The Cybersecurity and Infrastructure Security Agency recently issued an alert regarding the potential for a cyber response from Iran after U.S. military strikes. The alert acts as a primer for protecting critical infrastructure, complete with recommended actions — mainly heightened awareness, vigilance and processes — as well as proactive technical recommendations to reduce vulnerability and mitigate cyberattacks.
The alert goes on to list patterns of publicly known Iranian advanced persistent threat techniques. Two of the techniques mentioned involve spear phishing, where attempts are made by email, short-message service (texting) or other messaging platforms to steal passwords or credentials for specific, targeted users. Usually, these are going to be users that have privileged access to sensitive data or critical systems.
So how do these cyberattackers know who to target and how to do so in the most successful way? Often, the answer lies in using publicly available information on social media against their victims. Here’s how.
Phishing Vs. Spear Phishing
Most people by now are aware of phishing, in which an email is typically sent to thousands of people in an attempt to get the recipients to click on a link that looks legitimate.
With spear phishing, the attack is more targeted with the intent of getting passwords or credentials from someone who has something the attacker specifically wants. For consumers, this might be targeting a wealthy person who they know has accounts at a specific investment firm, for example. In the business-to-business space, this often means targeting the CEO or users on IT teams who have privileged access.
In many cyberattacks, the initial breach is actually accomplished easily. An estimated 80% of data breaches exploit compromised credentials, according to Verizon. Cyberattackers no longer “hack” in; they simply log in.
However, if a privileged user has good password hygiene and can recognize basic phishing attempts, then a spear phishing attack might be launched against them instead. But how do the attackers know who to target, how to get their attention and how to get them to fall for the scheme?
Social Engineering In Three Easy Steps
A spear phishing campaign usually starts with basic research using social media to find out who is most likely to have the “keys to the kingdom” at an organization. By going to the company’s LinkedIn profile, one can easily see who works there, their job titles, how long they’ve worked there, etc. A more sophisticated hacker might also go on the dark web to buy lists of user credentials, often for a reasonable price if there’s a potentially lucrative ultimate result.
That’s how a target is identified: find someone with a job title like “Database Administrator,” “Information Security and Compliance Manager” or “System Administrator.” These people are the most likely to have privileged access to some or all of the sensitive infrastructure and data that can be exploited.
Next, the attacker will use information that’s frequently available on social media to learn about the target — everything from family and kids, hometown, education, what kind of car they drive, interests outside of work, etc. This is how the attacker is able to establish trust, often in the form of an urgent email from the CEO where the knowledge of something personal can be used to put the recipient at ease. It can be as simple as something like: “Hey, Mark! Wow, great win by the Chiefs last night! You must be really excited.”
Then, it’s time to make the ask. Typically a recipient will be asked to click on a link or open an attachment. Using the example above, after the personal reference has established trust, the attacker will move on to the urgent request: “I need your help. I can’t log into this part of our webpage, and I need it now. Can you try logging in and seeing if it works?” Or “I need to access this file ASAP, but I’m locked out. Are you able to open it?” It may sound silly, but this is successful more times than you’d think.
Five Ways To Avoid Being A Victim
Nobody wants to be the person who lets the bad guys into their organization. So what can you do? Here are five easy things that could help you avoid becoming the next spear phishing victim.
• Practice Good Password Hygiene: Weak passwords are always the easiest way in. Make them stronger, and don’t reuse passwords on multiple accounts. You can even use a password manager to create, store and manage complex passwords — then you don’t even have to remember your passwords at all.
• Be Alert: Don’t just click on something because you’re asked. Make sure the sender’s email is legitimate. Hover over links, and confirm they link to recognized and relevant URLs.
• Get Cybersecurity Training: Your company should offer you periodic cybersecurity training. If it doesn’t, ask if there are trainings available to attend. If not, LinkedIn Learning has some great tutorials.
• Trust No One: If something doesn’t smell right, don’t trust it. Even if the email you received has a personal touch to it, does it come with an abnormal request? Would your CEO really ask you for your password? Pick up the phone and call to verify the request. No CEO is going to yell at you for that.
• Use MFA Everywhere Possible: Many companies now use multifactor authentication to verify users beyond just usernames and passwords. This is typically a one-time code by text, a push notification to a smartphone, or a biometric fingerprint scan on your computer. A lot of consumer sites are offering MFA now, too, including most Google-owned accounts. It only takes five seconds and is very hard for bad actors to bypass.
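The “Be Alert” and “Trust No One” advice above can be partly automated on the receiving side. The following is an added example, not code from the original article or from CISA: it takes a raw email, checks whether the Reply-To domain differs from the From domain, and walks every HTML link to see whether the text the reader sees is a URL whose host differs from the host the link actually points to (the thing you would otherwise discover only by hovering). It uses only the Python standard library, and the sample message is constructed for illustration; the domains in it are made up.

```python
"""Flag mismatched sender headers and look-alike links in an e-mail (added example)."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:       # inside an <a>: accumulate visible text
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased host of a URL or bare domain string; '' if there is none."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value        # let urlparse see a bare 'www.x.com/path'
    return (urlparse(value).hostname or "").lower()


def looks_like_url(text):
    """True if the visible link text is itself something the reader would take for a URL."""
    t = text.lower()
    return t.startswith(("http://", "https://", "www.")) or ("." in t and "/" in t and " " not in t)


def check_links(html):
    """Return one finding per link whose visible URL text points at a different host."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if looks_like_url(text) and _host(text) != _host(href):
            findings.append(
                f"visible link '{text}' actually points to host '{_host(href)}'"
            )
    return findings


def check_headers(msg):
    """Flag a Reply-To address whose domain differs from the From domain."""
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        return [f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'"]
    return []


def analyze(raw_email):
    """Parse a raw RFC 5322 message and return all header and link findings."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = check_headers(msg)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(body.get_content())
    return findings


# Constructed sample: the "urgent favour from the CEO" pattern the article describes.
SAMPLE_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: <jane.doe@examp1e-mail.net>
To: mark@example.com
Subject: Quick favour
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hey, Mark! Great win last night. I am locked out of the portal, can you try?</p>
<a href="http://portal.example.com.login-verify.net/">https://portal.example.com/</a><br>
<a href="https://www.example.com/help">www.example.com/help</a><br>
<a href="https://docs.example.com/x">Open the file</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against the sample, the script flags two things: the Reply-To domain that does not match the From domain, and the first link, whose visible text reads as the company portal while the href leads to a host under a different registered domain. The second link is left alone because the visible text and the href agree, and the third is skipped because “Open the file” is not a URL (a check like this cannot judge plain-text link labels; that is still the reader’s job).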
2020 kicks off an exciting new decade sure to be filled with life-changing innovations, but it will undoubtedly bring new threats and risks as well. Imminent retaliatory attacks from a familiar foe now press the issue. Don’t let a social engineering spear phishing attempt put you or your company at risk.