Spear phishing is a form of phishing aimed at targets with high authority and the people around them. By the nature of their work, security procedures are disregarded, or at least less strictly followed, in such circles, which can lead to significant security risks. Here is a quite realistic scenario for this attack.
The ShortInfosec Democorp CEO is away on business for the week. He has authorized his assistant to check his mail and handle responses as appropriate.
The ShortInfosec Personal Assistant reads an email from the chairman of the Democorp board to the CEO. The mail content is as follows:
The Personal Assistant sees that the mail is sent from the corporate e-mail address of Harry J and is formatted according to the corporate standard. She knows that her boss will not read the e-mail for another 3 days.
So, she forwards the mail to marketing and sales, with the following text added:
Within 15 minutes of receiving the original message, the directors of sales and marketing would have delegated the task to their subordinates and would have sent their documents to a Gmail address to which an unknown person has access.
Here is what really happened:
- The mail was originally fabricated by the attacker and sent from an open-relay SMTP server, impersonating the President of the board.
- The names and official contact information of all relevant persons are available from the annual reports of Shortinfosec Democorp. If not, the corporate e-mail format is standard and can be extrapolated by posing as a customer and exchanging several e-mails with other persons within Shortinfosec Democorp.
- The same method can be used to extrapolate the formatted signature at the end of the e-mail, as well as the disclaimers or other standard corporate information contained in all e-mails.
- An official conference agenda listed the Shortinfosec Democorp CEO as one of the speakers, so the attacker knows when he will be unavailable.
- The WCI can be any relevant investment group, a name which can be identified from news clippings, or even invented; secretaries are not that much in the loop on large business decisions.
What should have happened
- The request to send confidential documents to a public email should have raised red flags.
- The Personal Assistant should have called the President of the board to confirm the authenticity of the message.
- Also, she should have reported the mail as a possible breach of procedures to the Information Security Officer and requested further instructions.
- Even if she had disregarded all the peculiarities of this email, the directors of sales and marketing and their subordinates should have reacted with a phone call or alerted the Information Security Officer.
In the real world, at the end of the day, business comes first. So the same material would have gone to the Gmail account, but only after confirming that the president of the board had requested it, and with maximum precautions.
An unknown person now has highly confidential corporate documents in his hands, which he can sell to the competition, publish, or mine for information that will assist him in furthering his attacks.
Here are the controls that should be implemented to minimize the risks of spear phishing:
- Implement e-mail digital signatures for all top management and key personnel, and set up their laptops and PCs to sign each sent message automatically. Implement procedures requiring that all unsigned messages received from these sources be verified for authenticity.
- Perform regular training of all assistants and advisers to top management on Phishing and Social Engineering.
- Perform regular but unannounced social engineering penetration tests on all assistants and advisers to top management, as well as all personnel handling highly confidential data.
- Educate top management by presenting the results of these penetration tests to them, to help them understand that breaching instituted procedures can lead to severe security breaches; make this an exercise, not a PowerPoint presentation.
- Advise all top management to accept and encourage a "when in doubt about the credibility of a request, make a call" policy for their immediate subordinates, assistants and peers. A one-minute phone call is much less fuss than a 100-page top secret report being leaked.
- In case of a real need to send such documents to a public e-mail address, provide fallback security procedures, for example: send the data as a password-protected PDF with a random password, wrapped in a RAR file protected with a different password, with both passwords communicated via another channel, such as an SMS or a phone call directly to the president of the board.
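As an added illustration (not from the original post), here is a small Python triage check for two of the red flags described above: an unsigned message arriving from a key-personnel address, and a request to send material to a public webmail address. The key-personnel list, the domain names and the sample message are constructed placeholders modelled on the scenario.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed placeholders: mailboxes of top management whose mail is expected
# to be digitally signed, and public webmail domains that must never receive
# confidential material.
KEY_PERSONNEL = {"harry.j@democorp.example", "ceo@democorp.example"}
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
SMIME_TYPES = {"application/pkcs7-mime", "application/pkcs7-signature"}


def is_signed(msg):
    """True if the message carries an S/MIME signature structure."""
    if msg.get_content_type() == "multipart/signed":
        return True
    return any(part.get_content_type() in SMIME_TYPES for part in msg.walk())


def plain_text(msg):
    """Concatenate all text/plain parts of the message."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def review_message(raw):
    """Return the red flags an assistant (or a mail gateway rule) should raise."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    flags = []
    # Control: unsigned mail from key personnel must be verified out of band.
    if sender in KEY_PERSONNEL and not is_signed(msg):
        flags.append(f"unsigned message from key personnel {sender}: confirm by phone before acting")
    # Control: naming a public webmail destination for documents is a red flag.
    destinations = {d.lower() for d in ADDR_RE.findall(plain_text(msg))}
    for domain in sorted(destinations & PUBLIC_WEBMAIL):
        flags.append(f"public webmail destination ({domain}): do not send confidential documents there")
    return flags


# Constructed sample modelled on the scenario above (not a real message).
SAMPLE = """\
From: Harry J <harry.j@democorp.example>
To: ceo@democorp.example
Subject: Documents for WCI due diligence
Content-Type: text/plain; charset="utf-8"

Please have sales and marketing send their latest forecasts to wci.review@gmail.com
by tonight. I am travelling and cannot reach the corporate mail.
"""
```

Running `review_message(SAMPLE)` yields both flags; a signed message from the same sender that names only corporate addresses yields none.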
Talkback and comments are most welcome.