The rise of social media has paralleled the emergence of phishing as a serious security threat to the enterprise. The two trends are also connected. We are all working in an era of unprecedented online sharing, social connectivity and collaboration. It’s thrilling, fun and dangerous.
Spear phishing, in particular, benefits from the new socially networked world. The attacks target employees in order to steal log in credentials and gain access to internal systems and data. However, unlike the generic, “Dear Sirs and Madams. I am a pour Nigerian Prince” type of phishing emails, spear phishing involves precise targeting and the use of real identities.
For instance, if Bob knows Joe, the spear phisher might pose as Joe to get Bob to tell him the password to the personnel database or click on a malware link.
Using Social Media to Establish a Fraudulent Connection
Here are some of the ways that “fake Joe” can learn enough about both the real Joe and Bob on social media to send him a convincing spear phishing message:
- Bulk harvesting – Hackers can “scrape” social networks and learn who knows whom. By creating a database of social connections, a spear phisher can learn which of Bob’s friends would be best to impersonate.
- API breach – The application programming interfaces (APIs) that connect back end systems to mobile devices and websites can be a weak link in the security perimeter. For example, vulnerabilities have been discovered in the Facebook API, potentially enabling hackers to access vast numbers of “social graphs” of Facebook members.
- Impersonation through account hijacking – In some cases, the hacker posing as Joe will take over Joe’s actual social network account. This is known as “account hijacking.” With this approach, the hacker is nearly indistinguishable from Joe. He’s logging into Joe’s account and using it in place of Joe.
The Delayed Message Technique
Sometimes, the spear phishing attack does not happen right away. Unlike a mass phishing attack that depends on getting people to click on malware links within a few hours of launch, spear phishing attackers may exchange several “clean” emails with the victim before striking… possibly by causally asking for login credentials or other sensitive data.
Consequences of Social Media-based Spear Phishing
When a phishing attack succeeds against one of your employees, your organization could suffer from having your entire network compromised or from a theft of data and intellectual property. The business impacts include loss of valuation and direct financial losses related to theft, settlement of legal liability and regulatory penalties.
Your brand can also suffer, especially when the phishing attacker is savvy in social media and feeling malicious. Social media can virally amplify the kind of reputation damage inflicted by phishing. Consider the following hypothetical, but entirely possible example:
A health insurance executive is successfully phished and both their corporate access and their personal social media credentials are compromised. The phisher accesses the insurance company’s records and learns that a famous celebrity has a deadly disease. Then, by hijacking the executive’s social media account, the attacker makes it look as if the executive themselves are leaking the secret about the sick celebrity.
Social, legal, and financial pandemonium ensues with millions of people actively discussing how the company appears to be careless with confidential information and that its own people are breaking the rules! An incident of this type could result in irreversible brand damage and substantial costs even if the real culprit was eventually unmasked.
Defending Against the Spear Phishing Threat
Email is the preferred primary vector of attack even when the spear phishing is abetted by social media. The problem is that most standard anti-spam email filtering software won’t catch a spear phishing email that comes from an online “friend.” Vade anti-phishing solution offers a defense. It is a unique countermeasure that can be layered on top of existing anti-spam solutions to provide better overall email protection.
Vade uses Heuristic Email Filtering, artificial intelligence that’s been taught to spot phishing threats by monitoring hundreds of millions of email boxes for 10 years. Proprietary processes spot one-off spear phishing attacks by matching the style and technical indicators of the claimed sender of any given email with known information about the actual sender. The software also looks at each URL included in an email, safely exploring it in a remote sandboxed environment to see if it contains any malware, honeypots or malicious code. This happens the instant an employee clicks on the link. It avoids the problem of phishers sending clean links that they later point to malicious URLs.
Give us a call at 415-745-3630 or contact us, if you want to discuss how you can quickly add anti-phishing measures to your current email setup.
