An old adage holds that "cheaters will always be one step ahead of the law." In areas such as cyber security, this means by the time security or IT professionals find a solution to one virus or hacking strategy, hackers have developed their next plan and may have already put it into action.
This explains the birth of "spear phishing," an information-gathering strategy used by hackers. This technique, masquerading as a trustworthy entity to obtain valuable information such as passwords, credit card numbers or other sensitive data, relies on "quantity over quality": sending enough emails that a suitable number of responses are generated.
"Every time we improve our response, they [hackers] change tactics," said Karen McDowell, PhD, information security analyst at the University of Virginia.
Business owners should be aware of this strategy and know how to prevent it.
The first spear phishing attempts were successful, Dr. McDowell said. "Nobody saw it coming. Even now, they're very tricky."
Spear phishing messages address recipients by their first name and appear to come from a trustworthy source, such as your human resources or IT department. "Spear phishers do their homework, and there is a lot of information about us on the Internet," Dr. McDowell said.
The rise of social media allows hackers to learn more about people than ever before. Spear phishers study public Web pages, research key names, and gather enough information to craft an email that mentions specific issues.
Typically, spear phishers target only two to three employees in a company, minimizing the likelihood that they will communicate with one another about it. They often send messages early Monday morning or late in the day on Friday - times when the average person's mind might not be fully focused on work.
Spear phishing is more subtle than its predecessor - phishing. "Phishing was more direct: 'Click now or your account will be disabled,'" Dr. McDowell said. "With spear phishing it will come from a name you might recognize and request a simple action that makes sense in the given context."
When recipients click on a spear phishing message, malware may be loaded onto their computer. A keylogger, for example, records every keystroke without the user's knowledge. This yields enough information to allow the spear phisher to establish a beachhead in the company. Once spear phishers establish this position, they can stage a broader attack on company information.
"The original message won't wipe out a company. It will just give the spear phisher room to operate within the company," said Dr. McDowell.
A simpler means of spear phishing is to disguise the email message as coming from a trusted company IT professional. The message may ask for a person's username and password on the pretext that the IT department is updating its records. Login and password information should never be given out.
Last year, an employee at a company called RSA pulled an email message from his junk mail folder titled "2011 Recruitment Plan." The company was in the midst of routine personnel changes, making the email seem pertinent. As soon as the employee opened the email, hackers were able to compromise the most sophisticated security algorithm known in the United States. It was used by officials to log in remotely to very sensitive files, even at the Pentagon.
"RSA developed fobs or USB sticks with security software in them," explained Dr. McDowell. "When the user utilized these USB sticks, the security system generated a one-time password to allow the user to log into a highly secure site."
With one click or an email, the entire system was compromised.
These attacks pose a particular risk for small businesses, she cautioned. "They cannot recover their losses from a bank the way that an individual can."
Small business owners may believe that hackers are not interested in their operation. But hackers know that small businesses are more vulnerable so they go out of their way to target them.
"They usually can't afford the IT protection of a large corporation," Dr. McDowell pointed out.
The Zeus Banking Trojan, which has morphed into Zeus-SpyEye, particularly targets small businesses. This malware, created by a Ukrainian hacker, gets into a system via spear phishing email. "Zeus hackers target any small- to medium-sized business," she said. "They have been particularly active along the East Coast, but they strike anywhere and everywhere."
Once activated, the malware captures any banking transfer that a user within the system performs. Small businesses, including the Archdiocese of St. Louis, have been victimized by this particular method. Recently, the malware has been dropping onto smartphones, so Dr. McDowell recommends refusing any downloads when using your phone. "Follow up with your bank and ask whether they actually sent the download," she recommended.
The best steps a small business owner can take are training and education. "Spear phishing can be very subtle, and IT technicians are not always well versed in it," Dr. McDowell said.
Dr. McDowell advises owners on how to keep malware out of their systems. "It's difficult to get attention because people find the idea of spear phishing or banking trojans incredible, or they think it won't happen to them," she said. "We really want to get the word out about these problems."
Administrators can also restrict the rights or privileges of employees on company-owned computers. Under this strategy, the principle of least privilege, an employee's account is not allowed to execute certain commands. Because employees log in under credentials that lack administrative access, malware that arrives through their accounts cannot gain that access to the network either.
"People will generally balk at the idea of a restricted access account on their computer, but it is an effective means of security," said Dr. McDowell.
Another option is whitelisting, which allows only certain operations to run on a given computer.
Rob Senior is on staff at ADVANCE. He can be reached at RSenior@advanceweb.com.