Spear Phishing Increasingly Hard to Detect

“Spear Phishing”  is a scam that is targeting small and medium sized businesses with highly personalized messsages. Attackers garner information on accountants and executives from public sources to determine corporate structure and then write personalized emails that look like they are from a trusted source. They research potential targets and connections using information gleaned from publicly available websites, such as:

  • The company website in the “About Us,” “Our History,” and “Meet the Team” sections
  • LinkedIn
  • Facebook
  • Twitter
  • Instagram

Spear Phishing is a targeted version of phishing emails that trick the recipient into divulging personal or confidential information.

They accomplish this by “Domain Spoofing.” Domain spoofing started in 1982 with Simple Mail Transfer Protocol (SMTP) and was last updated in 2008.  Simply stated, spoofing makes an email appear to come from a valid and trusted source when it is not. A significant weakness in the SMTP protocol is the lack of authentication in email headers.  After doing their research on a company, attackers will create a fake email address that is similar to the company they are targeting.  This email address typically looks like one of the following:

ALastname@company.com

Firstname.Lastname@company.com

Firstname@company.com

When the target receives an email, there are two notable fields that can be spoofed (faked): MAIL FROM and RCPT TO.  These fields can be manipulated to fool the recipient into believing the email comes from a trusted associate.  The target will get a new email in their inbox that looks to be from someone trustworthy, with a recognizable email address.  Typically, this email is alarmist, offers excuses for replying only by email and not by phone or in person, and is purposefully vague.  The attacker wants the target to establish contact through a response email.

Here is one example where Jane is the CFO and John is the CEO of the company:

 

Hi Jane,

How are you doing today?, I have a financial task that I need you to process this morning. Kindly let me know when you’ll be available to do this. And what details are required?.

I await your quick response,

Thank you,

John

 

Indicators that the email is a spear phishing attack:

  • Unusual formality
  • Local vernacular is suspect
  • Use of poor, inaccurate grammar or punctuation

Look for these indicators and pay close attention to the domain the email was sent from.  Two methods that are used to combat phishing attacks from domain spoofing are Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM). Many email providers already support these methods for stepping up the security of your email, they just need to be configured by an experienced I.T. professional.

Also, with tax season upon us, attackers are increasing their efforts to gain financial information from more businesses.  People can be easily confused during tax time, as they are especially concerned with the financials of the business.  If you aren’t sure if you have received a spear phishing email or not, go talk to the person that the email claims to be from, and ask them if they need the information requested.  Chances are, it is a fake email.

If your gut tells you it is suspicious, it probably is – don’t reply and don’t click the link!