
Bait, hook and catch – targeted spearphishing on the rise

03 May 2019

Article by Barracuda Networks senior sales engineer Mark Lukie

Cybercriminals have a history of conducting attacks that cast a wide net hitting as many people as possible.

Most people have received emails from Nigerian princes offering to pay them an exorbitant sum of money, or drug companies offering a new drug to revolutionise their love life.

Cybercriminals now have their sights on enterprises using highly personalised attacks, going after fewer targets to extract a greater payload.

Spearphishing attacks, where a threat actor impersonates employees or popular web services, are on the rise.

At the end of 2018, the FBI warned of a 60% increase during the year in fake email schemes that aim to steal money or tax data.

The latest social engineering iteration involves multiple steps.

Cybercriminals don’t randomly try to target executives with fake wire fraud.

Instead, they first infiltrate the organisation, then conduct reconnaissance and wait for an opportune time to trick targets by attacking from a compromised mailbox.

Step 1: Infiltration

Most attacks are easy for individuals to sniff out, containing weird addresses, bold requests or misspelled words.

Organisations are now seeing a rapid increase in personalised attacks that are difficult to spot, especially for people lacking security awareness.

A common example is an email, apparently from Microsoft, telling the recipient that they need to reactivate their Office 365 account.

It won’t appear suspicious, but hovering over the link shows that it leads to a different website.

People with high security awareness would spot this, but the average employee wouldn’t.

The aim is to steal usernames and passwords.

Once the attacker gains control of these details, they can log into an account if multifactor authentication isn’t enabled.

Step 2: Reconnaissance

The attacker will typically monitor the account and read email traffic to learn about the organisation: who the decision makers are, who can influence financial transactions or who has access to HR information.

They can also spy on interactions with partners, customers or vendors.

Step 3: Extract value

Attackers then launch a targeted attack.

They could send customers fake bank account information when they’re about to make a payment, or trick employees into sending HR information, wiring money or clicking on links to collect additional information.

Since the email’s coming from a genuine (albeit compromised) account, it appears legitimate. Reconnaissance allows the attacker to perfectly mimic the sender’s signature and text style.

Take action

The best defence against phishing and spearphishing is to make users aware of the threats and techniques used by criminals.

1) User training

The best approach is to implement a simulation and training program to improve security awareness for an organisation’s users, to help them recognise subtle clues to identify phishing attempts. Regularly train and test all employees to increase security awareness. Staging simulated attacks for training purposes is by far the most effective method.

2) Authentication

Multifactor authentication is essential to stop attackers gaining access to accounts – whether an organisation uses SMS codes, mobile calls, key fobs, biometric thumbprints or retina scans.

3) AI protection

AI now offers some of the strongest hope of shutting down spearphishing.

By learning and analysing an organisation’s unique communications patterns, an AI engine can sniff out inconsistencies and quarantine attacks in real time.
