You come home from a long day at work, thinking it’s finally over and everything has been submitted. You’re exhausted, having been up for the last 28 hours. As you head to bed, you check your email one last time and you see an email urging you to change your password as you might have been hacked. Better be safe and just change it, you think; clicking on the link provided and filling out the form. Suddenly, you have just become a victim of a phish.
You may be the most security conscious individual when it comes to emails and messages but sometimes, all it takes is just a slight lapse in judgement for you to become a victim. In fact, Symantec reported that 1 in 33 users were exposed to a phishing attempt by the end of 2018. With how common social engineering attempts are nowadays (especially targeted ones) , it does not hurt to be more careful.
What’s a targeted attack?
A targeted attack in information security is any type of attack where the target(s) is specified. To ensure the greatest chance of success, target attacks are usually engineered around the characteristics or peculiarities of the target(s).
What exactly constitutes a targeted attack? For the purpose of this article, we will refer to the definition given by Symantec in their annual report on the cybersecurity landscape (ISTR) that a targeted attack is “an attack directed at a specific target or targets as opposed to widescale indiscriminate campaigns.”
The report elaborates that attacks are only considered targeted if they’re carried out by an organized group to undermine and/or infiltrate a specific organization. For example, the case where a UK Teen hacked the chief of CIA is not considered a targeted attack since it’s carried out by an individual.
How are targeted attacks carried out?
In the past, attackers have typically resorted to exploiting vulnerabilities in the software itself. To combat the threat, software vendors have continuously invested in efforts to upgrade their security policies and improve how they identify and fix critical vulnerabilities during development.
These investments have paid off as there are fewer critical zero-day vulnerabilities found in software being released. According to Volume 22 of Symantec’s Internet Security Threat Report (ISTR), only 9% of vulnerabilities discovered were considered critical in 2016. This percentage has further decayed to the point of insignificance and was not reported in ISTR Volume 23.
With fewer ways to exploit the software directly, attackers have turned to other attack vectors—which are defined as the method used by which attackers gain access to an otherwise inaccessible system. Symantec reports in ISTR Volume 23 that only 27% of known targeted attack groups have been observed to have used zero-day vulnerabilities.
For targeted attack groups, social engineering has been swiftly gaining popularity as the preferred attack vector. Characterized by exploiting the gullibility of some users, social engineering aims to either extract confidential and sensitive information or to influence the user to perform certain actions that they would not normally perform. Some examples of information stolen would be user credentials, credit card numbers or banking details etc.
Symante’s ISTR (Volume 23) report ranks spear-phishing emails (71%) and watering hole websites (24%) as the top two favored social engineering techniques by known groups. In the next few sections, we’ll discuss the most popular technique—spear-phishing emails—and how to identify them.
How to spot these attacks?
Reeling you in: What is Phishing?
Phishing is a type of social engineering technique in which hackers disguise themselves as a credible entity in order to trick victims into divulging confidential information about themselves or their company. Also known as email spoofing, this is typically carried out by sending victims an email that appears authentic, with the contents usually asking the victims to reveal sensitive information.
Choice of Bait: Spear-Phishing
Unlike ordinary bulk phishing, spear-phishing is directed at a target—usually a specific individual or company. There are several reasons that targeted attack groups prefer the use of spear-phishing over other methods.
First, they can guarantee that the target has been exposed to the attack. Unlike other social engineering methods like watering hole websites, hackers do not need to rely on the victim visiting a malicious website and can send the phish directly to the target. In addition, there is also less risk of collateral damage when spear-phishing is used, which decreases the chances of the attack being discovered.
Second, attackers can gather information about the target to create a more personalized phish, thus improving the chances of success. A variant on spear-phishing is known as whaling, where the target of the attack is a senior executive such as the CEO or other high value targets.
Finally, spear-phishing does not rely on any critical bugs that are still present in the software used nor does it require sophisticated technical knowledge.
Hook, line, and sinker: What happens when you have been phished?
With phishing emails becoming increasingly convincing, here are some examples of what can happen if you fall prey to an attack:
- Austria’s FACC: A financial controller of the company was tricked into transferring €52.8 million by a spoofed email claiming to be from the CEO. This resulted in the immediate termination of aforementioned CEO as well as a share price drop of 38 percent.
- DNC Hack: Russian hackers were able to gain access to confidential emails within the US Political party DNC which eventually resulted in the email leaks being published by WikiLeaks in 2016.
- Ransomware Attack: Phishing emails containing a word document with a VBS macro that would download ransomware software onto the infected system.
Not taking the bait: What can you do?
There are various measures you can take as an individual or an organization to combat the threat of phishing.
1) Educate your users
As the targets of phishing, educating your users on how to spot a phishing attempt can be an effective prevention strategy. The image below is an example of a phishing email along with various ‘mistakes’ that can be used to identify it.
2) Use Multi-factor authentication (MFA)
Multi-factor authentication (MFA) requires the user to present multiple factors in order to gain access to the system. These factors are usually broken down into three main categories (along with some examples):
- What the user knows: Username/Password, Credit card information
- Who the user is: Biometrics
- What the user has: Authentication token, ID card
When information such as user credentials or credit card information is stolen by a phish, the use of MFA will prevent hackers from being able to use it. This is due to the fact that they only have access to one of the above mentioned category and will be unable to provide a method from the other two categories. In addition, if multiple failed attempts to provide the other factors have been detected, users may also be prompted to change their password to further improve security.
3) Using a respectable software vendor
Using software from a respectable vendor can be beneficial to a business not just in terms of cost and productivity but also in terms of security. Since the vendor is usually in charge of providing and maintaining the software solution, they will typically be more experienced in terms of security due to their specialization in delivering that particular digital solution. As a result, the vendor can directly address some of the potential threats and consequences of phishing.
As you’ve seen in previous sections, the consequence is greater when target attacks are used against high ranking individuals within an organization, such as board members, executives, and their administrative staff. That means board meeting software play an important role in safeguarding sensitive information and protecting your privacy. Given that spear-phishing emails and watering hole websites are the two most commonly used attack vectors by targeted attack groups, and the targets and effects of watering hole websites are largely similar to that of phishing, we will take a look at how board meeting software can help if you have been a victim to these attacks.
Case Study: Using a Board Meeting Software
Let’s say someone from your company is a victim of a phish and has now been compromised. If user credentials have been stolen, there are several measures that can be used by board meeting software to prevent unauthorized access.
One measure is a feature called device registration, where access will only be granted on devices that have been previously registered as trusted. Without such a device, the hacker will not have access despite having possession of the stolen credentials.
Another measure commonly supported by board meeting software is the use of two-factor authentication (2FA) as an authentication method. In addition to user credentials, 2FA requires the user to provide a second method of authentication, such as an ID card or some other method.
Most board meeting applications employ some form of encryption when storing files and documents. Encryption protects against Trojans aimed at stealing data by preventing hackers from reading confidential files and documents as they will not have the means to decrypt it.
Board meeting software also help mitigate the worst effects of ransomware by providing a secure online portal where users can upload documents in an encrypted format. This means that they will still have access to their files and documents on another workstation if their existing workstation is rendered unusable by ransomware.
To conclude, targeted attacks are on the rise, but with sufficient education, the right security policies, and appropriate software, you can mitigate the risks of this new form of cyberattack.
Ahmed is a cybersecurity analyst at Convene. He is well-versed and has experience creating information security and contingency plans to protect against attacks. Ahmed also provides useful vulnerability and threat analysis, while recommending viable software solutions.