The impact of a breach like that of email marketing firm Epsilon's can be far-reaching: Epsilon reportedly "sends over 40 billion emails annually and counts over 2,500 clients, including 7 of the Fortune 10 to build and host their customer databases." Looking at a sampling of Epsilon's client list gives us an idea of the breadth of affected individuals: Best Buy, Walgreens, US Bank, Capital One, Home Shopping Network, New York & Company, and many more as seen in this list.
The data thieves behind the Epsilon attack, as well as the recent attacks on Sony and others, now have a treasure trove of information for targeted, spear-phishing attacks -- information that will remain relevant because humans are creatures of habit. We like to shop at the same stores, and we don't want to change cellular carriers or credit card companies because they might have lost our data. We've seen proof of this with other large breaches; the majority of the breach victims simply are not going to stop using the services or buying products from the companies that lost their data.
The increased threat of spear-phishing attacks brought about by the breaches is due to the nature of the attack and the targets. Spear-phishing targets specific groups of people -- a group who works together at the same company or in the same department, for example. Or a group of consumers who shop at the same store or have the same cell phone provider.
Any one of Epsilon's clients is ripe for spear phishing now that attackers have names, e-mail addresses, and possibly other pieces of information to leverage. Take that data, put it into a well-crafted e-mail using the retailer's graphics, and it becomes an effective weapon to lure end users into clicking on a link or responding with their credentials. And no matter how much time you put into security awareness for your users, someone is going to click the link or respond to the e-mail.
The recent high-profile spear-phishing attack against Oak Ridge National Laboratory is proof that anyone can be a victim. The Oak Ridge lab conducts classified and unclassified research for the federal government and even has a group researching malware and vulnerabilities in software and hardware. The lab's network was compromised from users clicking on a link in a spear-phishing e-mail that took them to a website that exploited a zero-day vulnerability in Internet Explorer. The exploit resulted in malware being installed on at least two workstations, and several servers were compromised that were sending data outside the network.
Security professionals are stuck holding the bag when asked why a spear-phishing message got through. The question could be asked why the user clicked on it, but if he hadn't received it -- well, you know the drill. Instead of blaming the e-mail security solution for failing, first look and see whether there is a way to modify its configuration to catch similar e-mails in the future. Once that's done, move on to other areas of the environment to make sure there are controls at multiple layers to catch the malware on the workstation or malware that has spread to a server.
We all know layered security is the best approach, and phishing is one of those threats that requires defense in depth. Beyond the usual e-mail security appliance or cloud service, there needs to be the standard desktop hardening: regular patch management, antivirus, and ensuring that users are not administrators on their workstations.
Going a step further, application whitelisting can be added to provide a protection layer that could stop the malware from getting installed after exploiting the Web browser, similar to what happened in the Oak Ridge breach.
Some organizations have tried to "de-fang" incoming e-mails by banning HTML e-mails and rewriting URLs so they cannot be easily clicked on. Users have to copy and paste the URL into a Web browser manually to visit the link. The extra step causes them to look at the URL more closely and has led to a large reduction in malware infections due to phishing and a rise in user-identified phishing attacks.
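As an added illustration of the de-fanging approach described above (example code, not from the original article), here is a small Python mail-filter sketch that flattens HTML parts to plain text, surfaces each link's real target, and rewrites URLs so mail clients will not auto-link them; the sample message, addresses and hostnames are constructed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Matches http/https URLs: group 1 = scheme, group 2 = the rest of the URL.
URL_RE = re.compile(r'(?i)\b(https?)://([^\s<>"\'\[\]]+)')


class _TextExtractor(HTMLParser):
    """Flatten an HTML part to visible text, showing each href target inline."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.parts.append(f" [{href}] ")  # expose the real link target

    def handle_data(self, data):
        self.parts.append(data)

    def text(self):
        return " ".join("".join(self.parts).split())


def defang_urls(text):
    """Rewrite http(s) URLs (hxxp, [.]) so clients will not render them as links."""
    def repl(m):
        scheme = m.group(1).lower().replace("http", "hxxp")
        return f"{scheme}://{m.group(2).replace('.', '[.]')}"
    return URL_RE.sub(repl, text)


def defang_message(raw):
    """Return a plain-text-only copy of a raw RFC 5322 message with URLs defanged."""
    src = message_from_string(raw, policy=policy.default)
    chunks = []
    for part in src.walk():  # a single-part message yields itself
        ctype = part.get_content_type()
        if ctype == "text/html":
            extractor = _TextExtractor()
            extractor.feed(part.get_content())
            chunks.append(extractor.text())
        elif ctype == "text/plain":
            chunks.append(part.get_content())
    out = EmailMessage()
    for header in ("From", "To", "Subject"):
        if src[header]:
            out[header] = str(src[header])
    out.set_content(defang_urls("\n\n".join(chunks)))  # text/plain only
    return out


# Constructed sample: a retailer-styled HTML lure with a single "sign in" link.
SAMPLE = """From: promo@example.com
To: user@example.org
Subject: Your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="https://login.example.com/verify?x=1">sign in</a> now.</p></body></html>
"""
```

Running `defang_message(SAMPLE)` yields a text/plain message whose body reads "Please [hxxps://login[.]example[.]com/verify?x=1] sign in now.", so the user must copy and repair the URL by hand before visiting it.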
Forcing all users through Web proxies can stop executables and exploit code from ever reaching the desktops. Choosing a different vendor for the Web proxy from your e-mail security vendor can also increase the rate of detection because not all vendors catch the same things.
As the last line of defense, intrusion detection systems (IDS) and data leakage prevention (DLP) solutions can aid in detecting and preventing data from being siphoned from the internal network out to the attacker. Of course, no one ever wants a spear-phishing attack to get this far, but having these solutions in place can help.
Spear phishing is a difficult attack to defend against because it targets the humans in your network, not the computers. And we all know that you can't patch or upgrade a human. But you can train users to help identify phishing attacks as they occur. Even so, training and awareness do not work for everyone: There's always someone who will click the link, and that's when the other layers of security must be in place and up-to-date.