During 2021, “cybercriminals continued to target people, rather than infrastructure, with social engineering efforts,” cybersecurity strategist Adenike Cosgrove told VentureBeat. But they weren’t just more active. They were also more successful in getting their targets on the hook.
Most notably, a cybercriminal hacking group called DarkSide managed to extort $4.4 million from Colonial Pipeline CEO Joseph Blount after deploying ransomware against the company’s IT network. The 5,500-mile pipeline transports gasoline, diesel, jet fuel, and other refined products from the Gulf Coast to Linden, NJ, providing roughly 45% of East Coast fuel, according to the Wall Street Journal. Meaning the choice was either to pay up or to see critical national infrastructure being shut down indefinitely.
But the damage had already been done. The attack, probably launched through an unprotected virtual private network account, led to widespread gasoline shortages across the East Coast, soaring gas prices at the pump and customers panic-buying gas in bulk, even in states that weren’t affected. All things considered, Blount estimated the attack would ultimately cost them tens of millions of dollars, with some systems requiring months of restoration work to be up and running again.
Is it possible that a single ill-gotten password wreaked this much havoc on a company, let alone the US energy infrastructure?
Absolutely, experts say in unison. Arun Vishwanath, a researcher of the “human problem” of cybersecurity, writes on CNN: “Ransomware attacks occur because of how easy it is for the attacker to come into a computing network. They do so using spear phishing that deceives users into clicking on a malicious hyperlink or attachment.” According to Verizon’s latest Data Breach Investigations Report, 61% of breaches involve credential data, with some companies fending off 3.3 billion malicious login attempts per year.
In this article, we’ll take a closer look at spear phishing attacks, one of the most common – and most vicious – types of phishing attacks out there, and how to defend against them.
An introduction to phishing taxonomy
So what is phishing?
Phishing scams typically start with a spear phishing email that appears to be a run-of-the-mill blast from a legitimate business asking you to update or verify your personal information in a reply or on their website, FBI experts explain. At first glance, the web address might look familiar and the message genuine enough to convince you to oblige. But once you’ve clicked the link, you’ll land on a spoofed website whose sole purpose is to steal your sensitive information – think: passwords, credit card numbers, and so on.
If you’re looking for a precise phishing attack definition, the US National Institute of Standards and Technology has got your back: “Phishing is a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.” Or, for a more concise one: it tricks users into doing “the wrong thing”, like clicking a link that will download malware or take them to a dodgy website.
Taxonomy-wise, phishing falls into the category of social engineering attacks. These attacks use technology to exploit human weaknesses, such as vanity, fear, or greed, or on the other extreme, curiosity, generosity, or sympathy. No wonder that they often take advantage of current events, such as natural disasters, like Hurricane Katrina, epidemics and health scares, like the COVID-19 pandemic, economic concerns, like IRS scams, major political elections, or holidays, CISA warns.
What is spear phishing: definition, plus how it’s different from plain old phishing
Phishing attacks get their name from the notion that hackers fish for random victims by using spoofed email addresses, websites or even phone numbers as bait. Remove the word “random” from the equation, and you get spear phishing. In other words, spear phishing is when fraudsters choose a specific individual or organization as a target – quality over quantity. Think of it as using a spear to catch a single, high-value fish instead of casting a net over a random school of fish in the hope of some of them falling prey to it.
What makes this type of phishing attack extremely effective is that spear phishers don’t skimp on time and effort when it comes to doing their homework. They’re known for creating message content that is highly relevant to the recipients and making them appear as legitimate requests from a trusted source, such as family, friends, employers, or companies they’ve done business with. This is usually achieved by pulling information about the target's personal and professional relationships from social networks, the news, and data leaks.
Depending on the type and size of the fish the attackers are looking to catch, spear phishing attacks can be further divided into whale phishing, or whaling, and business email compromise, or BEC. Whalers are going in for the big fish, like the CEO or a board member. By contrast, attackers who use business email compromise disguise themselves as big fish to defraud organizations by tricking individuals with access to sensitive information, such as members of the accounts payable team, into wiring them money.
The waiting game, aka how does spear phishing work?
The ultimate goal of spear phishers is to access confidential or sensitive information for malicious purposes. Their motto? The bigger the target, the bigger the payday. In 2015, American toy maker Mattel learned this the hard way after a long-game whaling operation had left a dent in their coffers.
According to InfoSec Institute, the cybercriminals behind this classic spear phishing attack example had been patiently hiding in the toy maker giant’s computer networks to study its internal procedures and protocols, corporate hierarchy, suppliers, and even employee personalities before making their move. Not only were they able to exploit highly sensitive information during this time but also chose just the right moment for the attack.
It came during a perfect storm following the appointment of a new CEO, Christopher Sinclair. With members of the C-suite all eager to please their new boss and plans for a massive expansion in China made public, Sinclair’s email request to a high-ranking executive for joint approval of payment to a local supplier didn’t raise any suspicion. In total, $3 million was wired to the Bank of Wenzhou in China, never to be recovered.
No way for the hackers to get into your communications system?
“When people make a change to their LinkedIn and identify that they’ve joined Kaufman Rossin, in a matter of hours or even minutes they'll get an email from our CEO – not from his Kaufman Rossin email, but something at gmail.com – asking them to buy gift cards and things like that,” Jorge Rey, CISO at Kaufman Rossin, told CSO Online. The sender, of course, isn’t the CEO but a hacker scheming to catch new employees off guard. Aided by bots that are constantly scouring LinkedIn for their next hit, probably.
How to defend against spear phishing attacks?
In order to answer this question, we must circle back to the definition of phishing. As we’ve established earlier, phishing attacks make use of technology to catch us at our most human. Consequently, what helps protect from spear phishing is covering both the technology and human aspects of cybersecurity.
In his op-ed, Vishwanath advises: “The only way to stop spear phishing, and with it ransomware, is to deal with what we have ignored – or merely paid lip service to – the user. We need more than just media awareness campaigns. Because by now, every user is aware of phishing. Besides, much of our present training teaches users about attacks that have occurred, not the attacks that are yet to come, because no one, not even people in IT, know what they will be.”
For this very reason, we at Tresorit look beyond equipping our customers with more and more advanced technology tools. Our goal is to build solutions that enable companies to create a company culture that makes things more difficult for hackers, phishers, and the like. For example, if company procedures and protocol dictate the use of secure sharing links for collaborative work, employees can be nurtured to question email attachments automatically.
Warding off malicious emails: human and technology solutions
In our previous post on clone phishing and phishing links, we’ve shared some simple rules of thumb to avoid falling victim to phishing attacks. To reiterate the key points, always be on guard if you spot:
- A slightly off sender name or address: Hover your mouse over the message’s “from” field to see if the sender’s name or address has been altered in any way.
- Mismatched URLs: Even if the sender and the email content look right, hover over each link you’re prompted to click to see if it leads you where it says it would lead you.
- Requests for sensitive information via email: Legitimate businesses won’t ask you to share sensitive data via a link, much less in reply to their message.
- Unfamiliar language: A sender’s identity is much easier to spoof than their personality. Look out for greetings, lingo or errors that are uncharacteristic of the alleged sender.
- A sense of urgency: Phishers often use subject lines such as “Request”, “Follow up”, “Urgent” or “Are you at your desk?” to pressure targets into acting without thinking.
- Attachments where no attachment should be: If you use collaboration tools like Tresorit or Microsoft Teams, attachments in internal emails should be handled with caution.
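The red flags above are mostly mechanical, which means a mail gateway or a help-desk triage script can check them before a human has to. The following is an added example, not code from Tresorit or from this post, that scans one raw email for the checklist items: a known person's display name paired with an address outside the company's domains, link text that shows one host while the href points at another, urgency cues in the subject, a request for credentials, and an attachment on a message that claims to come from inside. The company directory, domains and both sample messages are constructed for the demonstration; the phrase lists are assumptions you would tune for your own organisation.

```python
"""Heuristic spear-phishing red-flag scanner for a single RFC 822 message.

Added example implementing the checklist above. Not Tresorit's product
code; the directory, domains and sample messages below are constructed.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed/assumed: domains the organisation really sends from, and the
# names of people a phisher is likely to impersonate (executives, finance).
INTERNAL_DOMAINS = {"example-corp.test"}
KNOWN_PEOPLE = {"Jane Doe": "jane.doe@example-corp.test"}

# Assumed phrase lists; tune these to your own mail traffic.
URGENCY_PHRASES = ("urgent", "request", "follow up", "are you at your desk")
CREDENTIAL_PHRASES = ("password", "verify your account", "login details")
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def scan_message(raw):
    """Return a list of (code, detail) red flags for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    hdr = msg["from"]
    sender = hdr.addresses[0] if hdr and hdr.addresses else None
    claims_internal = False

    # 1. Sender: a known person's name on an address the company does not own.
    if sender:
        external = sender.domain.lower() not in INTERNAL_DOMAINS
        claims_internal = not external or sender.display_name in KNOWN_PEOPLE
        if sender.display_name in KNOWN_PEOPLE and external:
            flags.append(("SENDER_MISMATCH",
                          f"'{sender.display_name}' from {sender.addr_spec}"))

    # 2. Subject line built to pressure the reader.
    subject = (msg["subject"] or "").lower()
    hit = next((p for p in URGENCY_PHRASES if p in subject), None)
    if hit:
        flags.append(("URGENCY", f"subject contains '{hit}'"))

    # 3. Links whose visible text names a different host than the target.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_subtype() == "html":
        collector = _LinkCollector()
        collector.feed(text)
        for href, visible in collector.links:
            shown = DOMAIN_LIKE.match(visible)
            if shown and shown.group(1).lower() != _host(href):
                flags.append(("LINK_MISMATCH",
                              f"shows {shown.group(1)} but goes to {_host(href)}"))

    # 4. Asking for credentials or other sensitive data by email.
    plain = re.sub(r"<[^>]+>", " ", text).lower()
    if any(p in plain for p in CREDENTIAL_PHRASES):
        flags.append(("CREDENTIAL_REQUEST", "body asks for account details"))

    # 5. Attachments on a message that presents itself as internal, where
    #    policy expects shared links instead.
    names = [p.get_filename() for p in msg.iter_attachments()]
    if names and claims_internal:
        flags.append(("UNEXPECTED_ATTACHMENT", ", ".join(map(str, names))))
    return flags


# Constructed sample: impersonated executive, look-alike link, attachment.
SUSPICIOUS = """\
From: Jane Doe <jane.doe.ceo@mail.example>
To: new.hire@example-corp.test
Subject: Urgent - are you at your desk?
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>I need you to verify your account before the board call.</p>
<p>Go to <a href="http://login.example-corp-secure.example/">https://portal.example-corp.test</a> now.</p>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample: ordinary internal mail pointing at a shared folder.
BENIGN = """\
From: Jane Doe <jane.doe@example-corp.test>
To: new.hire@example-corp.test
Subject: Q3 notes
Content-Type: text/plain; charset="utf-8"

Notes are in the shared folder; nothing attached.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_message(raw))
```

Each check maps to one bullet above; a real deployment would feed the flags into a quarantine or a banner rather than just printing them, and would keep the directory of impersonation-worthy names and internal domains in a maintained source rather than a literal.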
If you’ve still shared a document with someone you shouldn’t have, however, Tresorit secure links allow you to revoke access to files sent out in error. Plus, analytics can be used to gauge how much of the document the recipient has read. With traditional attachments, once the email is sent, your data is out of your control.
Besides, Tresorit’s secure workplace solutions now include an email encryption tool that brings end-to-end encryption to electronic messages and attachments. It only requires the sender to have a Tresorit account and ensures that emails and attachments sent and received as a reply are end-to-end protected by the same encryption technology used in Tresorit’s cloud storage and file-sharing app. Meaning that no one besides the sender and the recipient will be able to read them.