spear phish vs. spear phish

An odd title for a blog post but something that has been on my mind for a while now. We get a fair amount media requests for comments or perspective on phishing stories.  This is a good thing. It’s nice to have recognition in your field. Of course 2011 was no shortage of phishing related news. (What’s up RSA, I’m looking at you. I’ve noticed you frequent our website a lot. How about a demo. Couldn’t hurt?)

In 2011, the term “spear-phishing” shifted gears a bit. Once reserved to define highly targeted and personalized  email attacks against organizations, the taxonomy of phishing is changing again.  The term spear-phishing being applied to consumer/fraud/ based phishing.

First, some of the defacto high profile spear-phishing events in 2011:

• RSA
• Nitro spear phishing
• Mitsubishi Heavy Industries

But something new has been brewing. Massive data breaches of big consumer organizations with millions of users became more common place. It first started with the Epsilon compromise, then we had Sony, and now the Steam breach putting 35 million gamers at risk.

As the trade journalists made the rounds, the security experts commenting talked about how these data breaches will lead to more spear-phishing incidents of consumers. What they mean by that is instead of the consumer Bob receiving a generic phish:

“Dear Citibank Member,

There is something wrong with your account. Please read the attached statement to verify charges.”

Attackers can now cobble a bit of personal information into the phishing email to make the bait look more believable: (See Pretexting: Wikipedia )

“Dear Bob Dobolina,

I ran into a mutual friend of ours in Charleston SC,. He said you were into video games. Check this out …..”

Ok, I’ll tip my hat to the use of some personalized information somewhat resembling what we’ve been calling a spear phish.  But this is in no way resembles the effort and sophistication used by advanced threats against our most trusted institutions.  They are facing attackers armed with department names, locations, org charts, contract names,  names of sub-contractors, and whatever else they can scrape together to increase the chances of a successful mission.

I chose the word mission for a reason. The  first of its kind DARPA meeting last week a stone’s throw away from the PhishMe offices started to cast light in not-so-vague terms about what organizations have been dealing with for quite some time.

Spear Phishing v.s Spear Phishing. There is a difference.

Aaron Higbee

p.s. Don’t even get me started on whaling.

Once thought of as a threat that could be mitigated simply by an email filter solution, phishing (and now more importantly, spear phishing) has evolved to such a sophisticated level that technical controls are no longer effective in differentiating well-crafted and targeted emails from legitimate ones.  This leaves employees as the last line of defense which is highlighting the need for improved education. The challenge for many security IT professionals is that they have little time to develop programs that provide effective education and reduce the risk to their organization. While many companies indicate they have an awareness program, they also indicate that they lack consistency and content.  This awareness model does little to increasing their employees’ awareness or change their behavior.

Organizations with mature awareness programs attribute their success to a mix of periodic communications and structured training that provide immediate, informative and relevant awareness content to employees. The inline awareness saves both time and resources and targets training to those who need it most. At PhishMe we encourage our customers to conduct sanctioned simulated phishing exercises. This allows organizations to identify where targeted education should be directed and offers the ability to provide immediate education.

There are several different ways PhishMe works with our clients to improve overall employee awareness including online games, tutorials, custom training and awareness program consultation.  In the end it comes down to striking the right balance between content and repetition for your enterprise.  Having trained over 2 million users to date our customers have seen how consistent training can raise awareness and reduce the risk of employees falling victim to phishing attacks by up to 80 percent.

If we are in your area, we welcome you to come speak with us at an upcoming event!

The PhishMe Team

 - Rohyt

“The penetration team started by tapping into distribution lists for SCADA user groups, where they harvested the e-mail addresses of people who worked for the target power company. They sent the workers an e-mail about a plan to cut their benefits and included a link to a Web site where they could find out more.”

Are we surprised they were successful? Absolutely not. We’ve been using this technique and responding to real incidents that that used spear phishing for quite some time now. But what if those same employees had already been “phished” through targeted awareness and then presented with the appropriate training material? What if you ran this exercise against all your employees regularly?

Phishme.com already has pre-built scenarios to make this training quick and easy. It has many generic domain names to choose from or you can register your own look-a-like domain.

There is no sense in paying a pentest company high dollar consulting fees to find out if your employees are vulnerable to phishing. I’m about to save your company a boat load of money.

Dear Magic Eight ball, I don’t currently conduct phishing attacks against my own employees as a means to train them. Am I vulnerable to spear-phishing attacks?