Spear Phishing: Beyond the Common Sense Defense

The recent theft of millions of names and email addresses from Epsilon, a major email marketing services provider, along with the theft of 77 million names, email addresses and other personally identifiable information from Sony, has highlighted two needs: better user education, and new and improved technological solutions for online phishing attacks.

Epsilon sends 40 billion emails every year, on behalf of 2,500 major corporate clients. The company disclosed in late March that its systems had been compromised, and that customer data belonging to about 50 of its clients had been stolen. The breach exposed the mailing lists of such companies as Capital One, JPMorgan, Citibank, and dozens of other large, reputable brands in the financial services and retail sectors. Sony’s gaming network hosts more than 75 million accounts, every one of which was compromised. Popular games, such as Everquest, are played by users over the Internet using their PCs. They require personally identifiable information and in some cases, credit card data.

As a result, criminals now have enough information to construct highly targeted phishing runs aimed at known customers of the affected companies. They can also address their potential victims by name. Many savvy net users have learned to be suspicious of emails beginning with "Dear Customer" or other vague salutations, but these targeted "spear phishing" attacks can look a lot more convincing. If you already have a business relationship with a company and you receive a realistic-looking email purportedly from that company, you're a little more likely to believe the phisher's overtures are genuine if they address you by name.

So, how can you mitigate the risk of falling victim to spear-phishing attacks? If you're worried about the Epsilon or Sony breaches specifically, the 100% effective solution would be to create and use a new email address. For the vast majority of people, however, this will be impractical. In any event, changing email addresses will not prevent future phishing attacks unrelated to the Epsilon or Sony data theft.

The standard defenses to phishing, as expounded in many media articles since the breaches were reported, all involve user education -- the "common sense" defense. Phishing, and to a greater extent “spear phishing,” are merely 21st century technological versions of age-old confidence tricks. The more cautious and street-smart the mark, the less likely they are to become a victim. But, I would argue that there are also great opportunities for more advanced technological solutions to be developed, building on the foundations already laid by the security industry.

Today, it has become increasingly difficult for security software to detect all the various pieces of malware that attackers attempt to distribute. Malware is too plentiful and changes too rapidly for any vendor to reasonably provide absolute coverage. When it comes to phishing, the industry has taken small steps towards creating phishing-detection tools that can, in some cases, alert users before they do something foolhardy. The latest version of the Firefox browser, for example, takes a data feed from the StopBadware coalition that allows it to alert users before they visit a site shown to be hosting malware. In addition, some consumer and enterprise security clients have phishing detection built-in, which can offer varying degrees of protection.

Unfortunately, the best advice today remains user education. There are many ways phishing, even spear-phishing, can be detected by educated users.

Look Before You Click

Attackers may register domain names such as we11sfargo.com in an attempt to visually confuse the victim; they may incorporate the names of well-known brands into longer domain names such as citibank-online-bank-account.com. They may use third-level domains, such as bankofamerica.example.com, to imply an association with the real company. Usually they will also attempt to mask the URL in their email using HTML tags. In most browsers and email clients, hovering over the link with your mouse will show the destination URL in the application's status bar, so it is possible to verify an address before you click. Any URL leading to a domain name you're not familiar with should be viewed with suspicion. If in doubt, type a domain you trust into your browser rather than clicking, or use a search engine to find the site you need.
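The three domain tricks described above (digit-for-letter look-alikes such as we11sfargo.com, a brand buried in a longer name such as citibank-online-bank-account.com, and a brand used as a third-level label such as bankofamerica.example.com) plus the HTML-masked link can all be checked mechanically before anyone hovers a mouse. The script below is an added example, not code from the article or from Afilias: it pulls every anchor out of an HTML email body, compares the domain the visible text shows against the domain the href really points to, and runs each destination host through the three heuristics. The brand list, the list of legitimate domains, and the sample email are constructed for the example, and the "last two labels" notion of a registrable domain is a deliberate simplification (a real tool would use the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed watch-list: brands the filter should protect.
WATCHED_BRANDS = {"wellsfargo", "citibank", "bankofamerica", "chase"}

# Constructed allow-list: registrable domains that legitimately belong to
# those brands. A deployment would maintain this from verified sources.
LEGIT_DOMAINS = {"wellsfargo.com", "citibank.com", "bankofamerica.com", "chase.com"}

# Digit/letter swaps commonly used to build visually confusable names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Matches a bare or schemed hostname inside the visible link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_domain(host):
    """Simplified registrable domain: the last two labels (assumption: .com-style TLDs)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_findings(host):
    """Return human-readable reasons a hostname looks like brand impersonation."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return []
    findings = []
    reg_label = reg.split(".")[0]
    normalized = reg_label.translate(CONFUSABLES)
    for brand in WATCHED_BRANDS:
        if normalized == brand and reg_label != brand:
            findings.append(f"look-alike of {brand}: {reg}")          # we11sfargo.com
        elif normalized == brand:
            findings.append(f"brand {brand} on unlisted domain: {reg}")
        elif brand in normalized:
            findings.append(f"brand {brand} embedded in longer domain: {reg}")  # citibank-online-...
    # Labels to the left of the registrable domain, e.g. "bankofamerica" in
    # bankofamerica.example.com; the real owner of the name is example.com.
    sub_labels = host[: len(host) - len(reg)].rstrip(".").split(".")
    for label in sub_labels:
        if not label:
            continue
        for brand in WATCHED_BRANDS:
            if brand in label.translate(CONFUSABLES):
                findings.append(f"brand {brand} used as a sub-domain of {reg}")
    return findings


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Report every link with the reasons (possibly none) it looks deceptive."""
    parser = LinkExtractor()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = domain_findings(host)
        shown = URL_IN_TEXT.search(text)
        # The classic masked link: text displays one domain, href goes elsewhere.
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"link text shows {shown.group(1)} but points to {host}")
        report.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return report


# Constructed sample message exercising each trick plus one honest link.
SAMPLE_EMAIL = """
<p>Dear Jane Doe,</p>
<p>Please confirm your account at
<a href="http://we11sfargo.com/login">https://www.wellsfargo.com/</a></p>
<p>Or visit <a href="http://bankofamerica.example.com/verify">our secure portal</a>
and <a href="https://citibank-online-bank-account.com/">Citibank Online</a>.</p>
<p>Statements: <a href="https://www.chase.com/statements">www.chase.com</a></p>
"""

if __name__ == "__main__":
    for entry in check_links(SAMPLE_EMAIL):
        verdict = "OK" if not entry["reasons"] else "SUSPECT"
        print(f"{verdict:8} {entry['href']}")
        for reason in entry["reasons"]:
            print(f"         - {reason}")
```

Run as-is it flags the first three links and passes the chase.com one. The text-versus-href comparison is the single most useful check, because it needs no brand list at all: an email that displays one domain while linking to another has no honest reason to do so.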

Never Give Out Sensitive Data

Treat any request for information, such as credit card, bank account or social security numbers, with the height of skepticism. Reputable banks will never ask for this information via email, and they often maintain policies, easily found on their websites, explaining precisely what kind of email communications they engage in, often with sample images of phishing emails. If you do not trust yourself to spot a fraudulent URL, make it a personal policy to never give sensitive information to any website if it's been requested via email.

Be Wary of Attachments

Not all phishing attacks attempt to persuade the victim to visit a malicious website. Over a decade after the "I Love You" worm hit mailboxes worldwide, it's broadly well-understood that unexpected email attachments are suspect. But do not underestimate the potential for momentary lapses of judgment, forgetfulness or complacency. Never click on an unexpected attachment, even one that appears to be from a trusted source. If it appears to be an executable file, it's likely malware. However, other file types, such as PDFs or HTML, have increasingly been found to carry malicious payloads or forms that communicate directly with the attacker.

Use the Phone

If you've received an email that appears to be from a company you have a relationship with, but notice a suspicious payload or link, call them to ask if the email is legitimate. If your bank really has accidentally lost your sensitive information and requires you to re-enter it into their website, the bank's customer support employees will know. Call them and ask for confirmation using a well-publicized number, not the number in the email, before taking any action.

Many of these recommendations may appear to be basic, but it is surprising how often they go unheeded, even in large enterprises. Recently, court documents revealed that the publisher Condé Nast handed more than $8 million over the course of several months to a fraudster posing as a regular supplier. An employee was on the receiving end of an extremely targeted spear-phishing attack. A simple phone call to the supplier, who was well known to the company, could have exposed the fraud immediately.

Knowing that it is impossible to ensure all users are alert to the phishing problem, perhaps it’s time to look to the security industry to beef up technological solutions. With spam filtering, malware detection tools, reputation systems and nascent anti-phishing services, we may already have the basis of a much better system than simple user education. With more investment, analysis and experimentation, technology could soon make a bigger dent in the phishing problem.

Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN’s Board of Directors and has helped direct and write numerous policies affecting domain name registration and DNS security.