Guest blog by Greg Atkins, InfoGuardian
Views expressed in this post are original thoughts posted by Greg Atkins. These views are his own and in no way do they represent the views of the company.
Over the past 3 to 4 years, there has been a shift in focus by cybercriminals away from reasonably basic, generic phishing attacks designed to get individuals to part with a relatively small amount of money to today’s more targeted attacks aimed at specific individuals or groups of individuals within specific organisations, designed to earn the cybercriminal much more money.
In its report “The evolution of phishing attacks 2011-2013“, Kasperksy identified an 87% increase between 2012 and 2013 in the number of attacks, with over 37 million individuals targeted.
These types of attack, which some call spear-phishing and others call targeted attacks, have seen a number of high profile victims, including Microsoft, Google and RSA. However, please do not be misled; this could happen to any organisation as the following story demonstrates.
At the end of last year members of the finance department of a small manufacturing company, with fewer than 200 staff, in the North West of England, received what they believed to be a legitimate email from a respectable authority. But as the content of the email seemed to be more relevant to another department, the email was forwarded to HR and 2 members of that team, who, unaware of the hidden threat, opened the attachment. Clicking on the attachment resulted in both members of staff installing the Cryptolocker Ransomware. This proceeded to encrypt files on their machines using different 256-bit RSA keys, then on network drives and finally on other machines connected to those network drives. Compared to the remediation costs and loss in productivity for the company, the ransom figure demanded for supplying the keys to decrypt the data was relatively small. As you can see, this is not a high profile company in a lucrative financial sector. It is one of many thousands of UK companies carrying out its normal business, as your organisation is probably doing.
Whilst more expensive for the cybercriminal to set up, spear and targeted phishing attacks are far more lucrative in terms of results. The objective of the attack is to dupe the targeted individual or group into clicking on an attachment or a link to a fake website containing malicious code, where clicking on a link or button will result in the individual unknowingly installing malware on his device. As in the case above, this could be blatant ransomware or it could be a more sinister Trojan, used to make a point of contact within the targeted organisation from which the attacker can gather more information which will help him to his objective.
It is commonly accepted that overall spear-phishing attacks have a high success rate of 20%, compared to less than 5% for general phishing attacks. Various sources report that as many as 70% of targeted individuals are likely to open such an email. Trend Micro has reported that 91% of all successful data breach attacks in 2012 started with a spear phishing email, and in 2013 Allen Paller, director of research at the SANS Institute reported this figure to be 95%.
Why are Targeted Phishing Attacks so effective?
Any specific email used to launch an attack is likely to come from a known or trusted source, using authentic logos etc. The attack is made simpler for the attacker by the various social media sites and information about individuals readily available on the Internet. In a recent high profile case, the target was identified on LinkedIn. All the information required is nicely packaged for the cybercriminal.
What can be done to stop these attacks?
One of the problems with these types of attack is that they are quite individual, meaning that email security systems have a difficult job identifying them.
Dealing with it technically is certainly a challenge. It is commonly accepted that users are the greatest threat to any organisation’s security. No matter how big the security budget or level of security compliance, it may take only one user to make a mistake, which could cause huge financial damage.
While user education must certainly be part of the solution, opinion seems to be divided on the effectiveness of IT security awareness training for non-IT users. Essentially we have been trying to educate users about security for the past 20 years, but how much really sticks and at what real cost to the organisation? In the past most awareness programmes were to tick the box to meet compliance requirements. As a result, these bare-minimum awareness programs are a PowerPoint presentation once a year or security newsletter once a quarter. To effectively reduce security risks of targeted email attacks, you will need to start changing user behaviour.
William Pelgrin, director of New York’s Office of Cyber Security, organised a fake spear-phishing exercise in which 10,000 state employees were prompted to link to a password checker. 15% of the targeted employees clicked on the link, denoting failure. One month later a second email was sent where staff were asked to enter personal information. Click results showed a 40% reduction of people clicking on the links in a single month over only 2 emails. The effectiveness of this type of “live situation” training is enormous. Pelgrin was able to use common user behaviour to educate and bring about positive behavioural change to reduce the risk of targeted attacks.