Spear Phishing: The New Trend in Social Engineering That Took Down an Entire Country’s Power Source
A decade ago, hackers were able to infiltrate systems using buffer overflows, ping overflows, and certain router and server exploits. Hardware and software vendors took action and greatly improved their defenses, which forced hackers to look for other ways into internal networks. Social engineering continues to be a popular way for hackers to gain access to private systems, and employees are handing them the keys to the kingdom.
What is Spear Phishing?
Spear phishing is a much more targeted attack than general phishing. It’s a form of social engineering that builds on standard phishing techniques.
When attackers send phishing emails, they obtain a large list of email addresses and send the same message to every recipient. They don’t know who they are sending the attacks to; they just hope that several people will fall for them. In some cases, attackers send phishing emails to a list of company addresses. For instance, an attacker might obtain a list of Microsoft email addresses and send phishing emails to these recipients, hoping that some employees will fall for the attack and give the attacker access to the software giant’s systems.
With mass emails, most company email servers will detect the cyber attack and filter out the messages. Once email server defenses detect the attack, the recipients usually don’t receive any emails at all, which makes the attack completely worthless to the attacker. The other issue for the attacker is that most corporate employees have low-level access to data. The hacker can’t obtain any valuable information using standard employee credentials.
Spear phishing is much more targeted and bypasses the obstacles that email servers put in the attacker’s way. Instead of sending hundreds of phishing emails to random corporate recipients, the attacker takes the time to obtain the email addresses of specific key personnel. The biggest targets are financial executives. Instead of sending hundreds of emails that get filtered by the email server, the attacker sends only a few to key individuals with high-level access to sensitive data. Financial executives are targets because they have access to financial data, private documents, and even social security numbers for company employees.
These phishing emails usually include executables that run keyloggers on the executive’s computer, or they take the employees to a malicious site that captures data. The website asks the executive to enter user names and passwords that later give the attacker access to the internal network. Using the executive’s credentials, the attacker can log in to a system without sending alerts to security administrators, and they can obtain much more valuable information.
What Happened in Ukraine?
Most announcements regarding attacks concern private organizations affected by an exploit. As hackers become more political and countries continue to fight over technology, government entities are increasingly at risk. Even more concerning, hackers have turned to attacking utility infrastructure. This was the case with an attack in January 2016, when hackers used a spear phishing attack to bring down Ukraine’s power supply plant. The outage left 80,000 Ukrainians without power for several hours.
The attack brings to light the importance of protecting critical networks that support thousands of users. Power, sewage, and even food suppliers should be on alert for any suspicious activity.
Ukraine’s power supply plant suffered a spear phishing attack when hackers sent an infected Word document to key personnel. Once the file was opened, the malware ran on the system undetected and installed a tool called BlackEnergy. BlackEnergy gives attackers remote control of a system. With this kind of control, the attackers could perform any number of malicious tasks directly on the computer using employee credentials.
Most utility infrastructure systems are antiquated, and outdated hardware and software are vulnerable to newer attacks because they lack the protections built against current threats. Hardware and software vendors discontinue support for older technology once it’s extremely outdated, which leaves these systems even more exposed. For instance, Microsoft no longer supports Windows XP and doesn’t provide any security updates for the operating system, so it is vulnerable to newer attacks. Any network that still uses Windows XP is at risk.
How You Can Protect Your Own Company Network
Whether you support 10 or 10,000 users, you’re a target for hackers. Hackers attack systems for numerous reasons including financial gain, corporate espionage, and even pure sport. Security should be a main factor in engineering both hardware and software.
Phishing and social engineering are especially difficult for security personnel because protection relies mainly on the end user. The best defense is security awareness. Awareness can take the form of intranet sites that teach users the signs of phishing emails or of on-site training classes. All employees, including executives, should be included in the training. Security awareness training has been shown to reduce risk within the organization: users become more aware of phishing red flags, and they feel more comfortable reporting suspicious behavior.
Social engineering involves more than just phishing. Some hackers call key personnel pretending to work for the internal IT department. They ask for user names and passwords, and many users fall victim to this type of attack. An even more brazen social engineering attack is piggybacking. Piggybacking happens when an attacker follows a legitimate employee into the office after the employee uses a badge to gain security access to the premises. Some hackers pretend to be employees and ask a legitimate staff member to open the door.
While many social engineering attacks require user training and awareness, security administrators can also take precautions. Always filter out executable files sent as attachments. Any other attachments should be scanned for malware on the email server. Emails with suspicious attachments can either be filtered or delivered with a warning message appended.
Antivirus should always be kept up to date. Some companies even run two antivirus programs to catch zero-day malware that a single engine misses. Dual antivirus programs can be difficult to maintain, but using two of them in parallel greatly reduces the risk from new threats in the wild: when one antivirus program lets malware pass, the other identifies it as malicious.
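The attachment policy described above, blocking executables outright, flagging macro-capable document types for a warning, and passing everything else on to the malware scanner, can be expressed as a small mail-gateway filter. The following Python is an added example written for this article, not code from the original page or from any mail product; the extension lists, the "drop"/"warn"/"scan" verdicts, the warning prefix, and the sample messages are all constructed assumptions for illustration. It checks the first bytes of each attachment as well as its name, so an executable renamed to look like a PDF is still dropped.

```python
"""Inbound attachment policy check (added example, not from the article).

Assumed policy (constructed): executables and scripts are dropped, macro-capable
Office types and archives are delivered with a warning in the subject, and all
other attachments are handed to the malware scanner.
"""
import email
from email import policy
from email.message import EmailMessage

# Extension lists are illustrative assumptions, not an authoritative blocklist.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                      ".js", ".vbs", ".ps1", ".msi", ".hta"}
WARN_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".rtf", ".zip"}
# File signatures that mark native executables regardless of the file name.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")
WARNING_PREFIX = "[WARNING: attachment may carry macros or scripts] "


def classify_attachment(filename, data):
    """Return "drop", "warn" or "scan" for one attachment."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    # Check content first: a renamed .exe still starts with an MZ header.
    if data.startswith(EXECUTABLE_MAGIC):
        return "drop"
    if ext in BLOCKED_EXTENSIONS:
        return "drop"
    if ext in WARN_EXTENSIONS:
        return "warn"
    return "scan"


def apply_policy(raw_message):
    """Parse a raw RFC 822 message and decide what the gateway should do.

    Returns (action, verdicts, message). For "warn" the returned message has
    the warning prefix added to its Subject so the recipient sees it.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        verdicts.append((filename, classify_attachment(filename, payload)))

    actions = {verdict for _, verdict in verdicts}
    if "drop" in actions:
        action = "drop"          # reject the whole message
    elif "warn" in actions:
        action = "warn"          # deliver, but flag it for the reader
        subject = msg["Subject"] or ""
        del msg["Subject"]
        msg["Subject"] = WARNING_PREFIX + subject
    else:
        action = "scan"          # hand off to the malware scanner
    return action, verdicts, msg


def build_sample(filename, data, subject="Q3 figures"):
    """Construct a sample message with one attachment (test input, not real mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "cfo@example.com"
    m["Subject"] = subject
    m.set_content("Please review the attached file.")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        ("report.exe", b"MZ\x90\x00stub"),        # obvious executable
        ("invoice.pdf", b"MZ\x90\x00stub"),       # executable renamed to .pdf
        ("budget.docm", b"PK\x03\x04macro-doc"),  # macro-enabled Word file
        ("notes.txt", b"plain text"),             # harmless, goes to scanner
    ]
    for name, data in samples:
        action, verdicts, out = apply_policy(build_sample(name, data))
        print(f"{name:12} -> {action:5} subject={out['Subject']!r}")
```

The content check runs before the name check on purpose: file-name filtering alone is what a renamed executable is designed to defeat. Extending the magic-byte table (for example to OLE compound documents) is where a real deployment would invest next.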
If you have any hardware or software that no longer has support from the vendor, it’s time to upgrade the system. You shouldn’t have any discontinued products from vendors that no longer send security patches for recent threats.
You can’t completely protect your corporate network from threats, but you can greatly reduce risk by training users and updating system software and hardware. The Ukraine attack shows that poor security can severely affect thousands of users and damage critical infrastructure.