For the greater part of 2015, both the FBI and the U.S. Secret Service have issued warnings that 2015 could be the year of Spear Phishing. Recently, the U.S. Secret Service issued a new bulletin, warning again that they are seeing a “significant increase in the frequency, sophistication, and fraud losses” associated with these new attacks.
The spear phishing concern is directly related to Business E-mail Compromise, or BEC scams. These scams are nothing new, and many organizations have tried to defend against them with e-mail filtering and with SPF (Sender Policy Framework). Filtering catches known-bad content and senders; SPF lets a receiving server check that the connecting host is authorized to send for the envelope sender domain (the MAIL FROM address). On its own, however, SPF says nothing about the From: address the recipient actually sees, so more must be done in the face of increasingly sophisticated attacks.
Improving e-mail security becomes more important as attackers have begun to use other methods, such as mining social media and professional networking sites like LinkedIn, to identify the insiders they intend to target.
The latest Secret Service bulletin highlights two BEC scams that are growing in popularity. The first requires nothing more than spoofing an e-mail address. The second requires the attacker to take control of a bank’s e-mail system (through malware infection), which is a complicated process that typically costs the attacker significant time and resources. One scam typically leads to the next, so if you can stop the initial, simpler scam, you reduce your exposure to both.
Attackers are always going to look for the easiest point of entry, so by cutting off their ability to spoof your email address, you reduce their ability to conduct either scam, and improve the likelihood that they will move on to another victim.
An example of the first kind of scam is a faked message from the CEO to the CFO asking for an invoice to be approved. Requests like this are routine, and the CFO often delegates them to staff for processing without verifying them. By the time the CFO realizes the CEO never sent the invoice, the processor has already made payment per the instructions in the fake e-mail. Often these e-mails link to a file share or other document storage “to view the invoice”; the link delivers a malicious payload that can then be used to infiltrate the e-mail system, exfiltrate data, or cause other harm.
One emerging standard that is proving effective against the exact-domain spoofing behind these attacks is adding Domain-based Message Authentication, Reporting, and Conformance (DMARC) to your e-mail delivery domains. DMARC does not cover lookalike domains or mail sent from a genuinely compromised account, so it complements rather than replaces user awareness and payment verification controls.
DMARC builds on SPF and DKIM. A domain owner publishes a DNS TXT record at _dmarc.<domain> stating a policy (p=none, p=quarantine, or p=reject) for mail that fails authentication. A receiver treats a message as passing DMARC only if SPF or DKIM passes and the domain that passed “aligns” with the domain in the visible From: header; a spoofed message with a forged From: but the attacker’s own envelope sender fails alignment even though the attacker’s SPF check passes. The most valuable aspect of DMARC is the feedback it provides: receivers send aggregate reports (the rua= address) and, where supported, per-message failure reports (ruf=) back to the domain owner. These reports reveal both your legitimate sending systems that are not yet authenticated and the sources trying to deliver spoofed e-mail in your name. With this knowledge you can fix your own senders, move the policy from p=none to p=quarantine and then p=reject, and cut off the spoofed mail before it reaches anyone.
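To make the alignment and policy logic concrete, here is an added example (not code from the original post or from any mail product) of how a receiving server evaluates DMARC. The DNS records, domain names and sample messages are constructed for illustration, and the organizational-domain helper uses a two-label shortcut where a real implementation must consult the Public Suffix List. It walks through a genuine message, the CEO-to-CFO spoof, a legitimate third-party sender signing with DKIM, the same spoof against a domain that only published p=none, and a lookalike domain that DMARC cannot help with.

```python
"""Added example: how a receiving mail server evaluates DMARC (RFC 7489 logic).

Constructed for illustration: DNS_TXT stands in for real DNS lookups and the
sample messages are invented. org_domain() is a two-label approximation; a real
receiver uses the Public Suffix List.
"""

# Constructed stand-in for DNS: _dmarc.<domain> TXT records.
# corp.example has moved to p=reject; partner.example is still in monitor mode (p=none).
DNS_TXT = {
    "_dmarc.corp.example": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-rua@corp.example",
    "_dmarc.partner.example": "v=DMARC1; p=none; rua=mailto:reports@partner.example",
}


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict, applying the RFC defaults for alignment."""
    tags = {"adkim": "r", "aspf": "r"}  # relaxed alignment unless the owner says otherwise
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    return tags


def org_domain(domain):
    """Organizational domain. ASSUMPTION: last two labels; production code must use the PSL."""
    return ".".join(domain.lower().split(".")[-2:])


def lookup_policy(from_domain):
    """Query _dmarc.<from_domain>, then fall back to the organizational domain's record."""
    for candidate in (from_domain, org_domain(from_domain)):
        txt = DNS_TXT.get("_dmarc." + candidate)
        if txt:
            return parse_dmarc_record(txt)
    return None


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(msg):
    """Return (dmarc_result, disposition) for one message.

    msg keys: from_domain (the RFC5322.From domain the user sees), mailfrom_domain and
    spf (envelope sender and its SPF result), dkim_domain and dkim (the d= of a verified
    signature and its result). Missing keys mean that check was not performed.
    """
    policy = lookup_policy(msg["from_domain"])
    if policy is None:
        return ("none", "deliver")  # no DMARC record: receiver falls back to its local rules
    spf_ok = msg.get("spf") == "pass" and aligned(
        msg.get("mailfrom_domain"), msg["from_domain"], policy["aspf"])
    dkim_ok = msg.get("dkim") == "pass" and aligned(
        msg.get("dkim_domain"), msg["from_domain"], policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    # Failing mail gets whatever the domain owner published; reports go out either way.
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]
    return ("fail", disposition)


# Constructed sample messages, each reduced to the identifiers DMARC cares about.
SAMPLES = {
    # Genuine mail from the company's own server: SPF passes and is aligned.
    "genuine": {"from_domain": "corp.example", "mailfrom_domain": "corp.example", "spf": "pass"},
    # CEO-to-CFO spoof from an attacker-run domain: the attacker's own SPF passes,
    # but the envelope sender does not align with the From: domain the CFO sees.
    "spoofed_ceo": {"from_domain": "corp.example", "mailfrom_domain": "evil.example", "spf": "pass"},
    # Legitimate bulk mailer: SPF on its own domain, DKIM-signed with a corp.example subdomain.
    "bulk_sender": {"from_domain": "corp.example", "mailfrom_domain": "bulk.example", "spf": "pass",
                    "dkim_domain": "mail.corp.example", "dkim": "pass"},
    # Same spoof against a domain still at p=none: reported, but still delivered.
    "spoofed_partner": {"from_domain": "partner.example", "mailfrom_domain": "evil.example", "spf": "pass"},
    # Lookalike domain registered by the attacker: no DMARC record, so DMARC cannot help.
    "lookalike": {"from_domain": "corp-example.com", "mailfrom_domain": "corp-example.com", "spf": "pass"},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print("%-16s -> result=%s disposition=%s" % ((name,) + evaluate(msg)))
```

The spoofed_ceo case is the one to study: SPF alone reports "pass" because the attacker controls evil.example and published a valid SPF record for it; only the DMARC alignment check against the From: domain turns that into a reject. The spoofed_partner case shows why p=none is a starting point and not a destination, and the lookalike case is the gap DMARC leaves for other controls.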
Attackers continue to raise the bar on the sophistication of their attacks and on their ability to turn simple intrusions into more complicated ones. By closing the door on simple spoofing, organizations protect themselves not just from those attacks but from the more complex ones that grow out of them. It’s time for organizations to raise their bar as well.