Category Archives: data leakage

What Is Spear Phishing and How Do You Prevent It?

There’s more than one way to catch a ‘fish’ with phishing. And because the world of hacking always delivers when it comes to wacky wheeling-and-dealing, in this article I’ll be talking about spear phishing attacks. What is spear phishing, you ask? Long story short, it’s a phishing technique that plays on the victim’s trust or, rather, his gullibility.

Spear phishing attacks are surgical, while general phishing attacks are more like “let’s cast this lure in the puddle and see what bites.” So, without further ado, let’s dig right into it. FYI: in this article, I’ll be covering the difference between spear and whale phishing and how to protect your company’s digital assets against them.

What is Spear Phishing?

So, what is spear phishing? According to the Big Book of things that go bump on the Internet and can really ruin your day, spear phishing is an email spoofing attack that targets very specific and very ‘employed’ individuals. As Aaron Ferguson noted, spear phishing attacks are directed against an employee or an organization.

What makes them so successful? Good question! Ferguson, an NSA agent and West Point Professor, said that the spoofed emails used in the attack look like they’ve been sent by well-known market actors such as PayPal, Google, Spotify, Netflix, and even Apple Pay.

In some cases, they may even take the guise of in-house emails, asking the employee to fill in credential requests. Why would someone be willing to share his/her credentials via email? Well, think of it this way: how likely are you to nix an email from your CEO, asking you ‘nicely’ to share your password and username because you’re far behind on your deadlines?

To further reinforce the illusion, these spoofed emails use the name of an authority figure (CEO, CTO).

And yes; the unaware user will click on any link, share any details, no matter how private they are, and will go on thinking that he dodged another bullet. Unfortunately, that reply will never reach your boss; it will end up in the database of some hacker, who will then have complete access to the company’s records.

Still, why is spear phishing that successful? Because the ‘spoofer’ really does his homework. Before a spear phishing attempt is made, the attacker will try to gather as much info as he can about his victim: name, work address, company profile, position, phone numbers, emails. When he has enough info, he will dispatch a cleverly penned email to the victim.


An unlikely affair?

To show you just how effective these attacks are, I’m going to quote Ferguson’s example. Oh, by the way: successful spear phishing attacks are also called the ‘colonel effect.’ You’ll figure out in a sec why they’re called that way.

So, Ferguson, who’s also a West Pointer, wanted to find out just how knowledgeable the cadets are when it comes to cybersecurity. The teacher sent out some 500 emails to his students, but they appeared to have been sent by a certain Colonel Robert Melville from the same academy. In these emails, the ‘colonel’ wrote that the cadets could peek at their exam results by clicking on the enclosed link.

Naturally, nothing happened if they clicked the link. Instead, they would receive a follow-up message reading: “you have been spoofed. During this time, your computer could have been infected with trojans, viruses, or ransomware.” Seems like a harmless enough experiment, but the numbers paint an entirely different picture: 80% of cadets clicked on the bogus link.

Lesson learned – we still know squat about cybersecurity.

Spear Phishing vs. Whale Phishing

Source: IT-seal

There’s a huge difference between spear and whale phishing. While the first targets the ‘weakest link’, the latter is aimed at the big chief himself. Whale phishing attacks are designed to siphon confidential info from high-profile individuals such as chiefs of staff, C-level executives, celebrities, politicians, senior officers, etc.

The technique’s more or less the same – spoofed emails sent from trusted sources. Still, compromising a high-profile target isn’t as easy as stealing data from a gullible employee. In this case, the attacker will also employ some social engineering tricks in an attempt to gather intel on his target.

Probably the best whale phishing example is the 2016 Seagate affair. Yes, the very same company that’s ‘responsible’ for your Barracuda hard drive had a major data breach three years ago after an HR officer sent out copies of employees’ 2015 W-2 tax forms, as requested via email by CEO Stephen Luczo.

Thinking that the email came straight from the “horse’s mouth”, the HR officer sent out the tax record copies. You can very well imagine what happens when someone shares very sensitive financial info on some 10,000 employees. Anyway, once upper management got wind of this data leak, they notified the authorities. No word so far on what became of the stolen data or the person(s) behind this attack.

Whale phishing attacks are more common than you think. During the same year, two other whaling attacks occurred – one of them involved Evan Spiegel, Snapchat’s CEO, and the other FACC, a plane manufacturing company that ‘incidentally’ works for Airbus and Boeing.

Phishing with a…rose

A bit on the poetic side, but rose phishing does exist, although it’s not as common as regular or spear phishing. It does sound rather outré, yet this type of scam has been around since, like, forever. Remember the ploy with the sickly father/uncle/brother and someone reaching out for cash? It’s basically the same thing; the only difference being that everything’s done online.

So, how does this work exactly? Well, let’s assume for a moment that a hacker wants access to your PayPal account. Bear in mind that rose phishing takes the long road: lots of cloak-and-dagger stuff.

Now, the hacker will first attempt to gather as much info as possible about you: tastes in music, clothing, favorite hangout places, and, most importantly, friends. After the ‘recon’ phase, the hacker will then try to get in touch with your close friends, posing as a distant relative, high school crush, or whatever. Of course, he’s not even remotely interested in establishing a rapport with any of them; he’s just looking for a way to reach you.

What happens once the scammer gets in touch with you? Well, he will do everything to earn your trust. And when I say “everything”, I mean just that. Some are pretty good – sharing their sob life stories; others may even say they fell in love. Once they gain your trust, they will ask for some sort of favor – ‘like’ my Facebook page (which is obviously spoofed), a small loan, a donation, or whatever. And we both know how this story ends, don’t we?

Spear Phishing IRL

Source: Easy Sol

And because no great piece of writing should be without some good stories, here’s what I managed to scrape up on spear phishing. Enjoy!

1. Alcoa

For those of you unfamiliar with the name, Alcoa is one of the world’s biggest producers of aluminum. With a business that spans 10 countries, the company makes for one tantalizing trophy. And, as fate would have it, the one who cracked open Alcoa’s treasure trove of industrial secrets was…the Chinese military.

Yes, I know that it sounds like something out of a James Bond movie, but the facts stand true. So, in 2008, a group of hackers hired by the Chinese military sent out some 5,000 spoofed emails to various Alcoa employees. Without even flinching, all employees opened the email upon receipt.

They didn’t click any links – once the recipient opened the email, the malware was installed on the computer. A couple of seconds later, the company’s closely-guarded secrets fell into the hands of the Chinese military.

2. PayPal’s Locky wacky ransomware attack

This wouldn’t be the first time PayPal customers are duped into opening spoofed emails. In an article I wrote a while back, I pointed out that it’s a very common scamming tactic to send out bogus emails to PayPal account holders; usually, the buyers take the bite, but it can happen to sellers as well.

Anyway, as for the Locky ransomware email campaign, back in 2016, around 100 million Amazon customers woke up with their PayPal accounts hacked after opening an email which was reportedly sent by Amazon.

If you’re wondering about the email’s content, well, apparently, it had a generic, ‘Amazonesque’ text like “Your Amazon.com order has dispatched (sic!)” followed by a random code. However, if one was to scroll down a bit, he would have found that the email had a peculiar attachment: a Word document. Sure, the attachment won’t raise an eyebrow, since it’s only natural for an email to contain a doc detailing the transaction. Guess what happened if someone attempted to download and open the document?

3. RSA

This one’s a little ironic since it happened to a company that provides online security services. In 2011, a scammer sent forged emails to all employees. Of course, the spam filter flagged the message and sent it to where it belongs. Apparently, one overzealous employee stumbled upon the scam mail while searching through the spam folder. Unfortunately, that brief moment of weakness took a great toll on the company’s reputation. Guess who opened the malicious email?

4. Ubiquiti Networks Inc

Around 2015, several Ubiquiti Networks employees received emails from what appeared to be senior execs. As the story goes, the persons posing as managers asked their employees to funnel funds to a Hong Kong subsidiary, which was supposed to have been managed by a third party. Of course, the money never reached the subsidiary’s account since the emails were spoofed. An incident report indicates that the company lost about $40 million in the incident.

5. EFF (Electronic Frontier Foundation)

The same year, a group of scammers managed to distribute keyloggers and other malware, by tricking users into following an in-mail link which was reportedly sent by the Electronic Frontier Foundation. Of course, EFF got wind of the scam and managed to shut down the illegal op.

6. Epsilon

In 2011, Epsilon, one of the world’s leading data-driven marketing platforms, had to face its “mid-life crisis”. Thousands of customers were tricked into opening spoofed emails linking to bogus websites, all of them laden with malware. At that time, reports revealed that the Epsilon spear phishing campaign might have been a diversion for a much larger operation. A subsequent analysis revealed that the malicious website downloaded malware in the background that could do anything from providing remote access to disabling antivirus software.

Any difference between regular phishing, spear phishing, and whale phishing?

Well, apart from the fact that it’s all about “the phishing”, yes, they’re certainly different. Think about it this way: phishing is like throwing a net, hoping to catch something; spear phishing’s like using a rod, and whale phishing is, well, like going full Ahab on someone.

Let’s elaborate: phishing is when you send out hundreds or thousands of spoofed emails, hoping that some unfortunate soul will open them and follow the link to the credential-grabbing website. Spear phishing, on the other hand, is where you add a dash of finesse to the whole scamming gig – no more flying in blind; you hit, grab, and scoot.

Keep in mind that high-profile targets are more likely to strike back compared to your regular working Joe. This means that he or she might have more resources available for investing in the hunt for the hunter.

There’s also the matter of scarcity or rather the frequency of each of the three types of attacks. As you probably know by now, email phishing’s boorishly common; chances are that there’s a spoofed email collecting dust in your spam folder as we speak.

Spear phishing attacks take some time to prepare and deploy, but they’re not as uncommon as one might think. Even counting only the above-mentioned ‘incidents’, that’s still a lot. The truth of the matter is that no one can say for sure how many successful spear phishing attacks there have been so far, considering that they’ve been around since the ‘90s.

Anyway, my giveaway to you is this: if it’s generic, then it’s simple phishing. If you one day fire up the work email and see an email from your boss telling you to transfer money to some off-shore gig, then it’s spear phishing. Last but not least, if you’re part of the upper class and you receive a message begging you to give, submit, or remit, then it’s whale phishing at its finest.

5 tips to avoid spear phishing attempts

Source: Mozilla

1. Continuous cybersecurity education

Remember that scene from the Conjuring movie where Lorraine says that knowing what evil is called gives you power over it? It’s the same with phishing. Nowadays, it’s really not enough to hire an entire IT department to take care of your company’s cybersecurity. There’s not much anyone can do if, say, one of your employees decides to pop open a suspicious email.

So, if you’re a business owner, turn cybersecurity ‘awareness’ into a routine; it doesn’t need to be that frequent. Once or twice per month is more than enough. Try using some printed handouts, perhaps even short video presentations. What’s the purpose of all of this? To teach your employees that opening suspicious email attachments is really not okay. You should also let them know the difference between regular phishing, rose phishing, and spear/whale phishing.

And don’t forget about the most important cybersecurity lesson: it only takes one weak link to make the entire chain break apart. Recall the Seagate affair? One misinformed HR officer sent the entire company in a downward spiral. Lesson learned!

If you’re a home user, you can always look out for new resources on how to better protect your devices. Check out our educational section for antimalware tips and tricks.

2. Deploy a professional antimalware/anti-fraud network. AI for the win.

I really don’t think that there’s anyone out there who would risk losing everything just because he doesn’t want to spend a couple of bucks on an antimalware solution. With companies, it’s a matter of upscaling and going pro all the way.

Most AM/AV suppliers offer tailored enterprise services. You should also keep in mind that signature-based antimalware solutions are obsolete, since they’re unable to compete with malicious loads backed up by rogue AIs.

So, if you’re looking to bolster your company’s cybersecurity, be sure to choose an AI-powered one. It’s even better if it employs heuristics search engines based on machine learning techniques. Remember that only a well-balanced AM/AV solution can protect you against online fraud attempts, spear phishing included.


3. Stay on top of your email accounts

Probably the best way to safeguard your endpoints is to continuously monitor your accounts’ activity. Check that the spam filters are up and running and doing their job properly. If you see anything suspicious, don’t think twice before deleting it or sending it to the spam folder. It doesn’t matter if you have a personal, business, or work email account; any one of them can be hit by malware.
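The tell-tale signs described throughout this article (an executive’s name on a message that does not come from the company domain, a sender domain that is one character off from the real one, a Reply-To pointing somewhere else) can be checked mechanically before a human ever sees the mail. The script below is an added example written for this page, not code from Heimdal or from any product it mentions; the executive roster, the company domain and the sample headers are all constructed for the demonstration, and the lookalike test is a plain edit-distance heuristic rather than a full homoglyph check.

```python
from email.utils import parseaddr

# Constructed values for this example: the organisation's real mail domain
# and the people most likely to be impersonated (names normalised to lowercase).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {
    "alice chief": "alice.chief@example-corp.com",   # CEO (constructed)
    "bob finance": "bob.finance@example-corp.com",   # CFO (constructed)
}


def levenshtein(a, b):
    """Plain edit distance; used to spot domains one or two keystrokes off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_name(name):
    return " ".join(name.lower().replace(".", " ").replace(",", " ").split())


def is_lookalike(domain):
    """True for domains that resemble, but are not, the company domain."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    if domain.replace("-", "") == COMPANY_DOMAIN.replace("-", ""):
        return True
    return levenshtein(domain, COMPANY_DOMAIN) <= 2


def analyze(headers):
    """Return a list of findings for a message given as a dict of header -> value."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # 1. Display name of a known executive, but the address is not theirs.
    key = normalize_name(name)
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        findings.append(f"display name '{name}' matches an executive but sender is {addr}")

    # 2. Sender domain is a near miss for the real one (examp1e-corp.com, examplecorp.com).
    if is_lookalike(domain):
        findings.append(f"sender domain {domain} is a lookalike of {COMPANY_DOMAIN}")

    # 3. Replies are silently redirected to a different domain.
    if "Reply-To" in headers:
        _, reply = parseaddr(headers["Reply-To"])
        rdomain = reply.lower().rpartition("@")[2]
        if rdomain and rdomain != domain:
            findings.append(f"Reply-To domain {rdomain} differs from sender domain {domain}")
    return findings


# Constructed sample messages (header subsets only).
SAMPLES = [
    {"From": "Alice Chief <alice.chief@example-corp.com>"},
    {"From": "Alice Chief <alice.chief@freemail.example>"},
    {"From": "payroll@examp1e-corp.com"},
    {"From": "Bob Finance <bob.finance@example-corp.com>",
     "Reply-To": "<b.finance@mail-drop.example>"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["From"], "->", analyze(msg) or "clean")
```

In a real mail pipeline these findings would feed a quarantine or banner rule rather than an outright drop; the display-name check in particular produces false positives for executives who legitimately mail from a personal address, which is exactly the behaviour a policy should discourage.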

4. Full-throttle your DMARC

DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is a sender/receiver protocol capable of figuring out whether a message comes from a legit source or not. To deploy DMARC, you will need the Sender Policy Framework (the protocol that checks which mail servers may send for a domain) and DomainKeys Identified Mail (which checks the cryptographic signature embedded in the email). Check with your AV/AM provider to see if your cybersecurity solution also covers DMARC standards.
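DMARC adds one thing on top of SPF and DKIM: the domain that passed SPF or DKIM must line up (“align”) with the domain in the visible From header, and the domain owner publishes what to do when it does not. The code below is an added example for this page, not Heimdal’s or anyone’s product code; it parses a constructed DMARC TXT record and applies the alignment and policy logic to authentication results you would normally read from the receiving server’s Authentication-Results header. The organisational-domain helper is a deliberate simplification (last two labels) where real implementations consult the Public Suffix List, and the pct and sp tags are ignored.

```python
# Dispositions a receiver applies when DMARC fails, keyed by the record's p= tag.
DISPOSITIONS = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=...; adkim=...; aspf=...' into a dict with defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")      # RFC 7489 default when p is absent
    tags.setdefault("adkim", "r")     # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    if tags["p"] not in DISPOSITIONS:
        raise ValueError(f"unknown policy {tags['p']!r}")
    return tags


def org_domain(domain):
    """Simplified organisational domain: last two labels (real DMARC uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, record):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope-from (MAIL FROM) domain SPF was checked against;
    dkim_domain is the d= tag of the signature that verified.
    """
    tags = parse_dmarc_record(record)
    spf_pass = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_pass = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_pass or dkim_pass:
        return ("pass", "deliver")
    return ("fail", DISPOSITIONS[tags["p"]])


# Constructed record as the domain owner would publish it at _dmarc.example-corp.com.
EXAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example-corp.com"

if __name__ == "__main__":
    # Legitimate mail relayed by the company's own outbound host.
    print(evaluate("example-corp.com", "pass", "mail.example-corp.com", "none", None, EXAMPLE_RECORD))
    # Spoofed From header sent through an unrelated, SPF-passing bulk sender.
    print(evaluate("example-corp.com", "pass", "bulk-sender.example", "none", None, EXAMPLE_RECORD))
```

Note that both authentication checks can “pass” on a spoofed message and DMARC still fails: in the second call above SPF passes for the bulk sender’s own envelope domain, but that domain does not align with the From header, so the published reject policy applies.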

5. Multi-factor auth whenever possible

If your company’s using several accounts, you should think about deploying multi-factor authentication solutions. Think Gmail’s 2FA. Yes, it may not be that Fort Knox-like security you were looking for, but an extra layer of protection doesn’t hurt. As for multi-factor auth, you can either go with digital tokenization or stick with physical keys just like Google’s Titan. Also, if you’re going to use 2FA from now on, you should definitely refrain from recycling passwords.

Wrap-up

Any takeaways? Don’t get hooked – I think that’s perhaps the most important lesson one needs to learn. Keep in mind that scammers are always looking for ways to get to you, whether it’s through phishing, whaling or spear phishing. Do you have any interesting spear phishing stories to share? Shoot me a comment and let the games begin.

The post What Is Spear Phishing and How Do You Prevent It? appeared first on Heimdal Security Blog.

Ten tips for better AWS cyber security

Amazon Web Services (AWS) offers a huge variety of benefits for businesses, and organisations are increasingly opting for cloud solutions for their data, website, and applications. However, there are still some businesses using AWS that have not put the proper cyber security controls in place. Here we take a look at ten great tips to improve your AWS cyber security.

1. Understand your responsibilities

When you work with any kind of web services provider you need to understand what you are responsible for and what will be managed by the provider. This is absolutely true in terms of AWS – where Amazon runs its so-called ‘shared responsibility model’. In this model AWS is responsible for protecting the infrastructure of the AWS cloud system including hardware, software, and networking.

On the other hand, you as the customer are responsible for customer data, identity and access management, firewall and anti-virus configuration, and issues such as data encryption. It can sometimes be necessary to work with outside agencies to manage your own cyber security.

2. Ensure you have a coherent strategy in place

There is often a debate regarding cyber security: should you put controls in place to protect your business first and then update the system as necessary, or should you prioritise establishing a coherent strategy first, before investing in expensive services and tools? You might assume that you need to put defences in place immediately, regardless of whether they are right for your business, but in fact this can often be expensive and difficult to change at a later date.

In the majority of cases it is important that you should put a strategy in place first. With the complex requirements of modern cyber security, you need to understand the needs of your operation before you commit to services.

3. Use a secure password policy

You need to ensure that your users are protecting themselves with strong passwords. You should put a secure password policy in place – this should not only mean that the passwords have specific requirements (such as: at least 8 characters; numbers, letters and symbols used; etc.) but also that the passwords should need to be updated periodically, and must be unique from previously used passwords.

The policy needs to be configured in the settings of your system so that there is no option for users not to follow it.
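In AWS the “settings of your system” for IAM users is the account password policy, which can be set once and then applies to every console password. The block below is an added example for this page, not CyberDB’s or AWS’s own code: it expresses the requirements listed above (length, character classes, rotation, no reuse) as the keyword arguments boto3’s IAM client accepts for update_account_password_policy, and pairs them with a local checker so the same rules can be tested offline. The numeric values are assumptions (the article only states a floor of 8 characters); the stand-in client records the call instead of talking to AWS, so nothing here needs credentials.

```python
import string

# Keyword names match boto3's IAM.Client.update_account_password_policy.
# The values are assumptions for this example; the article only fixes the 8-character floor.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,              # days; "updated periodically"
    "PasswordReusePrevention": 24,     # remembered passwords; "unique from previous"
    "HardExpiry": False,
}


def check_password(password, previous=()):
    """Apply the same rules locally; returns the list of violated rules (empty = OK)."""
    violations = []
    if len(password) < PASSWORD_POLICY["MinimumPasswordLength"]:
        violations.append("too short")
    if PASSWORD_POLICY["RequireNumbers"] and not any(c.isdigit() for c in password):
        violations.append("no digit")
    if PASSWORD_POLICY["RequireUppercaseCharacters"] and not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if PASSWORD_POLICY["RequireLowercaseCharacters"] and not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if PASSWORD_POLICY["RequireSymbols"] and not any(c in string.punctuation for c in password):
        violations.append("no symbol")
    remembered = list(previous)[-PASSWORD_POLICY["PasswordReusePrevention"]:]
    if password in remembered:
        violations.append("reused")
    return violations


def apply_policy(iam_client):
    """Push the policy to the account. iam_client is assumed to be boto3.client('iam')."""
    return iam_client.update_account_password_policy(**PASSWORD_POLICY)


class RecordingIamClient:
    """Offline stand-in with the one method this example uses; returns the kwargs it got."""

    def update_account_password_policy(self, **kwargs):
        self.last_call = kwargs
        return kwargs


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "accepted")
    print(apply_policy(RecordingIamClient()))
```

Applying the policy does not retroactively expire passwords that already violate it; it is enforced the next time each user changes theirs, so pair it with a MaxPasswordAge or a one-off forced reset.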

4. Clearly define users’ roles

One major cyber security issue can occur in AWS if a business fails to define and set user roles. If all users have the same permissions and can access the whole of the system then your company is at serious risk if just one of them is compromised by cybercriminals.

You can easily manage user roles in your AWS account, ensuring that staff only have access to the data and files that they need in order to do their job. Of course, it is also important to regularly re-assess accounts to be sure that individuals do not have access to information across the whole of the system.
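The “regularly re-assess accounts” step can be partly automated by scanning the IAM policy documents attached to users and roles for grants that reach across the whole system. The checker below is an added example for this page, not CyberDB’s or AWS’s code; it works on IAM policy JSON as returned by the IAM API, and the two sample policies are constructed. It flags Allow statements with wildcard actions, wildcard resources without a Condition, and NotAction/NotResource (which grant everything not listed). Some AWS actions only accept Resource "*", so treat those findings as review prompts rather than automatic failures.

```python
import json


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return a list of (statement id, issue) findings for over-broad Allow statements."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{index}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource grants everything not listed"))
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append((sid, "allows every action (Action: *)"))
        else:
            service_wide = [a for a in actions if a.endswith(":*")]
            if service_wide:
                findings.append((sid, f"allows all actions of a service: {service_wide}"))
        if "*" in resources and "Condition" not in stmt:
            findings.append((sid, "applies to every resource (Resource: *) without a Condition"))
    return findings


# Constructed sample policies.
OVERBROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminLike", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AllOfS3", "Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::reports-bucket/*"}
  ]
}
""")

SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"]},
    {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", audit_policy(doc) or "no findings")
```

Run over every customer-managed policy in an account, the findings list is the starting point for the periodic access review the article recommends: each hit is either tightened to the specific actions and ARNs a job needs or documented as a deliberate exception.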

5. Opt for a managed service if you require technical expertise

If you want to use AWS services for their many benefits but you are concerned that you do not have the kind of in-house technical expertise required to do so successfully, it can be a great idea to use a managed service. AWS specialists Wirehive say:

“There’s no doubt that managed AWS solutions can be extremely powerful and valuable for businesses. However, with the range of tools and options available to AWS businesses, day-to-day infrastructure management activities of the service can be demanding and complicated, taking significant expertise and resources away from more profitable tasks.”

You can work with companies offering a wide range of options to suit your needs, whether you are looking for 24/7 support and the whole system managed for you, or you just need expertise on specific issues.

6. Put written procedures in place

It is a great idea to ensure that you have your cyber security procedures written up so that they can be accessed by anyone in the company. It is important to have a documented record of plans so that staff are ready to implement them.

7. Include security at all layers

Yes, it is important to have cyber-security solutions such as firewalls and anti-virus software, but they are no longer enough to keep your business secure. When you work with AWS it is important to provide cyber security solutions for all layers of your business. This means everything from endpoint security measures to integrated SIEM services.

Once again, it is important to note here that if you do not take expert advice on the right sort of security services that you need, you can end up spending a large part of your budget on services that aren’t really doing anything for you.

8. Encrypt sensitive data

AWS encourages its users to encrypt their data, and even offers you the option to encrypt with the click of a button using its native encryption. However, you may prefer to implement your own encryption to ensure that you are protected to your own standards.

Additionally, it should be pointed out that encrypting data will not slow down your system, as some believe – it is simply an important method of securing your data.

9. Never use expired certificates

It might seem like common sense, but it is still a problem for some AWS users. You should not be using expired SSL/TLS certificates – they may not be compatible with AWS services anymore, and this can create a whole range of issues.

10. Back up everything

AWS offers backup solutions, and they really are worth considering. Every organisation needs to ensure that its data is backed up in case of either a ransomware-style cyber-attack or some other major issue.


The post Ten tips for better AWS cyber security appeared first on CyberDB.