The Art of Spear Phishing

In the past, users might have been asked, via a link embedded in an email, to go to their company website and provide personal or corporate information. There was a good chance that neither the email nor the website was genuine. At that point, critical information may already have been compromised and used by these “hackers” to obtain further confidential information.

Now fast forward to today’s business cybercriminals.

“Spear-Phishing”

“Spear phishing” perpetrators target specific people within an organization, as opposed to sending emails to masses of users in the hope that some will respond. The new cybercriminals send what looks like a real email from an actual user name within the company; company websites and social media serve as the resource for this information. The receiver is likely to be a person in the finance department who can process payments and other financial transactions. The receiver sees an email from the supposed executive requesting, perhaps, a wire transfer of funds to one of the company’s clients. The email may also appear to come from the executive’s personal email account. It would most likely request that a wire transfer be made to a known customer or client, which is normally a legitimate request. The account information embedded in the email, however, is the perpetrator’s own account, which is valid only temporarily, until the scam is reported.

Spear phishing depends on three things:

  • The sender must be known: an executive such as the CEO, CFO, or CTO.
  • The embedded information in the email looks legitimate: logos, even the names of noted people within the organization.
  • The request also falls into the legitimate arena: from the CEO or CFO, “Please wire money to our client.”

An example of a typical spear-phishing attempt is below:

  • John Smith – CEO of Our Company – found on the website
  • Becky Thomas – working in the Finance department – found on social media

Statistics from the FBI – Krebs on Security

In January 2015, the FBI released stats showing that between Oct. 1, 2013 and Dec. 1, 2014, 1,198 companies lost a total of $179 million in business email compromise (BEC) scams, also known as “CEO fraud.” The latest figures show a marked 270 percent increase in identified victims and exposed losses. Taking into account international victims, the losses from BEC scams total more than $1.2 billion, according to the FBI.

While email threats continue to rise, recent data shows that establishments across assorted fields are protecting their entire environment with the DMARC protocol.

What is DMARC?

DMARC, which stands for Domain-based Message Authentication, Reporting & Conformance, is an email authentication protocol. It builds on the widely deployed SPF and DKIM protocols and adds a reporting function that allows senders and receivers to improve and monitor a domain’s protection from fraudulent email. More companies are implementing this protocol, including AT&T, Comcast, Yahoo, Facebook, and Microsoft.

Image taken from The Register 

DMARC is a great defense against spear phishing and stops many of the most common attack methods. It is also free to use; however, implementing DMARC should be done conservatively and with a watchful eye, because there is a high risk of false positives: legitimate mail that fails the checks.

Implementing DMARC

Preparation

Create a DMARC record in your public DNS entries. This tells your organization and others what to do with bad or fake mail that pretends to come from your organization. If you don’t already have SPF and DKIM entries, create them at the same time, since DMARC builds on both.

Monitoring

For about a month, someone needs to monitor the deployment to identify false positives: mail that partner organizations legitimately send on your behalf (which may not go out very often), or a server that sends email through irregular routes. It can take anywhere from a few hours to a couple of weeks to sort through the initially flagged emails and separate the good from the bad. During this time, adjustments are made to ensure that legitimate emails fall within the scope of the implementation.

Deploy and maintain

Once things have settled into a steady state with few or no false positives, the DMARC record is updated to tell other servers to quarantine or reject bad messages. Since no company’s environment is static, DMARC includes a provision to send a log of flagged mail to your administrator. This allows any future adjustments to be identified and addressed without a regular manual check-in.
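As an added example (not part of the original article), the following Python script covers the two artifacts the preparation, monitoring and deployment steps revolve around: the `_dmarc` TXT record for each phase (p=none for monitoring, then quarantine, then reject) and a parser for the aggregate reports that receivers mail to the `rua` address, which is where the false positives of the monitoring phase show up. The domain, report contents and IP addresses are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample DMARC aggregate (rua) report; domain and IPs are placeholders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>ourcompany.example</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.42</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
</feedback>"""

def dmarc_record(policy, rua_mailto):
    """TXT value for _dmarc.<domain>. Deployment moves p=none (monitor only)
    -> p=quarantine -> p=reject as false positives are cleared."""
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("unknown DMARC policy: " + policy)
    return f"v=DMARC1; p={policy}; rua=mailto:{rua_mailto}"

def summarize_report(xml_text):
    """Map each source IP to its message count and whether DMARC passed."""
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"count": 0, "aligned": True})
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        summary[ip]["count"] += int(row.findtext("count"))
        summary[ip]["aligned"] = summary[ip]["aligned"] and passed
    return dict(summary)

def failing_sources(xml_text):
    """IPs whose mail failed DMARC. During monitoring each one must be
    classified: a legitimate sender to fix (SPF include / DKIM signing)
    before tightening the policy, or a spoofer the policy should block."""
    return sorted(ip for ip, s in summarize_report(xml_text).items()
                  if not s["aligned"])

if __name__ == "__main__":
    print(dmarc_record("none", "dmarc-reports@ourcompany.example"))
    for ip, s in summarize_report(SAMPLE_REPORT).items():
        print(ip, s["count"], "pass" if s["aligned"] else "FAIL")
```

Real reports arrive as compressed XML attachments and usually contain many more rows; the summary is what an administrator reviews before moving the record from p=none to quarantine or reject.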

There are tools that will help thwart these types of email attack. However, these tools are not the “end all” solution. End users should be cognizant and diligent with any communications that come into their company, double checking (in person or by phone) to verify requests such as wire transfers. After all, “fool me once, shame on you; fool me twice, shame on me.” The only problem is that once is all it takes.