Training Needed to Halt 'Spear-Phishing' Attacks

Computerworld - So-called spear-phishing attacks—customized spoof e-mails that appear to come from trusted sources and ask recipients to part with confidential information—pose a dangerous and emerging threat to organizations.

There are no mature technical solutions to the problem, so IT must emphasize education, security experts said during a telephone briefing on the topic last week.

The briefing for federal and state security managers was organized by the SANS Institute, a security research company in Bethesda, Md.

"Phishing has become so sophisticated that it has become one of our top [security] concerns," said William Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) in Albany.

Spear-phishing attacks are similar to regular phishing scams in that they try to lure victims into sharing confidential data or downloading Trojan horse programs. However, spear phishing is far more targeted, and the e-mails are much more customized than regular phishing missives.

Firewall Killers

The volume of e-mail in a spear-fishing attack is much lower than it is in a regular phishing exploit, making spear-fishing scams more difficult to detect.

Alan Paller, director of research at the SANS Institute, described spear-fishing incidents as "firewall-killer attacks" that can be as effective as "unsecured wireless for going through the perimeter."

E-mail authentication technologies can help alleviate the problem, said Dave Jevans, chairman of the Anti-Phishing Working Group in Cambridge, Mass. But many relevant standards are immature, and available technologies can require large upgrades to e-mail infrastructures. Thus, user education and training are important, Pelgrin said.

In a mock phishing scenario conducted between March and May, the New York CSCIC sent spoofed e-mails to about 10,000 employees across five state agencies, trying to trick users into surrendering their passwords. More than 75% of the recipients opened the e-mail, 17% followed the link, and 15% attempted to enter their passwords, Pelgrin said.

In an exercise two months later—after users were educated about the technique—only 8% of respondents opened the e-mail, Pelgrin said.

The U.S. Military Academy at West Point has conducted similar phishing exercises over the past few years and has seen a decline in the number of users who fall for them.

At the same time, the number of recipients reporting incidents of suspicious e-mail has gradually risen, showing that more people are aware of the problem, said Aaron Ferguson, an assistant professor in West Point's department of electrical engineering and computer science.

Spear-Phishing Test

The New York CSCIC conducted a mock phishing exercise across five state agencies this spring. Of the nearly 10,000 e-mails that were sent, at least 75% of them were opened. 17% of the recipients followed the e-mail’s link, which took them to a false site. 15% of the e-mail recipients attempted to interact with a fake password form on the site. 3% of the e-mail recipients took the appropriate action by manually typing the Web address into their browsers. Source: New York CSCIC