Phishing and Spear Phishing: Modern Methods Applied to Age-Old Social Engineering
It may surprise many who have followed the recent media attention on data breaches to learn that in the world of cybersecurity, it is sometimes the oldest attacks that find new life when they are applied in new ways. Phishing attacks, a form of social engineering in which attackers try to trick victims into revealing confidential information by impersonating something legitimate, have been around for years. Fictional movies more than 20 years old depicted forms of phishing that are still in use today: the 1983 movie “Wargames” portrayed the fictional teenage hacker David Lightman deeply researching the original developer of the WOPR supercomputer to determine his back-door password, “Joshua.” Today, the same type of spear phishing attack used in the movie, one directed at a specific target through in-depth research of that individual’s background, is on the rise. While, fortunately, few attacks are likely to threaten global thermonuclear war, the victims of these attacks can find it difficult to recover a company’s stability or an individual’s identity.
Phishing casts a wide net, typically through mass emails that appear to come from reputable sources but actually contain links to bogus websites or attachments that carry viruses. Other forms use interactive voice systems to lure victims into divulging confidential information by insisting there is a problem with some vaguely described account or by promising to save the victim money. These attacks are easier and cheaper than ever before: it costs an attacker next to nothing to send emails to, or have an auto-dialer call, millions of unsuspecting potential victims. Only a small percentage need to fall prey for the perpetrator to cash in: some reports put the value of an identity on the black market at $5-$16 per identity.
Unlike phishing attacks, spear phishing doesn’t rely on volume. Instead, it relies on targeting specific, high-profile individuals in an effort to steal their personal information. Celebrities had compromising photos stored on Apple’s iCloud service exposed not by an attack on the technology (although Apple’s password practices at the time were a contributing cause), but by attackers using the celebrities’ fame and publicity to guess their weak passwords. And it’s not just celebrities: executives in companies with more than 2,500 employees have a 1 in 2.3 chance of becoming the target of a spear phishing attack. RSA, a security company, fell victim to such an attack in 2011 that targeted a mere four individuals at the company.
While an attacker is likely to obtain more valuable information through spear phishing, in the form of a company’s intellectual property or higher-value bank accounts when the target is a corporate executive, spear phishing does involve more legwork for the attacker, who must research the target. The cost of a spear phishing attack is 20 times that of a phishing attack, but the average return is over 40 times. Unlike Mr. Lightman in Wargames, however, today’s attacker doesn’t have to scour old videos and newspaper articles. All it takes to research somebody today is a few taps of the keyboard, a few clicks of the mouse, and a leisurely stroll through the target’s social media accounts. As people put more information on social media for the world to see, the cost of a spear phishing attack is likely to drop even further.
Traditional technical measures, such as firewalls and installing and using anti-virus software, are only minimally useful for thwarting a phishing or spear phishing attack. After all, the weakness is not in the technology but in the person. While businesses should not give up their technical measures, they should also ensure that all of their employees (especially their executives) are adequately trained to avoid high-risk cyber activities, to be suspicious of unexpected emails that contain links or attachments, and to be wary of callers who ask for their password or other personal information. Some organizations have considered staging their own phishing training exercises against their users to help reinforce annual cybersecurity training.