The anatomy of a spear phishing attack
•Download as PPTX, PDF•
0 likes•180 views
This webinar illustrates step by step how hackers create personalized spear phishing attacks. Learn how hackers identify and research targets, how they compromise email accounts from which to send their attacks, and how they apply social engineering techniques to pressure recipients. Watch the on-demand webinar: https://register.gotowebinar.com/register/3069259620284477709
Recommended
Recommended
More Related Content
Similar to The anatomy of a spear phishing attack
Similar to The anatomy of a spear phishing attack (20)
Recently uploaded
Recently uploaded (20)
The anatomy of a spear phishing attack
- 1. © Information Security Media Group · www.ismg.io The Anatomy of a Spear Phishing Attack: How Hackers Build Targeted Attacks Presented by Adrien Gendre Vade Secure
- 2. © Information Security Media Group · www.ismg.io About Sponsor Vade Secure helps SMBs, enterprises, ISPs and OEMs protect their users from advanced cyberthreats, such as phishing, spear phishing, malware, and ransomware. The company’s predictive email defense solutions leverage artificial intelligence, fed by data from 600 million mailboxes, to block targeted threats and new attacks from the first wave. In addition, real-time threat detection capabilities enable SOCs to instantly identify new threats and orchestrate coordinated responses. Vade Secure’s technology is available as a native, API-based offering for Office 365, as cloud-based solutions, or as lightweight, extensible APIs for enterprise SOCs. To learn more, visit www.vadesecure.com
- 3. © Information Security Media Group · www.ismg.io About the Speaker Adrien Gendre Chief Solutions Architect, Vade Secure As Vade Secure's Chief Solution Architect, Adrien Gendre owns a broad and ambitious remit: driving all aspects of the business that directly impact customer experience. His responsibilities include formulating the company's product strategy and roadmap, overseeing integration with security vendors, and managing the global Solutions Architect, Training, Documentation, and Customer Support Teams. Adrien is passionate about understanding the rapidly evolving, increasingly sophisticated techniques used by today's hackers. This deep knowledge informs Vade Secure's product strategy and helps ensure the technology stays one step ahead of the evolving threat landscape. Adrien has also spoken extensively about how hackers design their attacks at events like M3AAWG, , SINET Showcase, Data Connectors Cybersecurity Conference, CIO VISIONS Mid-Market Summit, SecureWorld, and RMISC.
- 4. ©2019– Vade Secure Hierarchy of Email Threats Spear Phishing / BEC Phishing Malware Scam Spam Volume
- 5. ©2019– Vade Secure Phishing vs. Spear Phishing Phishing Spear Phishing Volume One to many/few One to one Target B2C or B2B B2B Impersonates Popular brand (e.g. Microsoft, Netflix, PayPal) Known acquaintance (e.g. colleague, executive, partner) Goal Harvest credentials or credit card numbers Payout via wire transfer, gift cards, direct deposit Malicious Payload Link to phishing page No link or attachment Harder for humans and machines to detect!
- 6. ©2019– Vade Secure Spear Phishing / BEC is on the Rise 0 5,000 10,000 15,000 20,000 25,000 2014 2015 2016 2017 2018 # of Complaints Source: FBI Internet Crime Reports (2014-2018)
- 7. ©2019– Vade Secure The financial impact of spear phishing / BEC is massive Source: FBI Internet Crime Reports (2014-2018) $- $200,000,000 $400,000,000 $600,000,000 $800,000,000 $1,000,000,000 $1,200,000,000 $1,400,000,000 2014 2015 2016 2017 2018 Reported Losses $1.297 billion
- 8. ©2019– Vade Secure Any business, any person is now a target Level within organization Sizeofcompany Historical BEC focus “It is often thought that small businesses were too small to be much of a target for spear phishing. Not so. These businesses are prime targets.” SC Magazine Expert Focus, “Defending the Inbox”
- 9. ©2019– Vade Secure Spear phishing example: gift card scam • Target: Me • Impersonated: CEO • “Sent from my iPad” • Sense of urgency but no immediate demand • Ultimate request: gift cards Vade Secure, “Gift Card Scams: A Spear Phishing Attack Hits Close to Home” 1 2
- 10. ©2019– Vade Secure Spear phishing example: visible alias spoofing • Same company, different target (marketing director) • Impersonated: CEO • Sense of urgency but no immediate demand Visible alias spoofing is particularly effective against mobile email users
- 11. ©2019– Vade Secure Spear phishing example: payroll direct deposit • Target: HR assistant at 100- employee construction company • Impersonated: COO • “Sent from my iPad” • No immediate demand • Ultimate request: update direct deposit Vade Secure, “Vade Secure Uncovers Ongoing Direct Deposit Spear Phishing Attacks”
- 12. ©2019– Vade Secure Step-by-step demonstration of how hackers create spear phishing emails
- 13. ©2019– Vade Secure Step 1: Hack any email account
- 14. ©2019– Vade Secure Step 2: You want to use a dormant account Ed alias John Doe linkedin.com/in/edjohndoe edjohndoe.myblog.com www.techcompany.com (Personal Blog) (Company website) demovade@yahoo.com edjohndoe
- 15. ©2019– Vade Secure Step 3: Change the name on the dormant account Ed alias John Doe linkedin.com/in/edjohndoe edjohndoe.myblog.com www.techcompany.com (Personal Blog) (Company website) demovade@yahoo.com edjohndoe
- 16. ©2019– Vade Secure Step 4: Write your spear phishing email
- 17. ©2019– Vade Secure Step 5: Finished!
- 18. ©2019– Vade Secure Practical recommendations to protect your business from spear phishing attacks
- 19. ©2019– Vade Secure Think beyond DMARC to real-time BEC prediction Entity model Decision Tree Natural Language Processing Unsupervised Anomaly Detection Real-Time BEC prediction
- 20. ©2019– Vade Secure Involve users in the decision with the “third verdict”
- 21. ©2019– Vade Secure Augment structured training with on-the-fly learning Scheduled Training Scheduled TrainingXEmployee A clicks phishing link XEmployee B responds to BEC email Correct bad behavior as it occurs!
- 22. ©2019– Vade Secure Evolve business processes & controls with threats
- 23. The Anatomy of a Spear Phishing Attack How Hackers Build Targeted Attacks Watch On-Demand
Editor's Notes
- \
- \
- To detect spear phishing, Vade Secure for Office 365 first pulls your organization’s entity model through the Microsoft API to establish the legitimate users within your company. The solution’s unsupervised anomaly detection capabilities then compare the message sender against that model to identify impersonation attempts, such as visible alias spoofing or cousin domains. In addition, Vade uses Natural Language Processing to analyze the content of the email for malicious intent and a sense of urgency. Based on this combination of suspicious sender and content, we calculate the probability of the message being spear phishing; if it's above a certain threshold, we display a fully customizable warning banner in the message alerting the user. While you can configure the solution to move or delete spear phishing emails, the default action is displaying the banner. That’s because the risk of false positives is much higher in this context. You could conceivably receive an email from your CEO’s personal email, asking you to complete an urgent task. The decision cannot be Boolean, because it’s such a fine line between legitimate and fraud. That’s why for scenarios where we cannot be 100% sure, we involve the users by warning them that the message is highly suspicious.
- How do you detect those attacks, especially when a legitimate account gets compromised? >>Compromised accounts, cannot rely on sourced based. SP, cannot rely on fingerprinting. Need behavioral analysis based on way email has been built, purpose, and the activity of the account. To be transparent, most complicated form of attack. How do you balance between "internal spear phishing" detection and false positive in that regard? >>Risk is FP much higher in this context. Cannot be Boolean. Need to involve the users and warn them that it’s highly suspicious. Answer: in-message banner when we can’t be 100% sure. Warn users and admins. Are multi-phased attack carried out in environments other than O365? >>Yes. Not something new. But the trend is increasing for the reasons we presented earlier, with O365 becoming the main provider. One target and easier process than SP. Do you see malware being used in multi-phased attacks? >>2017 was the year of malware, but in 2018 we saw a steep decline in malware-based attacks. Shift to phishing and SP. Easier to send phishing or SP through insider attach than malware. With malware, you still have desktop AV.