Kevin Doyle, CISSP, CISA, CISM, ISSMP
Recent attacks on Sony, the IMF, and Citigroup shared a relatively new attack method, one that has a very high payoff and is very successful. Older attack methods involved reconnaissance on an organization’s infrastructure, looking for vulnerabilities in hosts such as web servers, then gaining entry to the target’s resources. As organizations beefed up the security on their perimeter and secured those machines, attackers went other routes.
It is common knowledge among security professionals that the weakest link in security is the end user. The reasons for this fact are numerous. It is human nature to be helpful. End users are often not as well-trained or versed in security as technology people. And people make mistakes. Often security incidents are caused with no malicious intent on the part of the users.
The mode of attack was “spear phishing”. Phishing is an e-mail-based social engineering attack that lures victims into clicking links to malicious web sites or downloading attachments. Early phishing attacks enticed users to those sites in an attempt to get them to disclose log-in credentials, credit card numbers, PINs, etc.
Spear phishing attacks are similar in that they are e-mail-based social engineering attacks that attempt to get users to click on links to malicious web sites. However, these attacks are more narrowly targeted, usually at employees of an organization. A successful spear phishing attack gives the malicious party a “door” into the network. If the attackers are lucky, the victim will have some type of administrative privilege to a network resource, or better yet the network itself. Even if the victim does not, the attackers will attempt to escalate the privileges of the user account they compromise.
Once the attackers successfully gain administrative privilege, they may harvest as much information as they can. Attackers can either focus the attack on a high-profile target such as trade secrets or a valuable database, or simply steal as much valuable information as possible.
These attacks are normally for financial gain. In the case of Sony, the online gaming network was brought to its knees and a great deal of personal information was stolen (usernames, passwords). The International Monetary Fund (IMF) and Citigroup had a great deal of information compromised.
While these recent attacks attracted global publicity, attacks like these happen every day and go undetected, unreported, or worse…unknown. Is your organization safe from spear phishing attacks? Next up, the simple, affordable, best practices you need to know to keep your systems and organization safe from attacks.