By Rod Rasmussen, IID President and Chief Technology Officer
The numbers are truly staggering. More than 100 million people’s names, home addresses, email addresses, dates of birth, phone numbers and more were stolen at Sony, while tens of millions of additional email addresses were stolen during a data breach at marketer Epsilon. And what is even scarier, these breaches occurred over just the last few months!
While Sony is a household name, Epsilon might not be. Yet the brands represented by this email marketer, like Best Buy, Citibank and the Walt Disney Company, are probably very familiar, and there is a good chance you have done business with at least one of them.
What is worrisome about all of this personal information floating around out there is the fact that it gives cyber criminals all they need to launch highly targeted spear phishing campaigns — attacks that are often successful because they are so targeted.
What is spear phishing?
Simply put, spear phishers come after specific individuals directly, armed with insight into their spending habits and other personal information that only those close to an individual, or a company they do business with, would know. The lure is an unsolicited message that looks and "feels" very real. At best it simply disappears into a spam filter; at worst it carries malicious software (malware), or is convincing enough to fool people into exposing private information like account and credit card data, Social Security numbers and more. And because the spear phishers add those personal details, even people who are familiar with run-of-the-mill spam or generic phishing attacks often fall for the ruse.
In the Sony and Epsilon breaches, and many others, attackers now have exactly the details on potential victims they need. The fact that attackers know which vendors people do business with, and therefore expect to receive email from, is a big deal. Instead of sending out generic emails in the hope of tricking a handful of customers, the scammers now have an exact list of people who are already customers and are likely to open and interact with those emails. The phishing has become a targeted spear.
More than a personal threat
These anticipated spear phishing campaigns pose a huge threat to organizations worldwide, with consequences ranging from corporate espionage to a hijacked website. If an employee is lured to a malicious site, they run the risk of having malicious software loaded onto their computer. That malware can take over the machine and access every piece of information on it, or on the network it connects to, without the user knowing. The possibilities are endless: emails to partners, business plans, large bank transactions and more can all be captured, resulting in corporate espionage, millions of dollars in redirected funds and even the hijacking of an entire Web presence.
For example, in April of this year, the Oak Ridge National Laboratory in Tennessee suffered a spear phishing attack that led to malware being downloaded. After the federal facility was hacked, it was forced to disconnect Internet access for its entire staff as administrators discovered data being siphoned from a server.
Now let's consider the risk. The lab, which conducts classified and unclassified energy and national security work for the federal government, is funded by the U.S. Department of Energy. Its science and technology research includes work on nuclear nonproliferation and isotope production. The lab, ironically, also does cyber security research focusing on, among other things, malware, vulnerabilities in software and hardware, and phishing attacks. Much of the data housed there is sensitive or classified and, in the wrong hands, could lead to considerable trouble.
Experts believe other highly publicized successful hacking attacks this year, including those against security giant RSA and the massive defense contractor Lockheed Martin, have been pulled off, in part, via spear phishing attacks. So this isn’t a theoretical exercise, it’s happening today and with devastating results.
Time for a new approach
Traditionally, enterprises have protected themselves against outside threats with a perimeter approach, such as firewalls, meant to keep attackers "out there" from ever reaching an employee. However, firewalls have little if any effectiveness against spear phishing: the message arrives over a channel the perimeter has to allow (email), it APPEARS to come from a trusted source, and the damage is done when the employee, from inside the perimeter, reaches out to the attacker's site. Inevitably, an employee will fall for such a scam and access a malicious Internet location, putting an enterprise's vital information and its Web presence at risk.
What is needed is an additional approach that works from the outside in: one that looks at the requests employees send outward, such as the domain name lookups behind every website visit and email delivery, and at the destinations those requests resolve to. By using a service that monitors what is happening outside your organization's walls and how your organization interacts with it, you add a second layer of defense that catches what the perimeter lets through.
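As an added illustration of the "outside in" check described above, here is a small screen over the domain names employees resolve. This is example code written for this page, not IID's product or code. It assumes a short allowlist of the brands' legitimate domains, a constructed blocklist, and constructed query names (all marked in the code); it approximates the registrable domain by the last two labels, which is enough for the sample but not for multi-label public suffixes such as co.uk.

```python
"""Toy DNS-layer screen for spear-phishing lookalike domains.

Added example, not IID's product code. Brand list, allowlist, blocklist
and query log are constructed sample data.
"""
import re

# Brands named in the article as clients of the breached marketer.
PROTECTED_BRANDS = ("bestbuy", "citibank", "disney", "sony")

# Assumption: an allowlist of the brands' legitimate registrable domains.
KNOWN_GOOD = {"bestbuy.com", "citibank.com", "disney.com", "sony.com"}

# Constructed: domains already confirmed malicious (reserved .example TLD).
BLOCKLIST = {"citi-account-verify.example"}

# Common look-alike substitutions attackers use inside a label.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_label(label):
    """Fold digits and letter pairs that mimic other letters, keep a-z only."""
    label = label.lower().translate(_HOMOGLYPHS)
    label = label.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z]", "", label)


def registrable_domain(fqdn):
    """Approximate eTLD+1 as the last two labels.

    Does not handle multi-label public suffixes (co.uk); a real
    deployment would consult the Public Suffix List instead.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(fqdn):
    """Return (verdict, reason): 'allow', 'block' or 'review' for a queried name."""
    fqdn = fqdn.lower().rstrip(".")
    reg = registrable_domain(fqdn)
    if reg in KNOWN_GOOD:
        return ("allow", "allowlisted domain")
    if reg in BLOCKLIST:
        return ("block", "known-malicious domain")

    labels = fqdn.split(".")
    reg_label = normalize_label(labels[-2] if len(labels) >= 2 else labels[0])
    for brand in PROTECTED_BRANDS:
        # Brand name embedded in any label of a domain we do not own,
        # e.g. bestbuy.rewards-login.example or citibank-secure-login.example
        if any(brand in normalize_label(lbl) for lbl in labels):
            return ("block", f"brand '{brand}' used in non-allowlisted domain {reg}")
        # One-edit typosquat of the registrable label, e.g. citibamk.example
        if reg_label != brand and edit_distance(reg_label, brand) <= 1:
            return ("review", f"label '{labels[-2] if len(labels) >= 2 else labels[0]}' is within one edit of '{brand}'")
    return ("allow", "no match")


# Constructed sample of names an employee workstation might resolve.
SAMPLE_QUERIES = [
    "www.bestbuy.com",
    "citibank-secure-login.example",
    "citibamk.example",
    "c1tibank.example",
    "mail.example.net",
    "citi-account-verify.example",
]


def screen(queries):
    """Run the classifier over a batch of queried names."""
    return {q: classify(q) for q in queries}


if __name__ == "__main__":
    for name, (verdict, reason) in screen(SAMPLE_QUERIES).items():
        print(f"{verdict:6} {name:32} {reason}")
```

The allowlist is checked first so that legitimate brand traffic is never tripped by the substring rule; everything else that carries a protected brand name is blocked outright, while near-misses go to review because a one-edit distance also matches some innocent names.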
The phishing stops here
Chances are, given the extent of recent data breaches, you or someone you know has personal information in the hands of cyber schemers. Taken a step further, those cyber schemers will hook someone at your organization into clicking on a bad link in a spear phishing assault. But since we know these attacks are coming, shouldn't your enterprise be prepared? Never has the old saying been more appropriate: "Fool me once, shame on you; fool me twice, shame on me." Don't get schooled by spear phishing.
Rod Rasmussen is President and chief technology officer at IID.
IID (Internet Identity) has been providing technology and services that secure the Internet presence of an organization and its extended enterprise since the company was founded in 1996. It recently started delivering the industry's first and only solution for detecting, diagnosing and mitigating domain name system (DNS) and border gateway protocol (BGP) security and configuration issues for an organization and its extended enterprise. IID also provides anti-phishing, malicious software (malware) and brand security solutions for many of today's leading financial services, e-commerce, social networking and ISP companies. The company is working hard to deliver solutions that help keep the Internet safe and trusted for businesses. IID is headquartered in Tacoma, Washington. More information can be found at www.internetidentity.com.