Spear Phishers Aiming At SMBs

As news of new breaches associated with targeted phishing attacks stream the wires, and hackers continue to refine their method of homing in on highly specific victims, it is becoming clear that this season is shaping up to be the summer of spear phishing. The breaches at RSA, Epsilon, and the International Monetary Fund (IMF) all showed signs that spear phishing was used as the point of origin for more sophisticated attacks. And while some of the splashier stories have featured enterprises foiled by spear phishing, the threat is very real for small businesses as well.

Security researchers from Symantec this month reported that spear phishing is currently at a two-year high, with the majority of attack schemes targeting individuals -- particularly high-value victims, such as small businesses, that might have larger bank accounts than consumers, but fewer security tools and less awareness than large organizations.

“Spear phishing is difficult to defend against because it primarily targets users, not PCs, and the information that attackers can gather from social networking sites makes the phishing emails look very convincing," says David Beesley, managing director of security consultancy Network Defence. "As we’ve seen, it makes these attacks effective against any size of organization."

According to Francis de Souza, group president of enterprise products and services for Symantec, these attacks "thrive on familiarity," with attackers using the abundance of personal information available online through social networks and through a plethora of black market information available from past data breaches involving email addresses to craft very personalized phishing messages.

"All of this information, where someone works, their title, where they went to school: It is all available on the Web, so you can design a spear-phishing email very easily, and it can absolutely fool pretty much anybody," says Brent Remai, vice president of marketing for FireEye. "They click on it, and guess what? They're infected, and then it propagates itself to all the other devices in the organization."

And with millions more addresses and personal details hitting the street in the wake of the Epsilon and Sony breaches, the deluge is bound to get worse.

"[With Sony], it's 100 million users at significant risk of spear phishing and identity theft, and that risk is perpetual. It is not going to go away," says Jon Heimerl, director of strategic security for Solutionary. "Once that information is out, it is out: names, addresses, email addresses, birthdates, user names, and challenge questions. All of it can be used."

The rise of spear phishing is a rational extension of cyberattackers' evolution to adjust to better security measures designed to thwart generic phishing attempts that blanket a large swath of email users with easily detected messages. Attackers have now developed a range of tools to leverage readily available information to quickly create very targeted messages to a more select group of users. If SMBs are to wriggle off the spear phisher's point, then they'll need to regularly evolve.

“Really, firms need to use a mix of user education and layered security solutions to defend themselves. Employees should be aware that even plausible-looking emails should be treated with suspicion, and IT teams should look at their AV and anti-spam solutions to try and stop malware propagating," Beesley says. "Using Web proxies can stop executables and exploit code from reaching desktops, and intrusion-detection systems can help spot unusual data traffic movements.”

It is also critical to get back to basics -- many spear-phishing attempts are just the start of further attacks into an organization's network. Many of these depend on vulnerabilities for which patches already exist. SMBs that fail to update their software are at far greater risk of a debilitating incident than those who patch religiously.

"Many companies don't have good controls in place to ensure that software is kept up to date and that security patches are installed in a timely manner," Heimerl says. "Just because something is simple doesn't mean it is unimportant."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.