By Ray Ancel, Information Security Analyst, CliftonLarsonAllen LLP
Most of the general public has wised up since the early days of phishing; most will simply ignore those grammatically-challenged emails promising “Free Amazon Gift Cards” instead of clicking on the trick link. Networks and spam filters have also become stronger, blocking most of these emails from even arriving in your inbox.
But phishing has evolved since those early days. Today’s phishing is much more sophisticated, because it’s a targeted attack, duping people and systems alike.
In a targeted phishing campaign, attackers conduct detailed research on an organization ahead of time. They learn the services provided, the personalities of the people who work there, and the types of controls that might be used to mitigate phishing attempts. As an ethical hacker, I know how they work because I utilize similar tactics. Here’s what they do, and what you can do about it.
Step one: pre-phishing research
Facebook, LinkedIn, and an organization’s website are rich sources of personal information. They reveal personality and language norms (casual or formal) that might shape the tone of a phishing email. Search engines can reveal additional details, like a local news outlet reporting a feel-good story about the CEO’s retirement and the name of their replacement.
As an example, while Googling my target organization during a recent test, I discovered who their security vendor was because their IT leader endorsed the vendor on that vendor’s website. The endorsement included the name of the organization I was working with and the name of the chief technology officer.
The vendor’s website detailed the types of services offered and how those services work. This information allowed me to know what services were not offered, and then create a phishing email I knew would slip past their filters with a malicious file I knew would go undetected.
Step two: the phishing attack
Once attackers have the information they need, they can start employing social engineering techniques to dupe employees. They first buy a domain name similar to the target’s, so that only a particularly attentive employee would spot that the “I” in the email address had been replaced with an “L.” Then the attackers carefully craft a phishing email with perfect English and spelling.
It may drop the name of the head of human resources, or the CEO. The email may inform users about a small update to the employee handbook and ask the user to review the changes by downloading it from a link or opening an attachment. The email likely references the organization and the employee by name, and even uses a valid email signature.
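To show the lookalike-domain trick from the defender’s side, here is an added example (not from the article or from CLA) that classifies a sender address against an organization’s real domains, folding confusable characters such as capital I, lowercase l and the digit 1 before comparing, and also catching single-character typosquats and the real domain used as a subdomain of another one. The trusted domain list is a constructed assumption.

```python
import re

# Constructed allowlist of the organization's own sending domains (assumption, not from the article).
TRUSTED_DOMAINS = {"example-corp.com"}

# Character groups that look alike in typical email fonts. The first entry is the
# canonical form; the others are folded into it before comparison.
CONFUSABLES = [("l", "I", "1"), ("o", "0"), ("m", "rn"), ("w", "vv"), ("d", "cl")]


def skeleton(domain: str) -> str:
    """Fold confusable characters so a lookalike collapses to the same string as the real domain."""
    s = domain.strip()
    for canonical, *others in CONFUSABLES:   # fold before lowercasing so capital I is caught
        for other in others:
            s = s.replace(other, canonical)
    return s.lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one-character typosquats like exanple-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain part of a sender address."""
    match = re.search(r"@([A-Za-z0-9.\-]+)$", address.strip())
    if not match:
        return "unknown"
    domain = match.group(1)
    if domain.lower() in trusted:
        return "trusted"
    sk = skeleton(domain)
    for t in trusted:
        if sk == skeleton(t) or edit_distance(sk, skeleton(t)) == 1:
            return "lookalike"   # homoglyph swap or single-character typosquat
        if domain.lower().startswith(t + "."):
            return "lookalike"   # real domain used as a subdomain of someone else's domain
    return "unknown"
```

A mail gateway rule or a triage script for the reporting mailbox can tag anything returning "lookalike" for review rather than blocking it outright.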
Step three: clicking the bait
Once the user opens the document, the attackers might take various routes depending on their motives. Some will deploy ransomware, which spreads across the network, encrypting files and informing the user that to regain access, he or she has to pay a ransom, usually in a cryptocurrency such as bitcoin. Ransomware can impact operations for days, resulting in massive downtime or an expensive payout to try to regain access to data.
Other attackers are looking for sensitive information. This might be employee records, customer records, or trade secrets, which will be used to gain market advantage or be sold to a third party. They may look for financial information to perform an unauthorized wire transfer or hijack your network to compromise another target.
Some attackers plant malicious files that may contain a virus or worm like Stuxnet, which targeted programmable logic controllers that are often used to control manufacturing equipment and assembly lines. In this case, Stuxnet caused physical damage to equipment, shut down assembly lines, and set Iran’s nuclear program back years.
Other phishers are attempting to obtain user credentials so they can log in to the network via a VPN or access webmail. They could then spread malware or ransomware, or obtain access to sensitive information, all as the result of a single user falling for an email phishing attack.
What you can do
There are three main lines of defense against these advanced phishing threats: an educated workforce, a clear set of rules, and tools that work.
Educate your people
Your employees are your first line of defense in the age of social engineering. Make security awareness training a part of your onboarding process for all users. Training should include examples of phishing attacks to help users identify malicious emails. Regularly communicate phishing stories from the news that show a new twist on the basic technique.
These stories can help prevent a similar attack from working against your users. In some cases, they may prompt a user to come forward and report that they have been targeted. Make it easy to come forward: implement a memorable email address and instruct users to forward suspicious emails to that address for IT to review.
Build robust security policies
Do your employees routinely share passwords or check personal email at work? Do IT personnel open ports on the firewall to operate from home? Strong security policies are the backbone of a resilient security strategy. Policies should address your unique organizational issues, and clearly outline end user responsibilities and accountability. Good policies help build a culture of awareness among employees.
Build strong controls
Make sure your network is designed to protect the unique characteristics of your organization. Do you have a mobile workforce and multiple locations? One central location with one network? Secure your systems and applications with a network built to address the specific vulnerabilities of your situation.
How we can help
We can test your organizational readiness by simulating an actual phishing attack to see what percentage of users fall for the trap. We can also review your policies and procedures, test your social engineering readiness, assess your current training program, and deliver training for you.
Ray Ancel is an information security analyst at CliftonLarsonAllen LLP. He can be reached at Ray.Ancel@claconnect.com.
CliftonLarsonAllen Wealth Advisors, LLC disclaimers (http://www.claconnect.com/general/wealth-advisors-disclosures) © 2018 CliftonLarsonAllen. All rights reserved. “CliftonLarsonAllen” and “CLA” refer to CliftonLarsonAllen LLP. Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor.