Cyber Security is continually in the mind of a corporate IT leader. We read daily of website hacking, information theft, and ID theft. Businesses have been brought to their knees and sometimes made to fail through hacking attacks and information theft. Enough to give any business executive grey (or no) hairs.
However, concentrating Cyber Security on electronic hacking defences is not enough. The continual war between the white hats and black hats ensures that neither will win. It usually results in more expenditure on new hardware and software to counter malware attacks.
The objective of the thieves is gaining information. This information is often financial information like online banking and credit card information, or commercial information they can use to blackmail an individual or organisation or sell to a competitor.
Ideally, they want to do this in as unobtrusive a way as possible so that they can use or dispose of the information before its theft is detected.
This has led to a specific type of threat that is directed at individuals, the objective is to get hold of user credentials that give access to individual and corporate information.
The most common type of attack of this type is phishing, or in a more directed variant, spear phishing.
Simply put, phishing is a scattergun attempt, usually via email to extract user credentials. Spear phishing is a more targeted variant of the same attack vector on a specific corporate organisation.
Phishing is an attempt to secure user credentials that allows a hacker to acquire credentials like bank system sign-on codes or credit card details.
This is usually an attempt to catch as many user credentials as possible with a general email:
- The hacker creates a standard email with personalised elements containing an internet link. Often the email is crafted to look like it comes from a trusted source like a bank. The link leads to a website that either mimics the real website with the objective of capturing sign-on information or downloads and initiates malware on a user PC. The malware captures user keystrokes, including user credentials, which it returns to the hacker.
- The hacker sends the email to an email mailing list.
- If successful, the user and clicks on the link. The user visits and uses the bad website, or the website installs malware on the user PC and starts operation. Either way, user credentials are acquired.
The mailing list often has tens of thousands if not hundreds of thousands of addresses. This high number ensures that even a very small response will return some results.
However, the broad range of the addresses means that all results will need to be analysed before they can be used. Some credentials will not have any value.
The big downside of Phishing is the random nature of the results and the very large number of emails needed to generate any worthwhile results. Most internet service providers will not send this volume of emails and finding or creating an email server to do it can mean extra effort and expense.
Spear Phishing is a targeted variant of this approach, designed to acquire specific results from a specific organisation. The targets are usually senior corporate officers who will have access to the target systems and data.
It can take several forms and happen in several stages:
The objective is to acquire information to be used to create a target list. Often the first stage is to acquire employee information, including email addresses. This can often be supplied by an unwitting receptionist or secretary. Sometimes the corporate website has email contact information for senior executives.
Sometimes it can be in the form of a call purporting to be from IT Support seeking access to a desktop “to install an essential software update”. Access requires the user credentials or at the very least an email address for the user to do it themselves from an email attachment.
Sending the Spear Phishing Email
As with the generalist phishing approach, the hacker creates a personalised email containing a malware link. Clicking on the link leads to a website that downloads and installs malware on the user PC. The malware collects desktop clicks, including login details and sends them back to the hacker. It often installs software that allows the hacker to take over control of the user PC.
In essence, the main difference between general phishing and spear phishing is the nature of the targeting. General phishing is a scattergun approach needing a large volume of emails to a general target list with the desire to take whatever turns up. Spear phishing, in contrast, is a highly targeted approach to a known target with a known objective. In both cases, success is reliant on a user making the error of clicking on an embedded internet link in the email.