Spear-Phishing Emails Are Favoured Tactic, Says Trend Micro

Malware continues to present a persistent threat, but advanced attacks usually have one thing in common – spear-phishing.

According to a new paper from Trend Micro entitled ‘Spear Phishing Email: Most Favoured APT Attack Bait‘, 91 percent of the targeted attacks it collected data on between February and September 2012 involved spear phish tactics that dupe a victim to open malicious file or Website.

Social Engineering

In a typical spear-phishing attack, an email is sent to specific individuals at an organisation being targeted. The email will use social engineering focused on those particular individuals receiving the email as part of a ruse in order to get them to open a malicious file or visit a malicious site. For example, an email to a chief financial officer may include malware disguised as a financial report as opposed to something they would be less likely to click on or open.

“APT (Advanced Persistent Threat) campaigns frequently make use of spear-phishing tactics because these are essential to get high-ranking targets to open phishing emails,” according to Trend Micro’s report. “These targets may either be sufficiently aware of security best practices to avoid ordinary phishing emails or may not have the time to read generic-sounding messages. Spear phishing significantly raises the chances that targets will read a message that will allow attackers to compromise their networks.”

The most commonly used and shared file types were: .RTF (38 percent), .XLS (15 percent) and .ZIP (13 percent). Executable files (.exe) were not as popular, most likely because emails with those files were detected and blocked by security tools, the report speculated.

Crafting the right lure for a spear phish starts with research, and attackers do not have to look far to find the information they need.

“The methods criminals use to gather information for spear phishing emails are surprisingly simple,” said Scott Gréaux, who is vice president of product management and services at PhishMe, which specialises in training organisations to deal with phishing attacks. “The amount of free information available to the public over the Internet is staggering and a few simple searches through Google, Facebook, LinkedIn, etc. can reveal enough information to craft a well-disguised spear phishing email.”

For example, a company’s LinkedIn page will provide the names of employees and one of those individual’s publicly-available LinkedIn page may reveal his or her corporate email address. The person’s Facebook profile may include details about their personal life. From there, it isn’t difficult for a criminal to create a personalised spear phish with enough information to appear genuine, Gréaux said.

Staff Training

“For executives looking to implement spear phishing awareness training programs, immersing your employees in the experience of being spear phished by sending out mock spear phishing emails is the most effective measure,” he said. “Simulated phishing emails that re-use content from real phishes provide a memorable and highly relevant experience to your employees and train them to properly react when a spear phish arrives in their inbox.”

According to Jon Clay, security technology expert at Trend Micro, organisations should do reviews of social media policies with employees to ensure they are not publishing sensitive data. Companies should also review their messaging attachment policies to identify ways to mitigate spear-phishing emails utilising attachments and examine out-of-office message policies to make sure criminals cannot use them to verify information about the organization.

Overall, fighting phishing, he said, takes vigilance.

“Education and heightened awareness among employees is needed now more than ever,” Clay said.

Are you an IT security pro? Try our quiz!

Originally published on eWeek.