Essay on Defense against Spear Phishing Attacks
Abstract: There has been a swift and dramatic shift from scattershot, broad attacks on computer systems and their data to advanced targeted attacks with dire consequences for victim individuals and organizations. Some of the most famous advanced attacks, for instance Operation Aurora and the attacks on RSA, have been credited to spear phishing. The rampant use of phishing is attributed to its success rate, since conventional defenses are not capable of stopping such attacks. This paper provides a detailed analysis of the use of spear phishing in advanced targeted attacks. With an in-depth literature review giving an overview of spear phishing, its features and notable attacks, this paper explains how and why people fall for spear phishing attacks and also looks at the key capabilities that individuals and organizations need in order to effectively combat the security threat posed by spear phishing.
Keywords: phishing, spear phishing, attacks, emails, individuals, organizations
Phishing refers to a social engineering attack whereby criminals use spoofed emails to trick people into installing malware on their computers or sharing sensitive information. These attacks create virtual doors or windows of opportunity for further infiltration into the networks of individuals and organizations. It is imperative to note that phishing involves both technical trickery and social engineering to deceive victims into opening email attachments, clicking on embedded links and, in the process, revealing their sensitive information.
Spear phishing refers to a more targeted version of phishing that combines tactics such as email personalization, victim segmentation and sender impersonation, among other techniques, so as to bypass email filters and deceive victims into opening an attachment or clicking a link in the email. While a phishing attack may blanket a whole system or database of email addresses, spear phishing is known for targeting specific people within an organization or a specific organization. Spear phishing records high success rates because, by mining social networks and using impersonation and personalization, spear phishing emails are often extremely compelling and accurate. Victims give attackers a foothold in their networks when they open the attached files or click on a link in the email, which enables spear phishers to continue with their sophisticated attacks.
It is vital that spear phishing attacks are viewed in the context of advanced targeted attacks, also known as advanced persistent threat (APT) attacks. This is because cybercriminals carry out APT attacks through sustained multi-vector or multi-stage attacks, as well as advanced malware, to attain specific objectives such as acquiring long-term access to people’s or organizations’ sensitive networks. In this regard, the aim of this research paper was to analyze the various ways in which cybercriminals use spear phishing to conduct specific, advanced attacks on individuals and organizations, and its impact on the privacy of victims’ sensitive information. This research also explored specific solutions that are suited to combating the security threat posed by spear phishing. A good example of a suitable solution is preventing spear phishing attacks from reaching end users by blocking fake sites, filtering phishing emails and destroying fake sites. Coupled with better interfaces, this solution protects end users from exposure to spear phishing emails and the resulting theft of their sensitive information.
- Literature Review
The increase in advanced targeted attacks cannot be labeled an anomaly. These attacks represent a vivid shift in the approach of cybercriminals toward targeting specific individuals and organizations. Evidently, cybercriminals are shifting from massive phishing campaigns to spear phishing on a more contained and more targeted scale, since this approach has proven effective as a security threat. A study by Kaplan indicated that between 2010 and 2011, the annual returns from mass email-based attacks declined from $1.1 billion to $500 million, while spam volume decreased from 300 billion messages a day to 40 billion in the same period. The study further showed a threefold increase in spear phishing attacks between 2010 and 2011, with spear phishing emails registering an open rate of seventy percent compared to the open rate of just three percent for mass spam emails.
Spear phishing attacks normally take the form of three phases: prospective victims receiving a phish; victims opening emails or attached files, or clicking on an embedded site or link, which results in the installation of malware or the exposure of sensitive information; and criminals using the resulting loopholes to obtain and monetize the stolen sensitive information. The success of the first phase of spear phishing is contingent on its ability to entice potential victims to fall for the trick. As such, most phishing emails use social methods rather than technical tricks, such as framing the fake email as urgent so as to misdirect the attention of people and organizations. A good example is an email posing as a system administrator, warning individuals of novel and imminent attacks and exhorting them to install the attachment, which is in fact malware. Other examples include filling out a survey form for a company in exchange for money, notifying people of failed logins to their accounts and their urgent need to verify their accounts to prevent unauthorized access, as well as relief agencies requesting help with a recent natural disaster. Spear phishing attacks use specific knowledge about people and organizations; for instance, an attack on a soldier may consist of an invitation to a captain’s retirement party that requires the military personnel to confirm their attendance by clicking on the link provided. Personal approaches of this kind, such as fake emails from existing contacts, are what Jagatic et al. describe as the source of spear phishing’s effectiveness in enticing people or misdirecting their attention so that they fall for the trick. A good example is the fake subpoena sent to several CEOs in 2008 that resulted in the installation of malware, as Markoff reports.
For the second phase of spear phishing to succeed, potential victims must open emails or attached files, or click on an embedded site or link. It is through these fake sites, hosted by registering a new domain, on a compromised machine or on free web space, that cybercriminals collect personal information, as Moore and Clayton state. To eliminate doubt from the victims’ minds when they click through to the fake sites, cybercriminals employ techniques such as using names similar to the sites they are impersonating, for example ebay-login.com or bankofaamerica.com, or putting the impersonated domain name at the front of the fake site’s hostname, for instance skrill.com.spearphishsite.com. By visiting these fake sites, victims have malware installed on their machines, and cybercriminals find a way of obtaining personal and sensitive information. Countermeasures such as takedowns and blacklisting of fake sites have only led cybercriminals to adopt other techniques, such as large pools of domain names and proxies, to disguise the true location of a spear phish.
Once cybercriminals have obtained the sensitive and personal information of individuals and organizations through opened emails, attached files or clicked links, the stolen information is monetized. This is the last phase of spear phishing, and while there are different ways of monetizing stolen information, Herley and Florencio are of the opinion that criminals sell stolen credentials or information on open IRC channels. It is important to note that such a transaction is illicit, and many individuals or cybercriminals have been indicted for trading stolen information obtained through spear phishing, as Krastev indicates. Famous cases include Operation Aurora in 2009, which used malware and spear phishing to target specific organizations, and the 2011 attacks on RSA, the security division of EMC Corp. However, there are certain solutions that can be employed to combat the security threat posed by spear phishing.
- Proposed Solution
The research methodology involved collecting data from surveys and interviews with individuals and organizations regarding the most suitable and viable defense mechanisms against spear phishing. The most critical line of defense against spear phishing attacks is making the attacks invisible to end users by blocking fake sites, filtering phishing emails and destroying fake sites. Individuals and organizations can detect phishing sites through manually verified blacklists and by using heuristics that analyze HTML, URL and server features to classify websites. Once they have identified these phishing sites, they can block the sites from being displayed on their machines or from accessing their personal information. There are also numerous anti-phishing blacklists operated by Google, Microsoft and PhishTank.com, as well as commercial browser add-ons for blocking phishing sites.
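As an added example (not code from the paper or any product), the following Python script shows what a simple URL-feature heuristic of the kind mentioned here looks like when pointed at the lookalike tricks described in the literature review: a brand embedded in an unrelated domain (ebay-login.com), a one-character misspelling (bankofaamerica.com) and a genuine domain placed in front of the attacker's hostname (skrill.com.spearphishsite.com). The brand allow-list, the sample URLs and the two-label notion of "registered domain" are assumptions made for the example.

```python
"""Heuristic URL check for the lookalike tricks described above.
Example code added for illustration, not the paper's or any product's code.
The brand allow-list and sample URLs are constructed; registered_domain()
takes the last two labels, which is wrong for suffixes such as .co.uk
(a public-suffix list would be used in practice)."""
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> the brand's genuine registered domain.
KNOWN_BRANDS = {
    "ebay": "ebay.com",
    "bankofamerica": "bankofamerica.com",
    "skrill": "skrill.com",
}

def registered_domain(host: str) -> str:
    """'skrill.com.spearphishsite.com' -> 'spearphishsite.com'."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit catches 'bankofaamerica' vs 'bankofamerica'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str) -> list[str]:
    """Return the heuristics that fired; an empty list means nothing suspicious was found."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registered_domain(host)
    if reg in KNOWN_BRANDS.values():
        return []                        # the genuine site itself
    sld = reg.split(".")[0]              # second-level label, e.g. 'ebay-login'
    reasons = []
    for brand, legit in KNOWN_BRANDS.items():
        if host.startswith(legit + "."):
            reasons.append(f"genuine domain {legit} placed in front of {reg}")
        elif brand in host:
            reasons.append(f"brand '{brand}' embedded in unrelated domain {reg}")
        elif edit_distance(sld, brand) <= 1:
            reasons.append(f"'{sld}' is one edit away from brand '{brand}'")
    return reasons

if __name__ == "__main__":
    for u in ("https://www.ebay.com/signin", "http://ebay-login.com/signin",
              "http://bankofaamerica.com/", "http://skrill.com.spearphishsite.com/login"):
        print(u, "->", classify_url(u) or "no heuristic fired")
```

Substring matching like this produces false positives (any hostname containing "ebay"), which is why such heuristics are combined with blacklists and server-side features rather than used alone.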
When it comes to filtering phishing emails, Fette et al. came up with an email phishing filter that identifies key features indicative of spear phishing, such as URLs that use distinct domain names. Alternatively, authentication and verification technologies such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) filter and reject forged sender addresses, verifying the DNS domain of the email’s sender and the message’s integrity respectively. Another effective technique for keeping spear phishing attacks invisible is destroying phishing sites. There are companies that identify and destroy phishing sites, and private mailing lists that share information about fake sites. The evidence that a phishing site has been destroyed is usually a “page not found” message displayed by the browser. Invisibility of spear phishing attacks is best achieved when there are better interfaces and individuals and organizations are trained.
Training is a critical part of computer security, even though it is arguably the least employed approach because it is not an assurance of complete protection and there are inherent challenges in encouraging people to secure their machines. Numerous websites offer valuable information on how to identify phishing sites that can help users recognize fake websites, but people rarely take the time to read this information. An effective way of training people and organizations on security is through micro games. These games teach users about domain names, address bars and phishing pages, followed by a test to certify their grasp of the material.
Micro games and information in manuals and on websites teach people about phishing in general. Embedded training, however, teaches people about spear phishing by addressing the specific contexts in which individuals and organizations would normally be attacked. A good example involves sending a simulated spear phishing email to people. If an individual falls for one, they receive an intervention that teaches them about spear phishing and how to protect themselves from such attacks.
Interfaces involve support for properly identifying sites, warnings and authentication processes that are at the disposal of people and organizations to combat spear phishing. Often, people close security warnings as soon as they appear because they are unable to understand the problem being described or because the warnings interrupt the task they are trying to accomplish. In other situations, the warnings are so meager or subtle that users do not see or notice them. Having active indicators instead of passive ones is vital, as active indicators ensure that users notice the warnings by interrupting their work, whereas passive indicators do not. This is an example of a better interface for combating spear phishing.
Web browsers also play a key role in combating the security threat posed by spear phishing with regard to the interfaces they have for identifying such a threat. While individuals or organizations using certain browsers may fail to get a warning before falling for a phishing attack, those using other browsers get these warnings in time before they can fall for a phishing trick. Thus, it is imperative that people and organizations utilize browsers with sufficient warning interfaces for detecting phishing sites.
An alternative to warning indicators for the detection or identification of phishing sites is the authentication process for signing in to sites. Two-factor authentication strengthens authentication because it requires two distinct ways of proving an individual’s identity. A good example of a two-factor authentication process is a number that changes periodically and is synchronized with the remote server. In order to log in, users must supply both their password and this number. This kind of authentication is essential to thwarting the security threat that spear phishing poses to people and organizations.
- Conclusion
Throughout this research paper, the creativity of today’s cybercriminals has been emphasized, especially with regard to spear phishing. Spear phishing refers to a more targeted version of phishing that combines tactics such as email personalization, victim segmentation and sender impersonation, among other techniques, so as to bypass email filters and deceive victims into opening an attachment or clicking a link in the email. The three vital phases of spear phishing are prospective victims receiving a phish; victims opening emails or attached files, or clicking on an embedded site or link, which results in the installation of malware or the exposure of sensitive information; and criminals using the resulting loopholes to obtain and monetize the stolen sensitive information. However, spear phishing attacks can be prevented and thwarted by making the attacks invisible to end users by blocking fake sites, filtering phishing emails and destroying fake sites. This is best achieved when there are better interfaces and individuals and organizations are trained in security measures. Although we know why cybercriminals practice spear phishing, it is still difficult to predict their behavior. Future research should focus on this area.
FireEye, Inc., “Spear Phishing Attacks: Why They Are Successful and How to Stop Them: Combating the Attack of Choice for Cybercriminals”, Maxis360.com, 2012. [Online]. Available: http://maxis360.com/wp-content/uploads/fireeye-how-stop-spearphishing.pdf. [Accessed: 28-Nov-2017]
T. Jagatic, N. Johnson, M. Jakobsson and F. Menczer, “Social phishing”, Communications of the ACM, vol. 50, no. 10, pp. 94-100, 2007.
D. Kaplan, “Crooks opt for spear phishing despite higher upfront cost”, SC Media US, 2011. [Online]. Available: https://www.scmagazine.com/crooks-opt-for-spear-phishing-despite-higher-upfront-cost/article/559082/. [Accessed: 28-Nov-2017]
T. Moore and R. Clayton, “Examining the impact of website take-down on phishing”, The Anti-Phishing Working Group’s 2nd Annual eCrime Researchers Summit (ECRS 2007), 2007.
J. Markoff, “Larger Prey Are Targets of Phishing”, Nytimes.com, 2008. [Online]. Available: http://www.nytimes.com/2008/04/16/technology/16whale.html. [Accessed: 28-Nov-2017]
C. Herley and D. Florencio, “A Profitless Endeavor: Phishing as a Tragedy of the Commons”, New Security Paradigms Workshop, 2008.
I. Fette, N. Sadeh and A. Tomasic, “Learning to Detect Phishing Emails”, Proceedings of the 16th International World Wide Web Conference, 2007.
N. Krastev, “U.S. Indicts Dozens From Eastern Europe In Internet Theft Scheme”, RadioFreeEurope/RadioLiberty, 2010. [Online]. Available: https://www.rferl.org/a/US_Indicts_Dozens_From_Eastern_Europe_In_Internet_Theft_Scheme/2173545.html. [Accessed: 28-Nov-2017]
V. Rathore and N. Gupta, “Analysis of Issues in Phishing Attacks and Development of Prevention Mechanism”, Journal of Global Research in Computer Science, vol. 5, no. 6, pp. 22-25, 2014.
Z. Benenson, F. Gassmann and R. Landwirth, “Unpacking Spear Phishing Susceptibility”, Targeted Attacks Workshop at Financial Cryptography and Data Security 2017. IFCA,