Phishing Techniques Steal Sensitive Data
By Samuel Greengard
Recent cyber-attacks directed at the White House and a number of other organizations have demonstrated a growing threat: sophisticated social engineering attacks designed to steal data through cleverly designed emails and instant messages. In many cases, says Edward Ferrara, principal research analyst at Forrester, "As systems have become hardened, operatives from foreign governments are looking for different ways to penetrate systems."
Phishing and so-called spear-phishing—highly personalized messages directed to a specific individual or group—attempt to steal sensitive information, including passwords that can be used for system access. Typically, the next step for intruders is to install malware and keylogging software on a network.
Recently, the White House confirmed that one of its internal computer networks had been targeted in a successful attack, though officials insisted that perpetrators obtained no sensitive information. The intrusion was traced to China.
Last March, National Security Agency (NSA) director General Keith Alexander disclosed that the U.S. and China are locked in a clandestine cyber-war. He asserted that China is stealing intellectual property from the U.S. government and from private companies.
Scott Gréaux, vice president of product management and services at PhishMe, says that spear-phishing attacks against government and business have escalated markedly over the last decade. "Espionage—in this case, political, military secrets and economic information—is the desired intellectual property," he explains.
According to Verizon's 2012 “Data Breach Investigations Report,” about 20 percent of all breaches now involve social engineering, including pretexting and phishing. It reported that larger organizations are at greater risk for phishing and spear-phishing, and the use of malware-baited lures is growing.
Not surprisingly, it's becoming more difficult to thwart espionage techniques that incorporate phishing. More worrisome than mainstream attacks is an advanced persistent threat (APT) attack. "These are low and slow and can exfiltrate [extract] significant amounts of information using a variety of intelligence-gathering techniques to access sensitive information," Forrester’s Ferrara notes. What's more, these types of attacks are extremely difficult to detect and stop.
Preventing spear-phishing is a challenging task in an era of widespread information availability. Although it's essential to deploy a variety of security tools and techniques—including endpoint monitoring, IP blacklisting, time-of-use rules, two-factor authentication, filtering and other methods—the biggest problem revolves around workers who aren’t trained to spot phishing methods and sidestep attacks. Even savvy technology users can find themselves fooled by messages that seem authentic.
"Security professionals need to educate users on the threats presented by spear-phishing," Ferrara points out. "The rise of social networks has increased this problem because so much of our online life is now available. This familiarity makes it easier for the spear-phishing social engineering attack."
PhishMe’s Gréaux says that typical lunch-and-learn sessions, combined with posters and computer-based training courses, aren't enough to defeat spear-phishing. Computer users require a far more immersive and holistic approach to security and work practices. In the final analysis, he says, it’s critical to recognize that "everyone in every industry and at every company is ultimately a target."