December 18, 2014
Spearphishing: Protecting Yourself and Your Company
(Continued from Part 1: The Rise of Spearphishing)
The human element is often the easiest attack surface for malicious hackers. Networks can be hardened and secured, but this only goes so far if an organization neglects to train employees about the ways in which they personally can be used and manipulated in an attack. In the previous entry, we discussed the threat of spearphishing and its prevalence. In this entry, we will discuss ways to minimize the risk of this threat. There are four key elements to protecting yourself and your company from spearphishing attacks:
Employee vigilance and email link inspection
Far and away, the most effective way to minimize the likelihood of a successful spearphishing attack is employee awareness training and education. A qualified third-party security firm should conduct awareness training. Alongside this, we recommend that company-wide phishing tests be performed to simulate a real attack and to help discover those individuals who may need further training.
In a spearphishing attack, the attacker often provides a link and encourages the victim to click on it. Two critical tips can help reduce risk here:
- If you are sent an email containing a link, mouse over the link. A small box should pop up displaying the destination URL you would be taken to if you clicked the link. Say, for example, you receive an email from a friend asking if you’re attending a particular Facebook event, with a link to the event provided. When you place your cursor over the link, you see that the destination URL is actually “https://face-book159.com/login.html”. The destination URL is likely a fraudulent copy of Facebook’s site where the attacker will steal your password. Do not click the link; instead, forward the email to your IT administrator.
- Any time you receive an email from a popular institution that requires you to log in, never click any links in the email – even if the links appear legitimate (have a valid destination URL). Instead, manually type the URL in your web browser’s address bar. So, for example, if you receive an email from Amazon.com saying that a password reset is required, do not click any links in the email and only navigate to Amazon by typing https://www.amazon.com in your address bar.
These should be the first line of defense used to protect you and your company from spearphishing attacks. Without the utilization of the above strategies, the remainder of this article is not very helpful – so make sure you have your priorities set correctly!
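The mouse-over check described above can also be run automatically over the HTML body of an incoming message. The following is an added example, not part of the original article: the `TRUSTED` brand list, the function names and the sample message are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brands this mailbox expects, mapped to their genuine domains.
TRUSTED = {"facebook": "facebook.com", "amazon": "amazon.com"}
URL_TEXT = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)

def inspect_link(href, text):
    """Return the reasons a link's real destination looks suspicious."""
    host = (urlsplit(href).hostname or "").lower()
    reasons, shown = [], URL_TEXT.match(text)
    # Check 1: the visible text reads like a URL but the href goes elsewhere.
    if shown and not belongs_to(host, shown.group(1).lower()):
        reasons.append("text shows %s, link goes to %s" % (shown.group(1).lower(), host))
    # Check 2: a brand name padded with hyphens/digits on a non-brand domain.
    squashed = re.sub(r"[^a-z]", "", host)
    for brand, domain in TRUSTED.items():
        if brand in squashed and not belongs_to(host, domain):
            reasons.append("%s imitates %s" % (host, domain))
    return reasons

def scan_email(html):
    parser = LinkCollector()
    parser.feed(html)
    return {h: r for h, t in parser.links if (r := inspect_link(h, t))}

# Constructed sample message: one deceptive link, one genuine link.
SAMPLE_HTML = ('<a href="https://face-book159.com/login.html">https://www.facebook.com/events/123</a>'
               '<p>Reset your password at <a href="https://www.amazon.com/">Amazon</a>.</p>')
```

Calling `scan_email(SAMPLE_HTML)` reports only the face-book159.com link, with one reason from each check. A link that passes both checks is still covered by the second tip above: type the address yourself rather than clicking.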
Limiting information available about you on the web
The spearphishing methodology requires that an attacker perform research on a victim in order to make fraudulent communications with the victim appear to be from a trusted source and to increase authenticity. The first place an attacker will look is Google. If you Google your name, what comes up?
For most people, the answer is social media accounts, web forum memberships, and perhaps other sites that reflect your interests. This information can all be used to create a spearphishing attack that appears genuine. For example, if a Google search of your name shows your Twitter account, an attacker may research this account: see who you tweet to, what their names are, what your conversations are about.
Minimizing this threat is simple. Wherever you can, disable public display of your profile on these sites. Require that requests be sent to you, that your profiles are not included in search engines, and that all of your personal information and pictures are restricted.
Furthermore, if someone you don’t know sends you, for example, a friend request on Facebook – don’t accept! Be conscious of what information about you is out there and who can see it.
Avoiding reuse of the same password
This is an extremely common problem. Many people use the same password for all of their online accounts: social media, banking, email, PayPal and everything in between. Well guess what … bad guys know that!
If you do fall victim to a spearphishing attack, the extent of access you give a hacker can be limited by having dissimilar passwords across different services and accounts. In other words, don’t use the same password for everything! During a penetration test, when OST discovers a password, the first thing we do is try it in as many other places as we can. It almost always provides us further access.
Not to mention, there’s a big difference between losing control of your Facebook account and losing control of your bank account!
Proper patching, email/web filtering, and antivirus
The primary target in a spearphishing attack is a human. Spearphishing risk mitigation occurs most effectively through awareness, training, and pattern change as described above. However, a strong second line of defense can be added via technology. Regular patching, active filtering and antivirus are also critical elements of protecting yourself. Spearphishers may use infected files as part of their phishing attack (e.g. your “boss” sending you a PDF report on your performance). Though they may not catch everything, filters are designed to prevent delivery of these types of infected messages; antivirus is designed to prevent infected files from running.
Everyone knows that computers and networks need to be protected from hackers. Lack of awareness regarding the human element of IT security is the reason that spearphishing is as prevalent and successful as it is. While it is impossible to be perfectly safe, making use of the tips outlined above will dramatically reduce the risk of you or your organization falling victim to a spearphishing attack.