Recently, a form of identity theft known as spear-phishing has been making headlines. While the method isn’t new, thieves are using it more and more to break into networks and steal data.
Spear-phishing is a highly targeted, fraudulent attempt to gain unauthorized access to a network and the sensitive information it holds. The purpose of a spear-phishing attack is typically to obtain military or industry secrets, or financial gain.
In some cases it is used to wreak havoc simply by gaining access to network controls. Taking its name from literal spear fishing, the direct attack on a single fish, this type of network attack goes after individual users in order to move up the chain of command.
The purpose of a spear-phishing attack, therefore, is to gain entrance to a specific organization that the criminal has a motive to penetrate.
Recently, spear-phishing made headlines when the Syrian Electronic Army (SEA) used the method to break into the “New York Times” website. As former Entrust CEO Bill Conner outlined in a USA Today interview, the SEA relied on spear-phishing to break in and shut the network down for a considerable length of time. As Conner explained, the attack was made possible by assuming the identity of an administrator at an Indian ISP, a company at the tail end of a chain that managed Internet traffic control for the “New York Times.”
In the Times’ case, once the identity was taken from a company only distantly connected through a service it provided, that foothold was used to move up the chain and gain entrance to the “New York Times” website. In other words, the spear-phishing attack emanated not from the Times itself, but from a registrar, Melbourne IT.
“It’s very possible that user name and password goes all the way up through the registrar, and that’s what people are sorting through right now,” Conner told USA Today.
A typical spear-phishing attack starts when someone impersonates a trustworthy source, such as a high-ranking employee of a bank. An email is then sent asking the recipient to click a link to a fake website, or to submit personal information — hence the name “phishing.”
Once the recipient clicks the malicious link, malware can be downloaded onto the computer, and it will often evade any sort of detection. Malware, however, is not always necessary. Often the link instead leads to a separate login page where credentials are captured without the knowledge of the person entering them, with no malware involved at all.
These credentials can then be used to whatever ends the attackers desire. Once an identity is acquired, a thief will typically use it to seed the victim’s network with as many false links as possible, in the hope of reaching a target identity at a particular level.
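The two tells in the chain just described, a sender posing as a trusted insider and a link whose visible address differs from where it really goes, can be checked mechanically at the mail gateway or in a triage script. The following Python is an added example, not code from the original article or from Entrust; the sample message, the domains in it and the `TRUSTED_DOMAIN` value are constructed assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real capture): an executive is impersonated and a
# credential-harvesting link hides behind a legitimate-looking displayed URL.
SAMPLE_EMAIL = """\
From: "Jane Doe, CFO" <jane.doe@examplebank-secure.net>
Subject: Urgent: verify your payroll login
Content-Type: text/html

<p>Confirm your credentials at
<a href="http://login-examplebank.evil.test/portal">https://portal.examplebank.com</a></p>
"""
TRUSTED_DOMAIN = "examplebank.com"  # assumption: the organisation's real mail domain


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Hostname of a full URL or a bare hostname (urlparse lower-cases it)."""
    return urlparse(value if "://" in value else "http://" + value).hostname or ""


def phishing_indicators(raw, trusted_domain=TRUSTED_DOMAIN):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0].domain.lower()  # assumes a From: header is present
    if sender != trusted_domain and not sender.endswith("." + trusted_domain):
        findings.append(f"sender domain {sender!r} is not {trusted_domain!r}")
    links = _LinkCollector()
    links.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in links.links:
        # Compare only when the visible text itself looks like a URL or hostname
        if "." in text and " " not in text and _host(text) != _host(href):
            findings.append(f"link text shows {_host(text)!r} but points to {_host(href)!r}")
    return findings
```

Run on the constructed message it reports both indicators; a message from the real domain whose links go where they say they do yields an empty list.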
As of right now, one of the only ways to stop these attacks is education: teaching people not to click on links from unknown sources. As more people become aware of phishing techniques, these strategies will be recognized more readily when they surface.
Unfortunately, though, education only goes so far. A practical solution to this problem should involve a layered, identity-based approach to network security. If individual identities are secured, an attacker may still be able to get into the network but will have a very difficult time gaining access to useful information.