Blog-Hero.jpg

blog

Isolate the Unstoppable - Spear-Phish

Mar 31, 2017 05:06:30 AM

spear phishing600x340.jpg

Just like a tsunami, spear-phishing attacks continue to be unstoppable. As spam and phishing filtering has improved, attackers have ‘upped' their game even further. Just like in sports, attackers operate at many layers, from amateurs to low-level professionals through to nation-state and specialist gangs focused on specific targets. 

Phishers and spammers no longer send tens of millions of the same message any more, making it much harder to detect at the network and ISP level. Even top level anti-phishing gateway solutions fail to detect them accurately every time. Many of the high-level and professional phishing emails are truly unique, like snowflakes, called 'patient zero’ in the industry. This means it’s impossible to create a rule to address every iteration of every phishing email without slowing down email to such an extent that employees can no longer do their job via email efficiently.  

Anti-phishing vendors have to walk the line of being able to detect enough of the bad stuff without blocking too much good stuff….which allows a grey area in which good, targeted phishing emails can safely ‘play’ within an inbox today. Herein lies the problem. If my solution catches lots of bad stuff, it’s likely to block lots of good, legitimate email as well, because really well-written phishing emails look exactly the same as a bad one, typically. But, if I dial the detection engine down, employees get lots more junk and spam email to decide what is or isn’t legitimate.

Factor in that most employees may get security training once or twice a year at best, then they forget it and get on with their day jobs. Reminding users about email security and phishing attacks is getting better with physical awareness, posters in the office, etc., which continue to raise awareness to the less professional phishing emails. And, while it can help some of the time, it will never work for all users all of the time.

By far the biggest challenge today for most good anti-spam solutions is they don’t know what happens when the browser fetches the web content with the employee’s browser. They can’t understand and evaluate the risk associated with the JavaScript embedded on a web page. As I have seen throughout my career, a great sandbox may find threats many times, but not every time. Attackers can be highly sophisticated and use varying browser types, versions, IP ranges, language settings and many other variables to trigger delivery or non-delivery of payload. This intelligent design ensures even market leading anti-spam solutions will fail to detect well-written spear-phishing emails, even in 2017,  and that some spear-phishing emails may end up in the inbox of an employee. Many employees have been told that their emails have been filtered for bad stuff and assume they can freely click on most things; they assume security is doing their job and therefore they don’t have to think too much. If we layer user education into this, then we can help and hope that the employee will remember their training... ‘hopefully.’.

As an example from my own HotMail account, what if every link (bar the final one) is correct, legal and looks exactly like a legitimate message? It’s unlikely then that even a trained user would spot it and call it suspicious. For example, one email I received was from a vendor invoice for songs I didn't buy. Every single link was a legitimate link, apart from the  'Manage Subscription' link at the bottom. It took me ten minutes to work out that the email was fake. The URL took me to a fake vendor page in Russia that was created the day before.

In short, awareness is critical for employees to ensure that they continue to think and consider before clicking on links. However, professional attacks could even be legitimate internal messages.

One of my favourite spear-phishing hacks was the CNN social media hack in 2014 by the Syrian Electronic Army. A CNN social media employee was tricked into a fake Outlook login page, where he entered his username and password, and gave his credentials to the attacker. The attacker then sent an email on his behalf to the rest of the team asking for their Twitter and Facebook credentials - the proverbial keys to the kingdom - in what looked like a legitimate email from a colleague. There are many other stories we could share as well, but I think you get the theme. Employees are busy, distracted and even with the best training and intentions, will make mistakes. This is where the good phishers flourish.

Awareness- and detection-based technologies will only get you so far. There is no silver bullet to stop really good phishing emails getting to their target, even in 2017, after 20 years of fighting this battle. 

Technologies like Isolation can help customers further mitigate this risk for those phishing emails that do get through to inboxes, and provide realtime end-user awareness and education while protecting users from browser-based attacks or potential credential theft attacks that phishers are hoping to succeed with.  

Attackers will always outsmart defensive layers. Many years ago, I spent some time with a spammer, Spammer X, and his job was to work out what spam and phishing filters were looking for, every hour of every day and then defeat them. The research pays off when you can steal millions of dollars of data, intellectual property or money via electronic transfer, as some examples.  

Spear-phishing isn’t going away; it’s simply too effective for attackers. It’s time to consider new ways to mitigate the risk.

Jason Steer
Written by Jason Steer

Connect with us

Lists by Topic

see all