An unsuspecting secretary receives an email about a package due for delivery, and clicks on a link or an attachment in the message to track its progress. In that split second, she unknowingly compromises her company's network security and starts a chain of events that will bring the company to its knees.

It may sound far-fetched, but scenarios like this play out every day as companies fall victim to "spear phishing" or targeted malicious email attacks. It was just such a spear phishing attack that led to the 2011 breach at security firm RSA.

These attacks differ from more common general phishing attacks which are usually carried out by fraudsters and petty criminals. Spear phishing attacks are perpetrated by more sophisticated criminals as well as industrial competitors, industrial spies and even nation states. While phishers are usually attempting to steal from the victim, spear phishers attempt to compromise the victim's company's network and systems to steal corporate secrets, intellectual property and other valuable information.

It's not uncommon for some element of research to be carried out before potential victims are identified, and emails are specially crafted using social engineering techniques to entice the recipient to open a weaponized attachment, click on a link to a malicious site, or simply enter confidential information such as log-in credentials into a spoofed site.

Email and Emotion

"Spear phishers play on people's emotions, and often use curiosity, fear or the offer of a reward to arouse interest," says Scott Greaux, a VP at anti-spear phishing training firm Phishme. "They will often pique your curiosity by saying you have missed a package -- and who doesn't love to receive a package? -- or warn that an account is about to be closed. Or they will offer a reward; perhaps the email will say that you have won an iPad in recognition for outstanding work for your company."

The simplest way for a spear phisher to carry out an attack is to get the victim to click on a malicious attachment. Research by security firm FireEye found that in the first half of this year the names of 23 percent of malicious attachments included the words "DHL" or "notification" and 12 percent included the word "delivery." Typical attachment names included "DHL document.zip," "Fedex_Invoice.zip" and "Label_Parcel_IS741-1345US.zip." The malicious attachment that led to the RSA security breach was called "2011 Recruitment plan.xls."

Email gateways and anti-virus scanners can detect many of these email attachments, and for this reason Greaux says this type of spear phishing attack is becoming less common. "Malicious attachments are still viable, but there is a shift toward emails that entice you to click on a link that takes you to a website that then attempts to exploit multiple vulnerabilities in your system."
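The attachment names quoted above follow a recognisable pattern: a delivery or invoice theme in the file name, packed inside an archive. The following is an added example, not code from the article or from any of the vendors it mentions, of the kind of filename triage an email gateway might apply before deeper scanning. The keyword lists, score weights and verdict thresholds are assumptions chosen for illustration, and the sample names are the ones the article quotes plus one constructed double-extension lure.

```python
import re

# Assumed lure vocabulary: delivery and billing themes the article says dominate
# malicious attachment names. A real gateway would tune this from its own telemetry.
LURE_WORDS = {"dhl", "fedex", "ups", "usps", "delivery", "notification",
              "parcel", "invoice", "label", "shipment"}
ARCHIVE_EXT = {"zip", "rar", "7z"}
EXEC_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd"}
DOC_EXT = {"xls", "xlsx", "doc", "docx", "pdf"}


def score_attachment(name):
    """Return (score, verdict, reasons) for an attachment file name.

    Scoring weights and thresholds are illustrative assumptions, not a standard.
    """
    lower = name.lower()
    stem, ext = (lower.rsplit(".", 1) + [""])[:2] if "." in lower else (lower, "")
    # Words in the stem, split on anything that is not a letter.
    words = set(re.findall(r"[a-z]+", stem))
    # Inner extension, to catch "invoice.pdf.exe" style double extensions.
    inner = stem.rsplit(".", 1)[1] if "." in stem else ""

    score = 0
    reasons = []
    hits = sorted(words & LURE_WORDS)
    if hits:
        score += 2
        reasons.append("lure words: " + ", ".join(hits))
    if ext in ARCHIVE_EXT:
        score += 2
        reasons.append("archive container")
    if ext in EXEC_EXT:
        score += 3
        reasons.append("directly executable")
    if inner in DOC_EXT and ext in (EXEC_EXT | ARCHIVE_EXT):
        score += 3
        reasons.append("document name hiding a %s payload" % ext)

    if score >= 4:
        verdict = "quarantine"
    elif score >= 2:
        verdict = "flag"
    else:
        verdict = "pass"
    return score, verdict, reasons


# Sample names: the four quoted in the article plus one constructed example.
SAMPLE_NAMES = [
    "DHL document.zip",
    "Fedex_Invoice.zip",
    "Label_Parcel_IS741-1345US.zip",
    "2011 Recruitment plan.xls",
    "invoice.pdf.exe",          # constructed double-extension lure
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        s, v, r = score_attachment(n)
        print(f"{n:32} score={s} {v:10} {'; '.join(r)}")
```

Note what the heuristic does not catch: the RSA lure, "2011 Recruitment plan.xls", scores nothing because it carries neither a delivery theme nor a suspicious extension. Filename triage only cheaply removes the bulk commodity lures; the targeted attachment still has to be opened and inspected, which is why the article's sources describe attackers moving on to links instead.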

Security gateways may also filter out emails with malicious links, but the difficulty is that the websites that the links point to may not be malicious at the time that the emails are scanned and delivered. If malicious code is added to the websites after delivery, but before an employee clicks on the link, any attack could be successful.

Security firm Proofpoint has come up with an unusual way to counter this problem. Its Targeted Attack Protection service examines every email that comes in to an organization and rewrites any URLs so that the links point first to Proofpoint's servers. If a user clicks on a rewritten link in an email -- perhaps a week or so later -- a Proofpoint server fetches the original link, opens the resulting Web page in a sandboxed environment and checks whether any malicious activity results. If not, the user's browser is redirected to the page as if nothing had happened, but if the link is malicious then the attack is blocked.
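The mechanism described above has two halves: rewriting every link at delivery time, and deciding at click time whether to forward or block. The following is an added example, not Proofpoint's code or a description of its service, that shows both halves on a constructed email body. The redirector host is a placeholder, the HMAC key is a constructed demo value, and the click-time sandbox detonation is replaced by a simple blocklist lookup so the example runs offline. The signature on each rewritten link is a practitioner detail worth noting: without it the redirector would be an open redirect that attackers could use to launder their own URLs.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Placeholder redirector; a real service would use its own click-check servers.
REDIRECTOR = "https://urldefense.example.invalid/v1"
# Constructed secret. Signing the original URL stops third parties from
# forging rewritten links that would bounce through the redirector.
SECRET = b"constructed-demo-key"

# Matches http(s) URLs in a plain-text body (stops at whitespace or markup).
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(url):
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:32]


def rewrite_url(url):
    """Delivery time: wrap the original URL in a signed redirector link."""
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return f"{REDIRECTOR}?u={token}&sig={_sign(url)}"


def rewrite_body(body):
    """Rewrite every URL in an email body before it reaches the mailbox."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)


def decode_rewritten(link):
    """Recover the original URL from a redirector link, refusing bad signatures."""
    qs = parse_qs(urlsplit(link).query)
    token = qs["u"][0]
    padded = token + "=" * (-len(token) % 4)
    url = base64.urlsafe_b64decode(padded).decode()
    if not hmac.compare_digest(_sign(url), qs.get("sig", [""])[0]):
        raise ValueError("rewritten link has a bad signature")
    return url


def resolve_click(link, blocklist):
    """Click time: return ("redirect", url) or ("block", url).

    `blocklist` stands in for the sandbox verdict; the point is that it is
    consulted when the user clicks, not when the mail was delivered, so a
    site weaponised after delivery is still caught.
    """
    url = decode_rewritten(link)
    host = urlsplit(url).hostname or ""
    if host in blocklist:
        return ("block", url)
    return ("redirect", url)


if __name__ == "__main__":
    # Constructed lure body in the style the article describes.
    body = "Your parcel is waiting. Track it: http://tracking.example.invalid/DHL?id=7"
    delivered = rewrite_body(body)
    link = delivered.split(": ", 1)[1]
    print(delivered)
    # At delivery time the host is clean; by click time it has been added.
    print(resolve_click(link, set()))
    print(resolve_click(link, {"tracking.example.invalid"}))
```

The same rewritten link yields a redirect with an empty blocklist and a block once the host is listed, which is the whole value of deferring the decision to click time.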

"Traditional security systems will block 98 or 99 percent of malicious emails, but some low volume targeted attacks will get through. We deal with that last 1 or 2 percent, and are 99 percent effective with that," says David Knight, a Proofpoint marketing vice president. "So if we see 10,000 malicious URLs per day, we stop all but a hundred getting through. And if employee click rates are about 1 to 4 percent, then only about one to four potentially successful attacks are received per day."

Fool Me Once, Won't Fool Me Twice

To counter the threat of spear phishing, many companies provide staff training to help employees detect malicious emails before they respond to them. Trainers warn users against clicking on attachments or links in emails, even if they appear to come from a trusted source, unless they are expected, and recommend typing URLs into a browser by hand rather than clicking on a link in an email.

But Phishme's Scott Greaux says that even after a training session, typical users still fall for many spear phishing attacks. To make things worse, the proportion of attacks they fall for increases again over time.

One way to increase the effectiveness of training is to send out realistic simulated spear phishing emails to employees after they have received training, Greaux says. Phishme's cloud-based spear phishing simulator enables security staff to import corporate email addresses into the Phishme system. Simulated spear phishing emails can then be crafted from templates based on real spear phishing emails and sent out to employees.

Those that "fall" for the email by clicking on an attachment or link are immediately presented with information telling them that the email was part of a security exercise -- either within the attachment they clicked on, or on the Web page that the link points to. They are also reminded about how they might have detected that it was a spear phishing email, how they can report spear phishing emails, and what they should do if they think that they have responded to a real one.

"The education is immediate, and delivered when employees are likely to respond to it," says Greaux. Phishme's system also provides administrators with statistics that show how many users respond to each simulated phishing email, the responses of individual users or groups of users, and how these vary over time. This information can be used to plan future training sessions, if necessary.

Phishme's service is used by large organizations such as Lilly, an international pharmaceutical company with over 40,000 employees around the world. "We get so much garbage malicious email coming in that it is appropriate to combat people's propensity to click on malicious links," explains Robert Pyburn, a Lilly security consultant. He uses Phishme's system to send out one email per month to a large group of employees, each one designed to be harder to detect than previous ones.

"If you came up with a difficult message to begin with, everyone would fail," explains Pyburn. "Ultimately the goal is to raise the educational level. We are quite early on in the process, but the signs are that people are beginning to learn and starting to think before they click."

For the system to be effective, Phishme recommends sending simulated spear phishing emails at least once a quarter. Greaux claims that one customer that carried out five exercises in six months saw the proportion of staff responding to spear phishing emails drop from 52 percent to just over 3 percent. Another customer reduced its staff's response rate from 70 percent to 5 percent, but the number drifted back to 20 percent when no further exercises were carried out for a period of eight months.

Additional Information

Proofpoint Targeted Attack Protection. Pricing: $18 per user per year for 1,000 employees. Volume discounts available.

Phishme spear phishing simulator. Pricing on application.

Wombat Security Technologies PhishGuru phishing simulator. Pricing on application.

Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.