by Jovi Bepinosa Umawing of GFI Software
When RSA’s executive chairman Art Coviello broke the news in March that his company’s SecurID two-factor authentication products had been compromised by a then-unknown sophisticated attack in the form of an advanced persistent threat (APT), which resulted in a huge black-eye for the much vaunted security firm and cost it millions to remediate the damage, the news went viral.
Months later, our industry colleagues at F-Secure identified the file the attackers used to infiltrate RSA’s databases along with their method of attack. The former was found to be a backdoor program variant of Poison Ivy, which was transported by the primary means of business communication today: email. Because email is used by virtually all business professionals, it remains a popular method of attack for online criminals looking for monetary gain.
One of the biggest online dangers businesses face today is spear phishing — a focused attack wherein an individual or group is isolated from the larger company population and targeted with an email threat that could compromise the security of the entire organization. In order to enhance its legitimacy and authenticity, cybercriminals design spear phishing emails to be highly personalized. In doing so, they exponentially increase the possibility that someone within the target group will open their email and either run an infected attachment or visit a malicious link within the message body.
In the second quarter of 2011, Cisco Security Intelligence Operations (CSIO) released a report discussing the changing tactics of spear phishers. According to the report, phishers are now shifting their email-based attacks to target smaller groups. This new tactic is in total contrast to the way online criminals typically do things, which is to send out spam indiscriminately by the billions on a daily basis.
To illustrate this point, the report noted that traditional email attacks declined by more than 50 percent last year, dropping from 300 billion emails sent out by spammers (worth $1.1B of criminal benefits) to just 40 billion (worth $500M). Contrary to what one might think, this decline is actually favorable for cybercriminals because not only is a targeted, highly-sophisticated email attack difficult to detect by the security industry, it is also substantiated to be highly potent against targets. In addition, criminals are likely to receive 40 times more in benefits for every successful attack.
Though online criminals are now putting the success of their spear phishing campaigns into the hands of a smaller group of individuals, the fallout of this type of malicious attack affects the entire organization. All it takes is one person to unknowingly click a malicious link or open an infected file and businesses are at risk of suffering major financial and reputational losses.
At a minimum, IT departments will have to take the necessary steps to clean up infected systems and implement stricter security policies to prevent this type of attack from happening again. But, at the forefront of every network compromise, is the overwhelming fear that criminals have stolen valuable corporate and client data and network credentials — and will use the information to extort money from them, or sell the information to competitors, or to an underground black market.
To complicate matters, if a network compromise is not detected right away, criminals can take full control of infected machines by turning them into bots. Cybercriminals can then target other individuals or groups within and outside of an organization and use the bots to host and send out malware.
Additionally, successful spear phishing attacks can also deeply mar a company’s reputation. The negative impact and media attention brought about by the compromise can lead to employee, customer and partner mistrust.
Securing company and customer data has become crucial to a company’s reputation as well as its bottom line. If they aren’t already, companies need to start taking cyber threats, such as spear phishing, seriously and must implement proactive security measures to combat them. Keeping employees updated and informed on the latest malware and attack methods is a great first step, however, with the ever changing threat landscape, education is no longer enough.
Companies must combine education and awareness with a comprehensive security strategy because, after all, prevention is always better than remediation. To further that end, here are some basic security best practices companies can follow to protect themselves from spear phishing and other malicious attacks:
Balance email protection with productivity: Setting up a strong email security solution that protects the network while accommodating the needs of the business is essential. An effective email security solution will prevent emails with malicious links and attachments from reaching your inbox, while making sure important communications don’t become trapped in your spam or junk folder.
Implement a comprehensive security solution: The market is teeming with security solutions so buy one from us or someone else but protect the network from spam, infected URLs and other malware, and invest in a patch management and network vulnerability scanning solution to ensure software patches and hardware settings are up to date.
Stay vigilant: Be wary of clicking unfamiliar links and opening suspicious attachments in emails, especially if they purportedly came from someone within your organization. If in doubt, always double check with the sender by getting in touch with them personally.
No matter how tedious some of these tasks may seem, it’s always better to be safe than sorry.
Jovi Bepinosa Umawing is a threat research analyst at IT security firm GFI Software.