Thursday, 29. January 2015

Breaches call attention to risk of spear phishing

Last year was dubbed the year of the breach, and given the number of malicious intrusions that took place, it’s easy to see why. Now that the dust has settled on many of these and investigations into just how the breaches took place are beginning to yield results, white hats are discovering that many of these attacks involved spear phishing techniques.

According to Trend Micro, spear phishing can be defined as “highly targeted phishing aimed at specific individuals or groups within an organization.” In this way, hackers leverage personal information about a person or group of individuals that is typically readily available online – through, for example, someone’s social media profile or corporate bio on a company website. With these details, cybercriminals can tailor specific messages to the victim or victims that trick them into sharing more valuable data.

For instance, a spear phishing attack might involve the use of a legitimate-looking email that includes the target’s full name, making it appear even more realistic. The message may ask the person to confirm their username and password, thus baiting the individual to provide information that the hackers never had in the first place.

Recently, such attack strategies have grabbed the limelight, particularly since they’ve been leveraged in more high-profile breaches.

JPMorgan Chase: A spear phishing victim
Whenever a large organization like a bank is breached, it’s hard to keep the news of such an event quiet. Last year, major banking firm JPMorgan Chase made headlines when it was revealed the company had been the victim of an attack. While the incident is still being investigated, experts suspect the breach came as the direct result of a spear phishing campaign aimed at the organization and its customers.

Shortly after the breach became public, Avivah Litan, financial fraud expert and Gartner analyst, told Bank Info Security that it was likely that an employee compromised sensitive data after being victimized by a spear phishing attack. Furthermore, just before the breach was announced, a security firm found evidence of an extensive and sophisticated phishing plot targeting JPMorgan Chase customers. The security company discovered that several clients had been sent phishing messages, which redirected them to a malicious webpage featuring an exploit kit. When these individuals entered their authentication credentials on the fraudulent page, they were asked to download an update for Java. However, instead of an upgrade for the program, the fake notification contained malware.

While the exact cause of the breach has yet to be determined, security expert John LaCour noted that a JPMorgan Chase employee could have easily been tricked by the spear phishing message, just as customers were.

Litan noted that JPMorgan Chase’s case should serve as an example for the banking industry, spurring organizations to make protection a priority.

“This should serve as a loud wake-up call for bank boards to elevate security to the top of their agenda, and to make sure their security staff, e.g., the CISOs, are doing every