The Russian-speaking TA505 hacker group has been infamous since 2014 for launching multiple attacks against US retailers and financial institutions using banking malware, exploit kits, and ransomware attacks as their main tools.
However, the TA505’s April campaign to target a financial services organisation in the US grabbed eyeballs due to the complexity of the spear-phishing attack. (Spear-phishing typically is a social engineering attack that involves targeting specific individuals or enterprises with tools such as email messages.)
While a typical malware tries to gain entry whenever feasible, the tools used in this particular spear-phishing attack collected information on the target machine and sent data to a remote server over a period of time.
“The hackers know who you are and are tracking everything about you. They usually reconnaissance and stay for a very long time. These are called advanced persistent threats,” explains Sandip Kumar Panda, CEO and co-founder of Bengaluru’s InstaSafe, a cloud-based Security-as-a-Service provider.
Panda also pointed out how the recent attack on multinational software company Citrix, which showed that some of their systems had apparently been compromised for over six months, could be a case of gaining entry through spear-phishing.
Similarly, software giant Wipro reported in April that they had been targeted by an advanced phishing attack. Cybersecurity website KrebsOnSecurity, which first broke the story, said that Wipro was “dealing with a multi-month intrusion from an assumed state-sponsored attacker”.
Perhaps what’s common to both Citrix and Wipro is how the hackers were able to reside in the system for a long duration, and slowly gained access to more sensitive data.
High on volume and complexity
Rajpreet Kaur, principal analyst for infrastructure protection at IT research and advisory company Gartner, says that that spear-phishing has been the most sophisticated and widespread attack of recent times.
And for good reason -- a study by cybersecurity firm Symantec in 2018 showed that 71.4% of targeted attacks start with spear-phishing emails. Hence, not only is spear-phishing sophisticated and complex but also has its footprint in a high percentage of attacks.
“They target impersonation or business email compromise (BEC) type of attacks. Before generating an attack, the hackers are using several methods to study and analyse the users and the organisations,” said Kaur.
The hackers spend a considerable amount of time examining social media profiles of the victim or organisation, and go as far as using machine learning techniques to identify keywords that are being used by that particular enterprise or individual.
“Once they understand the subject, they make the attacks more targeted not only to the recipient but more towards the subject matter too,” added Kaur.
Hence, spear-phishing could be the cybersecurity team’s worst nightmare, for it is big on volume, big on sophistication, and the nature of the attack is such that it tends to persist in camouflage for a long time.
Attacks not confined to large enterprises
Spear-phishers target small businesses and start-ups.
“The attack depends on how global or how visible the organisation is and not necessarily a large company. Many midsized and manufacturing organisations have also been targeted,” said Kaur.
Kaur added that there were increased attacks in the manufacturing space as hackers were targeting the blueprints of the industrial machinery, which is in great demand in the black market.
InstaSafe’s Panda added that data that is hot in the black market. “There is a black market for financial information, data security and medical records; millions are being siphoned away just by using email spear-phishing,” Panda said.
While a Symantec report back in 2015 stated that 91% of all cyber-attacks started with a spear-phishing email, today the growth of social media has led to many other mediums through which hackers gain traction.
“People use mockups of maybe an Amazon gift card or a Microsoft Office 365 notification. They can grab your credentials using simulation of websites and URLs,” said Hatem Naguib, operations chief of Barracuda Networks, a provider of network security solutions headquartered in the US.
Malicious links could also be shared on WhatsApp, Instagram or other social media sites. The malware is then installed and begins observing patterns of the user.
How can organisations counter spear-phishing?
While a few years ago companies relied heavily on perimeter security, the advent of upgrades in technology have led to the rise of distributed enterprises where the data does not reside in one large datacentre but in multiple silos.
“The perimeter is now everywhere, whether on the cloud or on-premises,” says Barracuda’s Naguib.
Hence, the modern security protocol to counter spear-phishing and all other aspects of security needs to include application security, endpoint security, collaboration security and other components of a holistic security package, in order to keep up with increasing complexity of trends.
However, cybersecurity firm Cyberbit India managing director Rakesh Kharwal says that advanced technology can only do so much. The company is a provider of cyber ranges for cybersecurity training and simulation.
“Spear-phishing is closely knit with social engineering, but the key is education and awareness, how can we educate the users on malicious sites, on what are the key signs to look out for?”
“We all agree that in cybersecurity the people are the weakest link and there needs to be awareness,” he adds.
Kharwal also said that there was a misconception that the responsibility of cybersecurity rested solely with the cybersecurity professionals.
“Enterprises need to bring in a culture which reflects cybersecurity as everybody’s business,” says Kharwal.
What are the other precautions that can be taken? According to Gartner’s Kaur, there are a few other simple necessary steps.
Secure email gateways need to be upgraded to the latest versions. Firms need to work closely with vendors for the latest configuration audit that ensures all advanced phishing protection is enabled.
“Some organisations have been using a secure email gateway for five years and still come under attack, but when we ask them if they have upgraded their gateways, they have no idea,” says Kaur.
Barracuda’s Naguib also pointed out that there was a huge shortage of human resources who are cybersecurity-trained, hence newer solutions need to be built that are easy to use and deploy.
“The same tools we are using for digital transformation are being used by the criminals to automate and orchestrate widespread attacks,” he said.
Hence, the need of the hour is a simple IT policy and ultra-basic counterattack methodologies such as resetting the password once in 90 days or using two-factor authentication. “Just because you buy sophisticated software from a sophisticated provider does not solve problems,” says InstaSafe’s Panda.
“If you are really aware of the basic security protocols, take it further and invest in zero-trust security technologies and advanced software-defined perimeters,” adds Panda.