According to the 2014 Symantec Internet Security Threat Report, which examines data from more than 41.5 million attack sensors and records thousands of events per second, spear phishing is not dead – it’s merely evolving. The technique uses fake emails to target a specific organisation in order to gain access to internal data, and although attackers used fewer emails on fewer targets last year, the total number of spear-phishing campaigns was up a startling 91%.
More user awareness and better security means attackers are simply choosing their targets more carefully and sharpening their social engineering tactics, leaving campaigns to run for longer and combining virtual and real-world attacks to increase the odds of success.
Small business and spear phishing
Of all the spear-phishing attacks in 2013, a significant 30% were aimed at small businesses. One in five small businesses received at least one targeted spear-phishing email, and that figure rises sharply for certain industries, such as mining, government and manufacturing. So how do you protect your business? By knowing what to look for.
A spear-phishing email will appear to come from a trusted source, such as a co-worker or a figure of some authority within the organisation, and will usually contain some information that appears to back up that identity, along with a reasonable request of some kind. It could ask the employee to log in to a bogus web page, revealing their password in the process, or click a link that downloads spyware onto their work computer. The most aggressive attacks might even follow up the email with a phone call impersonating the supposed sender.
Attackers will target personal and professional email accounts of any individual in the company, although professional accounts make up the majority. Campaigns used to be focused over one or two intense days, but have become more spread over time to avoid drawing undue attention. The reason spear-phishing hasn’t gone away is that it works, so be sure to educate your employees as to the dangers.
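As an added illustration of the two tell-tale signs described above (a colleague's display name on an external sender address, and a credential request that links off the organisation's domain), here is a small defender-side triage heuristic. This is example code, not Symantec's or Norton's; the organisation domain, staff directory and sample message are all constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "acme.example"                   # hypothetical organisation domain
STAFF_DIRECTORY = {"jane smith", "tom brown"}      # hypothetical internal directory
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)
CREDENTIAL_RE = re.compile(r"\b(log ?in|sign ?in|verify|password)\b", re.IGNORECASE)

# Constructed sample: a real colleague's display name, an external sender
# address, a plausible detail, and a "sign in" link to a lookalike host.
SAMPLE_EMAIL = """From: "Jane Smith" <jane.smith@mail-relay.test>
To: bob@acme.example
Subject: Please verify your account
Content-Type: text/html

<p>Hi Bob, as discussed in Monday's meeting, please
<a href="http://acme-login.test/verify">sign in here</a> to confirm.</p>
"""

def host_of(url):
    """Host part of a URL, lower-cased, without scheme, port or path."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()

def is_internal(host, internal_domain=INTERNAL_DOMAIN):
    return host == internal_domain or host.endswith("." + internal_domain)

def flag_spear_phish(raw, internal_domain=INTERNAL_DOMAIN, staff=STAFF_DIRECTORY):
    """Return the reasons a single-part message looks like a spear-phish (empty list = nothing found)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    reasons = []
    # Heuristic 1: the display name is a known colleague, but the address is external.
    if name.strip().lower() in staff and not is_internal(sender_domain, internal_domain):
        reasons.append("display name matches staff but sender domain is external")
    # Heuristic 2: credential-themed wording combined with a link off the org
    # domain, i.e. the "log in to a bogus web page" pattern.
    if CREDENTIAL_RE.search(msg.get("Subject", "") + " " + body):
        for url in HREF_RE.findall(body):
            if not is_internal(host_of(url), internal_domain):
                reasons.append("credential request links to external host " + host_of(url))
    return reasons

if __name__ == "__main__":
    for reason in flag_spear_phish(SAMPLE_EMAIL):
        print("FLAG:", reason)
```

Heuristics like these produce false positives on legitimate contractors and SaaS notifications, so they belong in a triage queue or user-facing warning banner rather than an automatic block.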
Watering holes
The most sophisticated form of targeted attack makes use of so-called “watering holes”. This technique sees attackers use a discovered vulnerability to infiltrate a legitimate website used by their target, plant malicious code, and then lie in wait. If the target visits the site – checked using IP addresses – the attacker can take over or infect their computer with malware; for all other visitors, a patient attacker may choose to do nothing in order to avoid detection.
You might think infiltrating websites makes this approach too difficult, but Symantec’s Website Security Solutions division found that 77% of scanned public websites contained vulnerabilities that could be exploited. Of these, 16% were critical enough that they could allow an attacker to compromise a visitor’s computer. That’s one in eight websites – a frightening number.
To limit the risks it’s important to have the latest versions of antivirus software installed, with additional layers for browser protection, endpoint intrusion prevention and behavioural prevention. Make sure your websites are secure, scanned daily for malware and assessed regularly for vulnerabilities. Restrict email attachments, put in place procedures for infection response, and – most importantly – educate your users on basic security protocols.
Get reliable protection from a name you trust. Check out Norton Small Business to keep your business safe as it grows.