Advanced persistent threats may use different types of malware, but they do have one thing usually in common—spear-phishing.
According to a new paper from Trend Micro entitled "Spear-Phishing Email: Most Favored APT Attack Bait," 91 percent of the targeted attacks it collected data on between February and September 2012 involved spear-phishing tactics that dupe a victim to open a malicious file or Website.
In a typical spear-phishing attack, an email is sent to specific individuals at an organization being targeted. The email will use social engineering focused on those particular individuals receiving the email as part of a ruse to get them to open a malicious file or visit a malicious site. For example, an email to a chief financial officer may include malware disguised as a financial report as opposed to something they would be less likely to click on or open.
"APT [advanced persistent threat] campaigns frequently make use of spear-phishing tactics because these are essential to get high-ranking targets to open phishing emails," according to Trend Micro's report. "These targets may either be sufficiently aware of security best practices to avoid ordinary phishing emails or may not have the time to read generic-sounding messages. Spear-phishing significantly raises the chances that targets will read a message that will allow attackers to compromise their networks."
The most commonly used and shared file types were: .RTF (38 percent), .XLS (15 percent) and .ZIP (13 percent). Executable files (.exe) were not as popular, most likely because emails with those files were detected and blocked by security tools, the report speculated.
Crafting the right lure for a spear-phishing attack starts with research, and attackers do not have to look far to find the information they need.
“The methods criminals use to gather information for spear-phishing emails are surprisingly simple," said Scott Greaux, who is vice president of product management and services at PhishMe, which specializes in training organizations to deal with phishing attacks. "The amount of free information available to the public over the Internet is staggering and a few simple searches through Google, Facebook, LinkedIn, etc., can reveal enough information to craft a well-disguised spear-phishing email."
For example, a company’s LinkedIn page will provide the names of employees, and one of those individual's publicly-available LinkedIn page may reveal his or her corporate email address. The person's Facebook profile may include details about their personal life. From there, it isn't difficult for a criminal to create a personalized spear-phishing attack with enough information to appear genuine, Greaux said.
“For executives looking to implement spear-phishing awareness-training programs, immersing your employees in the experience of being spear-phished by sending out mock spear-phishing emails is the most effective measure," he said. "Simulated phishing emails that reuse content from real phishes provide a memorable and highly relevant experience to your employees and train them to properly react when a spear-phish arrives in their inbox."
According to Jon Clay, security technology expert at Trend Micro, organizations should do reviews of social media policies with employees to ensure they are not publishing sensitive data. Companies should also review their messaging attachment policies to identify ways to mitigate spear-phishing emails using attachments and examine out-of-office message policies to make sure criminals cannot use them to verify information about the organization.
Overall, fighting phishing, he said, takes vigilance.
"Education and heightened awareness among employees is needed now more than ever," Clay said.