary with questions.



Instead, Joe is instructed BY the spear phisher to contact the spear phisher(!) with questions.

In some cases, Internet security software can help prevent these attacks. These are rare and only happen if the phisher has sent Joe a link to a bogus bank or other website.

So, in most cases, your antivirus software can't protect you.

What can? Knowledge.

In most cases, the only way to prevent these attacks is *thinking* about things and questioning the validity of the content of emails.

Here's a (very) quick how-to:

STEP 1:

Does everything look legit in the email? Sometimes a spear phisher will fail because of tiny, tiny details like how Mary signs her name. Maybe she usually signs emails as --M. Maybe she always includes a certain signature file.

If one comes in now signed "Mary," or with no sig file, you need to start questioning more deeply.

STEP 2:

Check the email "from" and "reply-to" addresses. Are they legit?

STEP 3:

Even if Mary *is* leaving early, surely anyone sane wouldn't mind getting a call from Joe to confirm an outgoing wire for $74K. If Mary gets upset, she has no business being CFO.

BONUS STEP 1:

Put in place an set-in-stone absolutely iron-clad system for outgoing expenditures.

In one firm where I was CTO, requests for wires HAD to be done IN person ON paper and had to be signed by two people, the requestor and a C-level executive, typically that person's boss. Wires were sent twice weekly, no exceptions.

Yes, this created (rare) problems, but they were far smaller than the problems created having money stolen.

Doing it this way meant: we had a process. We had a clear chain of responsibility. And, we were never, ever victims.

BONUS STEP 2:

Setup and enforce the use of digital signatures, like those from OpenPGP or GnuPG. It will take work to setup an email signature system like one of these. It will. Aside from the work involved in initial setup, they're not a silver bullet. Incredibly helpful, yes. A silver bullet no.

Even still, they help, and no matter what it's still less work—and less expensive—than trying to recover lost funds, which seldom works.