Lateral Spear Phishing
Phishing emails have traditionally depended on sending a massive volume of messages in the knowledge that if you throw enough mud at a wall some of it will stick. If the message relates to the delivery of a parcel from a well-known carrier, sending the spoof delivery information to a large enough pool of recipients should hit the small percentage who are expecting a delivery from that carrier. Of those, some may click on the false link and unleash the payload of the malicious email; job done.
The success rate for the effort expended is very low, but most of that effort is done by computers, allowing huge numbers of accounts to be targeted. Emails and account details will be harvested, but the ‘quality’ of that data to the ambitious criminal is low.
Spear phishing comprises targeted attacks that can compromise high-value accounts and lead to attractive financial rewards for the criminal. They still depend on some degree of cooperation from the recipient, who must fall for the attack and unleash the payload. The chance of success is greatly improved through a lateral attack. First, accounts within an organisation are compromised; these are then used to send emails to colleagues within that organisation, or to others that they routinely deal with. As the criminal now has access to the address book and recent emails of the compromised account, suitable ‘marks’ can be easily identified. The new target will probably recognise the sender, and if the content of the message also bears some relation to their daily business they will be far more likely to interact with it than with some random message.
Business email account names are relatively easy to acquire, either by scraping websites, buying lists from unscrupulous data providers or as a result of data breaches. Whether an email address has been exposed in a breach can be checked online.
Although a breach may date back several years, it is unlikely that a business email address will have been changed. Passwords are more likely to have been altered, but if a user always uses a similar format of password an attacker can use a dictionary attack based on the likely new combinations to reveal the current password.
A two-factor authentication system that requires telephone authorisation when an existing email account is set up on a new computer will help prevent criminal use of an account, but will not guarantee security. The related phone details might also be compromised, or the attacker may have gained remote access to a ‘trusted’ work machine and used the email client already installed on it.
With control of a ‘trusted’ account the criminal can use software to send automated spear phishing attacks or craft emails by hand, removing all traces from the sent and deleted items folders. This is a lot more work for the criminal, as everything depends on the recipient falling for the attack. On the upside, a personalised message relating to work and sent during working hours is far more likely to be acted upon.
From a security viewpoint the damage has already been done before the lateral spear phishing attacks are launched: the account of the alleged sender has been compromised. If the phishing message is crafted well enough the new target may unleash the payload without any knowledge of having done harm, leaving the organisation open to further attacks. The aim of the criminal is to increase the severity of the breach, working up from email access to file and system accounts and the information held within them. Alternatively, it could be a means to launch a ransomware attack in the hope of rich financial rewards. The new target may be asked to open a document from the trusted sender or be directed to a ‘secure’ file sharing site with alleged company files. Any account names and passwords used to access these documents will be harvested by the original attacker.
The criminal relies upon the existing password and security procedures of an organisation to gain access to those keys. No matter how secure a system is, there will need to be some way to allow access to it. Many systems depend on shared access, where a single account will gain entry to multiple systems. The level of security granted will vary, and the criminal is aiming to worm through the organisation hoping to hit an ‘admin’ combination. While a different account for every system might be desirable, it is almost unworkable in a corporate environment. If some sort of password vault is used to manage multiple unique passwords, access to that vault gives the criminal the keys to the castle.
A data classification system can reduce the chance of documents with malicious payloads being acted upon. This can be a software implementation or a simple set of working practices. Documents are classified according to their security risk and only divulged to those who need access. Such a system reduces the number of occasions on which users open shared data, and hence the opportunities for criminals to spoof the process. For short and low-risk documents it is better to embed the text within the email rather than add an attachment: there is no danger from attached malware, and the recipient is not going to ignore the message because it appears to be harmful.
The best defence against spear phishing is the same as for all security issues: vigilance. Ideally, lateral spear phishing attacks need to be stopped before an initial account is compromised, but all users need to be aware that they might be subsequent targets. Look at the language and content of the message. Does it make sense? Does it relate to the company’s business model? Witty or clever emails should never be circulated in company email accounts, no matter how harmless or attractive they might seem. Always check the email and web addresses included in an email by hovering the mouse over them to see the real, rather than the apparent, address. Even if these look genuine they might be compromised, and should not be seen as proof that they can be trusted.