Without taking proper precautions, your computer is a veritable smörgåsbord for hackers. Hackers have developed an array of techniques to infiltrate your system, extract your data, install self-serving software, and otherwise wreak havoc on your system. Every network in the world is vulnerable to hacking attempts; it’s simply a matter of which systems the hackers deem worth the effort. Preventing hackers from successfully compromising your data requires an understanding of the various solutions. However, very few of those solutions are truly effective.
The Differences Between Phishing and Spear Phishing
Phishing casts a wide net to hundreds, thousands or even millions of email addresses. Phishing can be used to steal passwords, perform wide-scale malware deployment (think WannaCry), or even as a component of disinformation campaigns (think Russia). More often than not phishing is carried out by financially motivated criminals. In most cases, the phishing breaches are not detected until it is too late and it is nearly impossible to prevent damages.
Spear phishing, like the name implies, is a more targeted version of phishing. Spear phishing campaigns are generally conducted against companies, specific individuals, or small groups of individuals. The primary goal of a spear phishing campaign is to gain entry into a target network. The DNC hack, for example, was accomplished by using spear phishing as the initial method of breach. Once the breach was effected, the hackers began performing Distributed Metastasis (aka pivoting) and secured access to sensitive data.
In nearly all cases, businesses and governments are ill prepared to defend against phishing attacks. This is in part because the solutions that exist today are largely ineffective. Most commercial phishing platforms provide the same basic level of benefit as automated vulnerability scanners. If you really want to defend against phishing then you need to use a solution designed specifically for you and your network.
Real (not commercial) Tactics For Phishing and Spear Phishing
An email will go out, supposedly from a trusted source. In reality, it will come from a chameleon domain set up specifically by the hackers to leverage your trust. A chameleon domain is a domain which appears to be the same as your company’s domain or a high profile domain but isn’t. (The domains are often accompanied by a clone website with a valid SSL certificate.) For example, instead of linkedin.com, the chameleon domain might be 1inkedin.com. These two domains might look identical at a glance, but in the second the lowercase L of LinkedIn has been exchanged for the number one. Historically, hackers used Internationalized Domain Name (IDN) homograph attacks to create chameleon domains, but that methodology is no longer reliable.
An email might also arrive from a different Top Level Domain (TLD). Let’s say, linkedin.co, linkedin.org, or even linkedin.abc. There are many opportunities for deception when it comes to creating a chameleon domain. All of these oppotrunities exist because the human brain will read a word the same way so long as the first and last letter of the word are in the correct place. For example, you would likely fall victim to phishing if you read the word “opportunities” in the previous sentence and didn’t notice that we swapped the places of the letters “T” and “R”. Experienced hackers are masters at exploiting this human tendency. (https://www.mrc-cbu.cam.ac.uk/people/matt.davis/cmabridge/)
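As an added example (not code from the original article), the following Python checker flags the lookalike patterns described above against an organization's own list of trusted domains: confusable-character substitution (1 for l, rn for m), a swapped TLD, an adjacent-letter transposition, and non-ASCII or punycode (xn--) labels that indicate an IDN homograph. The TRUSTED set and the CONFUSABLES table are constructed assumptions for this example; a real deployment would run it over the sender and link domains of inbound mail.

```python
# Added example: classify a sender or link domain against trusted domains.
# TRUSTED and CONFUSABLES are constructed assumptions, not values from the article.
TRUSTED = {"linkedin.com", "example.com"}

# Visually confusable sequences, folded back to the letters they imitate.
# Multi-character entries come first so they are applied before single ones.
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o", "3": "e", "5": "s", "7": "t"}


def normalize(label: str) -> str:
    """Fold confusable characters back to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def split(domain: str):
    """Return (second-level label, TLD), dropping any subdomains.
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def is_transposition(a: str, b: str) -> bool:
    """True if a and b differ only by one swap of two adjacent characters."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def classify(domain: str) -> str:
    """Return trusted, idn, confusable, tld-swap, transposition or unrelated."""
    domain = domain.lower().rstrip(".")
    # Non-ASCII characters or a punycode label: IDN homograph candidate.
    if not domain.isascii() or any(lab.startswith("xn--") for lab in domain.split(".")):
        return "idn"
    sld, tld = split(domain)
    for trusted in TRUSTED:
        tsld, ttld = split(trusted)
        if (sld, tld) == (tsld, ttld):
            return "trusted"          # the domain itself or one of its subdomains
        if tld == ttld and normalize(sld) == normalize(tsld):
            return "confusable"       # e.g. 1inkedin.com
        if sld == tsld and tld != ttld:
            return "tld-swap"         # e.g. linkedin.co, linkedin.abc
        if tld == ttld and is_transposition(sld, tsld):
            return "transposition"    # e.g. lnikedin.com
    return "unrelated"
```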
When (spear) phishing is combined with malware it becomes a powerful weapon. A common misconception is that antivirus and antimalware software will protect you from infection. If that were in fact true, then things like the recent WannaCry (MS17-010) threat would never have been a problem. The reality is that antivirus technologies aren’t all that effective at preventing infections. In fact, Intrusion Prevention Systems (IPS) also aren’t all that effective at preventing intrusions. If they were, then we would not be seeing an ever-increasing number of breached businesses (nearly all of which use some form of IPS or third party MSSP).
The bad guys may target 3 or 30 people with a spear phishing attack. To be successful with a well-crafted attack they only need a single victim. That victim usually becomes their entry point into a network and from there it is only a matter of time until the network is fully compromised. With a normal phishing attack, campaigns with larger numbers of victims are desirable. More victims equates to more captured data.
Businesses Making Money from Anti-Phishing
For some companies, there’s not a week that goes by without a phishing attempt landing in their email server. They are a source of consternation for companies everywhere.
Security companies, concerned about the devastation that phishing and spear phishing efforts can rain down, have taken up the mantle of offering education about phishing to their clients. They have special programs for mid-sized and large corporations to combat phishing efforts.
Once a company signs up for education it’s common to test the company soon afterward to see what needs to be covered. For instance, a phishing attempt is made against half or all of a company. It will be a typical, run-of-the-mill ‘attack,’ where the users are given a convenient link and encouraged to go there to ‘make it right’ again.
After clicking on the link, the user is taken to a site which informs them that they were phished, how they were phished, and safety measures to prevent future successful phishing. Information about the success rate of the phishing attempt is also gathered, so the security company has a baseline. From that information, educational materials are given to the company for further training.
A set amount of time later, usually a few months, the security company runs the same type of phishing attempt on the employees of the target company. The success rates are then compared (the second try usually has fewer people who were fooled) and the target company receives certification that they are safer from phishing attempts now that they have been educated.
How Effective Are Anti-Phishing Companies?
Employing an anti-phishing security firm can provide a false sense of security for companies that would be vulnerable to phishing attempts. Going through the education reduces the likelihood that a blatant and basic phishing attempt will succeed, but it usually does not do much to prevent a real-world, targeted attack, especially a spear phishing one.
Anti-phishing companies generally use automated systems to test a company’s phishability. They use the most rudimentary phishing techniques, but many advertise that their solutions will be more effective than they actually are against real-world phishing attempts. In other words, these anti-phishing companies generally provide a political solution rather than a real solution to the problem of phishing and spear phishing. This is very similar to how vulnerability scanning companies market themselves.
The people who want to break into a company’s system are patient. They custom-create a strategy to get into your systems rather than sending a blanket email to everyone in the company, which would be too blatant. Their attempts to socially engineer a favorable outcome are most likely going undetected.
The biggest question that an anti-phishing company has to ask itself is whether they are providing the level of security that they are promoting. By certifying employees as being phish-proof, does that mean that those employees are truly savvy enough to detect ANY phishing attempt? Is the security company simply marketing, or is it truly interested in protecting their clients against phishing?
Before going with a company that advertises anti-phishing education, keep in mind that spear phishing is highly customized and most likely won’t come to you as an email from PayPal, LinkedIn, or another popular site. It will most likely come to you from someone you know, possibly within your own company. Ask them what measures they plan to take to help you truly fight against the spear phishing attacks at your company.