
Phishing: what it is, how the attack works and how to defend yourself


The term phishing is a variant of fishing (literally "to fish") and alludes to the use of increasingly sophisticated techniques to "fish" for a user's sensitive data.

Phishing is one of the most current and feared threats, along with ransomware, and, as the latest "Cyber security threat trends" report by Cisco Umbrella shows, it is responsible for 90% of data breaches; the report itself specifies that this figure is not a typo.

In recent years phishing has rapidly evolved into spear phishing, that is, phishing targeted at the victim, and the pandemic has further increased its danger: for this reason it is an increasingly subtle threat that is harder to protect oneself against effectively. Moreover, the phrase "when something is free, the product is you" is now famous: this is the principle on which the revenue model of the Internet is based. We think we access content for free, but in reality we pay with our data, a precious commodity that has a much higher value than the content we receive.

The issue of tracking services is highly topical and is very often seen only as a privacy problem, but in reality it is a security flaw.


What is spear phishing?

It is a scam carried out through electronic communications addressed to a company or even to a single person. It has two distinct objectives, namely stealing sensitive data to reuse fraudulently or spreading malware, and in many cases the two coincide.

In the most classic case, the recipient receives an e-mail apparently sent from a trusted source, usually a person or company he knows and has no reason to consider dangerous. By following the links in the text of the e-mail, the victim ends up browsing a website that distributes malware. It is a technique that puts anyone at risk, in any context: even government representatives or people at the top of companies of any size can fall into the trap.


As mentioned, it is not a new threat, and those who resort to it do not shy away from the most devious distribution techniques. In 2013, a spear phishing campaign caught the attention of potential victims by sending e-mails that looked as if they really came from the National Center for Missing and Exploited Children, a nonprofit that deals with child protection.


These attacks are usually carried out by hacktivists and cybercriminals, the latter more interested in reselling the confidential data they manage to obtain or in seizing data useful for penetrating corporate networks.


The Barracuda Report

The security company Barracuda took a snapshot of the phenomenon during 2022: 50% of the companies in the sample examined were subject to a spear phishing attack, and half of these suffered the compromise of at least one e-mail account.

Beyond the numbers, the picture is telling, so much so that many companies struggle to defend themselves against these attacks precisely because of their nature. These are not attacks on a corporate network, a database or one or more servers; it is an extremely customizable attack that can reach any employee of an organization.

The report first of all revealed a definite and unprecedented spread of spear phishing, stating that 50% of the 1,350 companies in the sample examined were subject to it, receiving an average of five such e-mails a day.

These attacks have a high success rate: spear phishing accounts for a small share of attacks carried out via e-mail but causes two-thirds of breaches.


The impact, according to the report, mainly causes:

  • Machines infected with viruses or malware (55%),

  • Theft of sensitive data (49%),

  • Theft of login credentials (48%),

  • Direct economic damage (39%).


Companies spend an average of nearly 100 hours remedying spear phishing, according to the report, spending 43 hours on detection and 56 hours on response and remediation. In addition, organizations where remote working is practiced report a higher average number of suspicious e-mails, up to 12 per day.


How marketing is leveraged

Marketing has become increasingly pervasive, and the value of data is growing exponentially: in 2013 Facebook earned $19 a year per American user in advertising sales; in 2020 it earned as much as $164.

For this reason, global profiling services (web trackers and session replay scripts) number in the tens of thousands, and new ones appear every day. Attackers know this well: according to research by the Ponemon Institute, 29.6% of these services suffer a data breach every two years.

Tracking services collect a huge amount of data that, taken individually, has no relevance but, correctly combined, provides very precise information, creating a perfect digital identity.

We are all more or less aware of the data collected about our interests:

  • Pages visited;

  • Browsing history;

  • Frequency and hours of visit;

  • Language used;


But the enormous amount of "accessory" data collected is often underestimated, such as:

  • Battery charge;

  • Geolocation;

  • Internet Service Provider;

  • Timezone;

  • Browser used with its installed version;

  • And much more;


Understanding how to protect yourself from spear phishing

Since it is a personalized attack, that is, very often addressed to individuals, defending against it can become more cumbersome. Fabio Sammartino, Head of Pre-Sales at Kaspersky, explains in detail:


"Spear phishing falls into the category of targeted attacks and is characterized by the careful profiling of the subject to be attacked, which has been the subject of a study in terms of work area, context, type of emails usually received and suppliers with whom it is in contact. Unlike generic phishing attacks, which are now easily recognizable by the quality of the text of the communications conveyed or by some distinctive characters, spear phishing attacks are extremely verticalized and for this reason more difficult to identify".

There is a fundamental mistake to avoid, namely believing that protecting email servers is enough to prevent spear phishing that uses email as the main vehicle: "In the general defense strategy you should not leave anything out because you do not know where the attack will come from and what the vulnerable point will be. In the case of spear phishing, traditional analysis will hardly be able to detect a targeted message, because the attacker has designed an attack aimed at evading traditional security systems that generally asks the user to take some action to activate it. The e-mail server is a first element of defense and allows you to directly check the text of the message, attachments, inserted links. In addition, different email traffic analysis technologies, such as sandboxes or advanced spam and phishing detection tools, can be connected, but they are not enough," explains Sammartino.
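As an added example (not code from the article or from Kaspersky), the following Python script shows two of the message-level checks described above that a mail server can apply directly to the text and links of an e-mail: a From display name that claims a known supplier while the address sits on another domain, and a link whose visible text names one domain while its href points elsewhere. The sample message and the supplier list are constructed for the demo.

```python
# Added example: two gateway-side checks on a raw message (text and links),
# the kind of direct inspection the article says a mail server can perform.
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

KNOWN_SUPPLIERS = {"acme supplies": "acme-supplies.example"}  # constructed
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r'([a-z0-9-]+\.)+[a-z]{2,}', re.I)

def registrable(host):
    """Crude eTLD+1: keep the last two labels (enough for this demo)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_message(raw):
    """Return a list of findings for a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1) display name claims a known supplier, address is on another domain
    display, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rpartition("@")[2])
    for brand, domain in KNOWN_SUPPLIERS.items():
        if brand in display.lower() and sender != domain:
            findings.append(f"display-name impersonation: '{display}' from {sender}")
    # 2) visible link text names one domain, href goes to another
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in HREF_RE.findall(html):
        target = registrable(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group(0)) != target:
            findings.append(f"link mismatch: shows {shown.group(0)}, goes to {target}")
    return findings

SAMPLE = b"""From: ACME Supplies Billing <billing@acme-supp1ies.example>
To: accounts@victim.example
Subject: Updated invoice
Content-Type: text/html; charset="utf-8"

<p>Please review the invoice at
<a href="https://login.acme-supp1ies.example/inv">https://portal.acme-supplies.example/inv</a></p>
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("FLAG:", finding)
```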


The entire perimeter must be protected, Sammartino points out: "Of course, endpoint protection is also important and in the case of spear phishing it plays an even more important role than e-mail. When the user runs a file, clicks a link, or triggers a script unintentionally on the endpoint, the elements of the device's security systems should take over. In some cases, these attacks are so well thought out that even the endpoint can be evaded or circumvented; it is not uncommon for the attacker to ask the victim to turn off the antivirus during a phone call".

"It's important to use an endpoint and email server protection solution with anti-phishing capabilities to reduce the chances of infection through an email. Also, if you use the Microsoft 365 cloud service, it must also be secured. The advice is to implement a solution that has dedicated antispam and anti-phishing, as well as protection for SharePoint, Teams and OneDrive apps for secure business communications", is the advice of the Kaspersky analyst.


In addition, as reported in previous articles, user training is essential to ensure the best possible security. "In addition to training, you need technology that focuses on e-mail security. For example, a company can organize cyber security hygiene training, to teach users how to identify these threats, and conduct a simulated phishing attack to make sure employees can distinguish phishing e-mails from legitimate ones", concludes Fabio Sammartino.

As a KnowBe4 partner, we can provide you with many tools to simulate phishing e-mails and, through targeted courses, teach you how to recognize and avoid them, and much more; we are available for further information.

