This is a presentation I have delivered to many organisations over the past 12 months on the subject of Spear Phishing. It shows how easily companies can fall victim to Spear Phishing attacks and the methods that criminals use to increase their chances of success.
2. devanha digital security 2018
What is phishing?
Definition
Noun – the fraudulent practice of sending emails purporting to be from
reputable sources in order to induce individuals to reveal personal or
sensitive information, such as passwords and credit card numbers, or to carry
out some other action such as installing malicious software or otherwise
bypassing security controls.
The scale of the problem.
Every day, 156 million phishing emails are sent. 15.6 million make it
through spam filters, 8 million are opened, and 800,000 recipients click
on the links.
Source: Symantec Security Technology and Response Group
What is spear phishing?
Definition
Noun – the fraudulent practice of sending emails ostensibly from a known
or trusted sender in order to induce targeted individuals to reveal
confidential information or carry out other actions.
It works because criminals have researched the target and
constructed an email, voice mail or text message with a greatly
increased likelihood of being actioned.
It’s based on knowing the target’s likes, interests, work history,
education, job title, home address, hobbies, friends and professional
acquaintances etc.
It’s done through research using freely available information.
Where do the criminals find this information?
The target organization’s website
Press releases
Social media
Professional memberships
Genealogy sites
Google
Scenario #1 – IP Theft
Criminals have identified the (fictitious) company Azimuth Drilling as a
target.
The company has developed a breakthrough technology that will
revolutionize Oil & Gas exploration.
The new technology is the result of many years of expensive R&D and field
testing.
Professional hackers have been engaged by an overseas competitor of
Azimuth Drilling.
The criminals’ objective is to gain access to Azimuth Drilling’s internal
company network and steal engineering design drawings and field data.
Research
A quick search of the company’s website has identified “John
Fenwick” as the director in charge of R&D.
A search of Companies House provides the criminals with the home
address and age of all the directors, including John Fenwick.
A Google search has thrown up a picture of John at the annual Sub
Sea Golf tournament, proudly holding a trophy.
A Google Street View search of John’s house reveals his 7 Series BMW
parked in his driveway.
A search of 192.com reveals the names of John’s neighbours and
how long they have lived next to each other.
Research continued…
A check of Facebook for “John Fenwick” in Aberdeen throws up a few
people with that name in that area.
He is quickly identified by matching his profile picture with that of him
holding a golf trophy in the press release.
A check on his profile page under “family and relationships” reveals his
mother’s and father’s names.
With his mother’s and father’s names, a check on the marriage section of a
popular genealogy site finds their marriage details. This includes his
mother’s maiden name, a popular security question.
The photos section of his Facebook account shows many pictures of John
at various golfing events, skiing on holiday and scuba diving.
Research continued…
Switching to LinkedIn, the criminals are able to see other potentially
useful information, such as:
Previous work history
Current and former work colleagues
University education
Industry groups he is a member of
The criminals have now:
Identified a target
Found his:
full name
age
marital status
job title
employer
neighbours
previous work history
mother’s maiden name
hobbies and interests
the type of car he drives
the university he went to
when he graduated
what he graduated in
where he goes on holiday
and so the list goes on….
Pretexting
Armed with the information they now have, the criminals can create
Spear Phishing emails targeted directly at John.
These include:
An offer to test drive the new BMW 7 Series
The chance to win a week’s golfing holiday in the Algarve
A white paper on breakthrough technologies in Oil & Gas
A link to a humorous website (compromised with malicious software)
from a Facebook friend
An invite to a reunion with old University friends
An encrypted document from a colleague that requires him to install special
reader software to open it
The Sting
The offer to test drive a new BMW, the golfing holiday in the Algarve
and access to the industry white paper all require that he registers with
the respective site making the offer.
If he uses the work email and password combination he uses to access the
company network, he has just handed access to the company
network to the criminals!
This type of scam uses professional-looking websites to dupe the target
into handing over their credentials. The sites may often carry genuine
information taken from legitimate websites and be aimed at multiple
targets. This is known as a “Watering Hole”.
The Sting continued…
Visiting a compromised website could also install malicious software
on John’s computer that would provide the criminals with all the access
they need.
Installing the “reader app” for the encrypted document, apparently
sent by a colleague, installs software that provides the criminals with
direct access to the company network. This type of software will often
be a “key logger” that records keystrokes on the keyboard. This would
capture other username and password combinations, as well as
passwords to protected documents etc.
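As an added example (not code from the presentation), the warning signs in the scenario above can be turned into a simple triage check: a “colleague” whose display name matches a staff member but whose address is outside the company, and registration links whose host only looks like a trusted domain. The company domain, staff list and sample messages are all made up for illustration.

```python
"""Added example, not from the presentation: flag the two lure patterns in the
scenario (colleague impersonation, lookalike registration sites) over
constructed messages. Domain, staff names and messages are all invented."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical internal directory: company domain and staff display names.
COMPANY_DOMAIN = "azimuth-drilling.example"
STAFF = {"john fenwick", "sarah mcleod"}
URL_RE = re.compile(r'https?://[^\s<>"]+')

def sender_impersonates_staff(from_header):
    """True if the display name matches an employee but the address is external."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower() in STAFF and domain != COMPANY_DOMAIN

def lookalike_domains(body, trusted=("bmw.example", COMPANY_DOMAIN)):
    """Link hosts that contain a trusted domain's label but are not that domain."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        for t in trusted:
            label = t.split(".")[0]
            if label in host and host != t and not host.endswith("." + t):
                hits.append(host)
    return hits

def triage(msg):
    """Reasons a message looks like a targeted lure (empty list = no findings)."""
    reasons = []
    if sender_impersonates_staff(msg["from"]):
        reasons.append("display name matches staff but sender domain is external")
    for host in lookalike_domains(msg["body"]):
        reasons.append("link to lookalike domain " + host)
    return reasons

# Constructed sample messages modelled on the lures in the scenario.
SAMPLES = [
    {"from": "Sarah McLeod <sarah.mcleod@azimuth-drilling.example>",
     "body": "Q3 field data: https://intranet.azimuth-drilling.example/q3"},
    {"from": "Sarah McLeod <s.mcleod.docs@mail-secure.example>",
     "body": "Encrypted report; get the reader at https://azimuth-drilling-secure.example/reader"},
    {"from": "BMW Test Drives <offers@bmw-7series-testdrive.example>",
     "body": "Book your test drive: https://bmw-7series-testdrive.example/register"},
]
if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", triage(m) or ["no findings"])
```

The first message is a genuine internal one and produces no findings; the other two reproduce the “reader app from a colleague” and “BMW test drive” lures.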
The impact
To gain access to the company network the criminals needed only one
Spear Phishing email to be acted upon.
They were able to gain full access to the company’s network as the
target was a director with network credentials to “access all areas”.
Many years of expensive R&D were now in the hands of the company’s
competitor.
The release of a competing product based on Azimuth Drilling’s designs
has lost them their market advantage and resulted in a steep fall in the
value of the company.
Does this scenario seem far-fetched?
A “whaling attack” is identical to Spear Phishing; it’s just that the
target and pay-off are far greater.
“My business is too small to be a target”
It’s not just larger organisations that are impacted. In the past 18 months we have
investigated:
One micro business (3 users) that lost their entire business-related data to a
Phishing-initiated Ransomware attack.
A business that lost £1.2m to a Spear Phishing attack.
An engineering company that had their entire (7 years’ worth of) R&D data
stolen.
A company that had its financial systems compromised and £500,000 diverted to
overseas bank accounts controlled by the criminals.
ALL of these attacks were the result of Phishing emails and could have been avoided
had the staff in question understood the risks, methods and impact of phishing
scams.
How can you stop these attacks?
Firstly, accept that cyber crime is here to stay. It is an unwinnable
war.
Each new technology offers criminals new opportunities to exploit
weaknesses. The good guys will always be playing catch-up.
Understand that the most expensive and sophisticated technical solutions
for preventing cyber crime can be bypassed by the actions of a single
employee or contractor.
Education is the first line of defence. Put all staff & contractors that
have access to the company’s IT systems through a security awareness
training program. Make it part of the induction process.
Regularly test your organization’s defences. This includes simulated
phishing attacks to assess your staff’s susceptibility to this type of crime.
To find out more:
Visit http://devanha.com/training for examples of off-the-shelf and
bespoke user awareness training.
If you have any questions contact me at:
https://www.linkedin.com/in/markmair or
enquiries@devanha.com or
Call +44 (0)1224 060440