Despite the funny name, phishing is no joke. In the last year, approximately 1.2 million computer users in the U.S. felt the pain of being hooked by a phishing exploit, according to a recent report by the Anti-Phishing Working Group (APWG), an industry association set up to fight this threat. Losses added up to almost a billion dollars.Unlike traditional phishing, which takes a scattershot approach, spear phishing is a carefully planned and executed attack against selected organizations. But it still succeeds by getting individuals in the organization to drop their guard.Text
Since its emergence as a scam against AOL members in the mid-90s, phishing has been used to get individuals to divulge personal information, such as passwords and bank account numbers, through e-mail messages that appear to be legitimate requests for such information. Victims may have thought they were responding to a message from their bank, or other trusted organization, asking them to verify their username and password. This information is then used to steal their money or their identity, or both.
Spear phishing targets corporations
Increasingly, though, this scam has become more targeted towards obtaining corporate information, or abusing corporate computing resources. Unlike traditional phishing, which takes a scattershot approach, spear phishing is a carefully planned and executed attack against selected organizations. But they still succeed by getting individuals inside the organization to drop their guards.
Another report by the APWG identifies financial institutions as the prime target of spear phishing exploits, accounting for at least 80% of all attacks. ISPs and retailers are also frequent targets.
At a November roundtable discussion, where it was reported that more than half of all Canadian corporations believe their data to be at risk, Dr. Clemens Martin, assistant professor at the University of Ontario Institute of Technology, demonstrated how spear phishing works.
In Martin’s example, an e-mail was sent to selected university employees, by name, supposedly from the IT department. It notified the employees that they were required to verify their user information and change their password in response to a possible breach of security.
The message looked authentic. It appeared to come from an authorized person, using proper corporate logos and a familiar format. A link was provided that took the victim to a web page that, again, looked authentic. All of the links on that page worked and they all pointed to real university Web pages, except the one that took the victim to the false page where the password was entered.
Even after the password had been entered, there was no indication that anything was wrong because the password was actually changed in the university system — by the phisher, after he or she had captured it for future use.
Fortunately, according to Andrew Klein, manager of the MailFrontier Threat Center at Palo Alto, California-based MailFrontier Inc., exploits like this are still quite rare. It takes a lot of planning and effort to set something like this up. On the other hand, this sniper-like precision makes them all the more dangerous because they are difficult to detect.
MailFrontier develops e-mail security software that defends against spam, phishing, viruses and a host of other e-mail-borne threats.
As Martin puts it, “It’s astonishingly easy to create the exploit. The harder part is doing the research on the company and figuring out which employees might fall for the deception.”
It would be extremely difficult for even an aware employee to detect the fraud being perpetrated here, but not impossible.
Klein points out some things to watch for, despite the difficulty of identifying a spear phishing exploit. “There are several clues in the header that help determine if the e-mail is fraudulent,” he explains. “These include the original source and the number of hops it took. Comparing this to what it’s supposed to be will tell you if it’s fraudulent. This sort of vigilance will thwart most attempts.”
A three-pronged defence
Experts identify three components of a successful anti-phishing strategy: education, technology and best practices.
“Employee awareness is one part of the solution,” says Martin. “You have to do that continuously — to make them aware of their responsibility for the health and safety of the computing and networking equipment.”
In a somewhat controversial training regime, some organizations hit their own employees with simulated phishing attacks to raise awareness of the problem. If they fall for the ruse, they receive a warning.
On the technical front, some phishing filters – such as MailFrontier’s – do a pretty effective job of deflecting attacks. But they have to be designed specifically to catch phishing e-mail. A straight spam filter won’t work, according to Klein.
“Spam filters are designed to catch words that are not acceptable, such as ‘Viagra’, or spelling variations. Phishing e-mail would not use misspelled words. I have to create something that you would reasonably expect to receive in your e-mail flow, and that is exactly what spam filters are looking to let through.”
Filters can quickly analyze e-mail for specific indicators, and will flag a given message as having a high probability of being phishing. But the recipient, or the IT department, can look more closely to be sure. It’s up to the customer to decide how to respond to the threat.
There are other technical steps companies can take, beyond phishing filters.
For instance, Martin urges companies to build defense systems and anomaly detection systems inside their networks as well as at the perimeter, so they know what’s going on inside and outside.
“We might also consider investing in infrastructure that does a more strict compartmentalization of internal networks,” he adds.
“So that a successful attack to one area does not spread as easily to other parts of the network.”
Companies also need to make these measures part of comprehensive security plans based on best practices as they apply to their particular situations.
But when Klein uses the term “best practices,” he is referring to more than good security practices. He is also talking about good e-mail practices.
In other words, companies need to ensure that the legitimate e-mail messages they send out conform to good practices so they are easier to identify as legitimate.
He relates the experience of one company, whose employees received e-mail from their ISP notifying them of changes to the e-mail servers. Despite being legitimate, these messages bore all the hallmarks of a phishing attack: They were unexpected. They were not addressed to individuals by name. They told the recipients to respond by clicking on a vague link and gave them no alternative.
The effect was to confuse and frighten many employees, and diminish the effectiveness of prior training.
“We want people to continue to use e-mail, and companies have a role to play in ensuring that by following standards,” Klein adds.
Phishing season
There are many possible motives behind phishing attacks. Martin cites the possibility of industrial espionage, extortion, theft and revenge, among others. He believes organized crime or hostile countries may be active in these exploits, as well as gangs.
Klein says the professional nature of the attacks, the linkages between different capabilities and functions, and the ability to scale projects, all indicate the involvement of a group of people working together to achieve its goal.
Arrests and convictions