
Avoid the Pointy End of Executive Spear Phishing Attacks

Organized crime is targeting large and medium-sized companies using a well-honed attack that can penetrate the defenses of most companies. Called “spear phishing,” it involves targeting one or two people within the company and then sending them a well-crafted email with links or attachments that then drop malware into the company. The number of attacks is increasing dramatically.

In March, MessageLabs Ltd. reported that it had intercepted 716 messages across 249 attacks in the previous month, targeting 216 customers. MessageLabs says this compares with an average of two attacks per day last year and two attacks per week two years earlier.

The attack method often uses MS Office documents, but may also involve links to fake websites that appear to be legitimate. One attack focused on the newly appointed executive of a large company, about whom a press release had been issued.

The executive received an email purportedly from the company’s travel agency asking him to click a link and log into the agency’s website to provide his personal profile for approval. He clicked the link and found a website containing all sorts of personal information about him (which had been pulled from the internet). He then clicked a button to sync his Outlook calendar with the travel agency. He was unaware that the website was run by criminals and that malware had just been downloaded onto his company’s network.

Other attacks use realistic-looking MS Office document attachments which, when opened, silently load malware into the company; in some cases the computer crashes, and when it is restarted the malware installs itself on the network.
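The travel-agency lure above works because the link looks like it goes to the real agency. The following is an added example, not code from the original article, showing one check a mail gateway or help desk can run on an incoming email: pull out every link, compare the domain the text displays with the domain the link actually points to, and flag hosts that are a character or two away from a trusted domain. The HTML email, the trusted-domain allowlist and the lookalike domain `example-travel.co` are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed corporate allowlist of domains executives are expected to log into.
TRUSTED_DOMAINS = {"example-travel.com", "example.com"}

# Constructed sample email: the first link displays the real agency URL but
# points at a lookalike host over plain HTTP; the second link is benign.
SAMPLE_EMAIL = """<p>Please confirm your travel profile at
<a href="http://example-travel.co/profile?u=123">https://example-travel.com/profile</a>
or reply to <a href="https://example.com/help">our help desk</a>.</p>"""


class _LinkExtractor(HTMLParser):
    """Collect (href, displayed text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude registrable domain: last two labels (enough for .com-style TLDs)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats of trusted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href: str, text: str) -> list:
    """Return a list of reasons to distrust the link; empty means nothing found."""
    reasons = []
    url = urlparse(href)
    host = url.hostname or ""
    if url.scheme != "https":
        reasons.append(f"non-https scheme '{url.scheme}'")
    actual = registrable_domain(host)
    # Displayed text that looks like a domain but differs from the real target.
    shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    if shown and registrable_domain(shown.group(0)) != actual:
        reasons.append(f"text shows '{shown.group(0)}' but link goes to '{host}'")
    if actual not in TRUSTED_DOMAINS:
        near = sorted(t for t in TRUSTED_DOMAINS if 0 < edit_distance(actual, t) <= 2)
        if near:
            reasons.append(f"'{actual}' is a lookalike of trusted '{near[0]}'")
        else:
            reasons.append(f"'{actual}' is not on the allowlist")
    return reasons


def scan_email_html(html: str) -> list:
    """Return [(href, text, reasons), ...] for every link in the email body."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email_html(SAMPLE_EMAIL):
        print(href, "->", reasons or "ok")
```

The registrable-domain helper deliberately ignores multi-label public suffixes such as `.co.uk`; a production check would use a public-suffix list, and the allowlist would come from the company's own records rather than a constant.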

What can companies do to protect themselves and their executives from this form of attack? Use heuristic intrusion detection systems and train your executives.

Companies must use software that does not rely solely on malware signatures. Signatures are how most common antivirus products work: they keep a list of known “bad guys” whose code has been recognized as malware, compare incoming code against that list, and pass anything that is not on it. On its own, this no longer works.

Criminals now change their code so fast that thousands of variations of the same malware can be produced daily, and a signature for one of them misses the rest. Therefore, heuristic technology has come into play that analyzes the behavior malware attempts on business systems (the processes it launches, the files and registry keys it writes, the connections it opens) rather than its exact bytes. Still in its infancy, this is the future of malware detection. But it does not work all the time.

The challenge with relying solely on intrusion detection systems is that malware can often go undetected. Criminals develop new malware every day that is designed to slip under the detection radar, and this technology misses some types of rootkits and other attacks. So while companies should use it as the first line of defense, they should not rely on it 100%.
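To make the signature-versus-heuristic distinction concrete, here is an added example (not code from the original article) that contrasts the two on constructed data: an exact-hash signature that catches the original dropper but not a one-byte variant, and a behaviour scorer that reads a short trace of sandbox events (process creation, file and registry writes, network connections) and catches the variant by what it does. The dropper bytes, event traces, weights and threshold are all assumptions for illustration; the last trace shows the caveat from the paragraph above, a stealthier run that scores below the threshold and is missed.

```python
import hashlib

# ---- Signature matching: what classic antivirus does ----
# Constructed stand-in for a dropper binary, not real malware.
ORIGINAL_DROPPER = b"MZ\x90\x00 constructed-dropper build=1 c2=198.51.100.7"
# The criminal rebuilds it with a trivial change; the hash no longer matches.
VARIANT_DROPPER = ORIGINAL_DROPPER.replace(b"build=1", b"build=2")

SIGNATURE_DB = {hashlib.sha256(ORIGINAL_DROPPER).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """True only if the sample's exact hash is on the known-bad list."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


# ---- Behaviour heuristics: score what the code does, not what it is ----
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
KNOWN_GOOD_HOSTS = {"203.0.113.10"}  # assumed: the corporate web proxy

WEIGHTS = {                      # assumed weights; tune against real telemetry
    "office_spawns_shell": 4,    # Word/Excel launching a script host
    "run_key_persistence": 3,    # autostart entry written
    "exe_dropped_in_temp": 2,    # new executable in a temp directory
    "outbound_to_unknown_host": 2,
}
THRESHOLD = 5  # too low floods analysts with false positives


def classify_event(event):
    """Map one (kind, details) telemetry event to a suspicious behaviour, or None."""
    kind, d = event
    if kind == "proc_create":
        if d["parent"].lower() in OFFICE_APPS and d["image"].lower() in SHELLS:
            return "office_spawns_shell"
    elif kind == "reg_set":
        if "\\currentversion\\run\\" in d["key"].lower():
            return "run_key_persistence"
    elif kind == "file_write":
        path = d["path"].lower()
        if "\\temp\\" in path and path.endswith(".exe"):
            return "exe_dropped_in_temp"
    elif kind == "net_connect":
        if d["dst"] not in KNOWN_GOOD_HOSTS:
            return "outbound_to_unknown_host"
    return None


def heuristic_score(trace) -> int:
    """Sum the weight of each distinct suspicious behaviour seen in the trace."""
    seen = {classify_event(e) for e in trace} - {None}
    return sum(WEIGHTS[s] for s in seen)


def heuristic_verdict(trace) -> bool:
    return heuristic_score(trace) >= THRESHOLD


# Constructed traces, as a sandbox or endpoint agent might record them.
MALICIOUS_TRACE = [  # the variant dropper opened from a Word attachment
    ("proc_create", {"parent": "WINWORD.EXE", "image": "powershell.exe"}),
    ("file_write", {"path": r"C:\Users\exec\AppData\Local\Temp\update.exe"}),
    ("reg_set", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update"}),
    ("net_connect", {"dst": "198.51.100.7", "port": 443}),
]
BENIGN_TRACE = [     # ordinary Word session: scratch file, traffic via proxy
    ("file_write", {"path": r"C:\Users\exec\AppData\Local\Temp\~WRD0001.tmp"}),
    ("net_connect", {"dst": "203.0.113.10", "port": 443}),
]
STEALTHY_TRACE = [   # in-memory payload, no files, tunnels through the proxy
    ("proc_create", {"parent": "WINWORD.EXE", "image": "mshta.exe"}),
    ("net_connect", {"dst": "203.0.113.10", "port": 443}),
]

if __name__ == "__main__":
    print("signature on original:", signature_match(ORIGINAL_DROPPER))
    print("signature on variant: ", signature_match(VARIANT_DROPPER))
    for name, trace in [("malicious", MALICIOUS_TRACE), ("benign", BENIGN_TRACE),
                        ("stealthy", STEALTHY_TRACE)]:
        print(f"{name}: score={heuristic_score(trace)} flagged={heuristic_verdict(trace)}")
```

The stealthy trace scores 4 against a threshold of 5 and is missed, which is the point the text makes: behaviour scoring catches variants a hash cannot, but it is a weighting exercise that attackers can probe, so it is a first line, not the only one.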

That’s where training comes in. 77% of malware attacks start when a user clicks a link or opens an attachment in an unexpected message. Educating your executives not to click links or open attachments in unexpected emails, even when the email appears to come from a fellow executive, mitigates business risk.

This is what a new free 3-minute malware security training program, “Training in a Flash,” offers. It runs in over 90% of the world’s browsers using Adobe Flash. In just 3 minutes, users learn how to avoid phishing and pharming attacks.

Conclusion for companies:

1. Make sure to use an up-to-date intrusion detection system that uses heuristics.

2. Train your executives to “think before they click.”

If you don’t, you can end up on the pointy end of a successful spear phishing attack.
