Think for a minute about “targeted attacks.”
When you think about them, who do you see as the targets of these kinds of attacks?
Maybe you think of agencies of major world governments like the United States Defense Department.
Or maybe your first thought is of major international financial powerhouses like JP Morgan.
Odds are you’re not thinking about a small or medium-sized business being the target of these more sophisticated types of attacks.
You should be though.
Because in our latest research report “Predator Pain and Limitless,” Trend Micro’s researchers show how cybercriminals are taking the targeted attack tools that have been honed and refined against major world governments and international financial corporations and now using them on small and medium businesses.
Using a combination of relatively cheap, off-the-shelf malware and publicly available information, attackers are now using the same kinds of spear phishing techniques to target people in these smaller, less sophisticated, less well protected organizations.
As market forces make targeted attacks cheaper and easier to carry out, cybercriminals are expanding the pool of potential victims. An attacker no longer needs to score millions of dollars off a successful attack against one target to see a good return on his or her investment: making a few thousand dollars off a number of smaller targets works just as well.
Small and medium organizations are at additional disadvantages. First, many of them are still running Windows XP, even though Microsoft ended security support for it over seven months ago. With each passing day, Windows XP becomes more vulnerable, more attackable, and an easier target for successful attacks like these. Second, these kinds of organizations typically lack specialized in-house security knowledge or expertise.
The message from this research is that advancements in malware and tactics have reached a point where targeted attack techniques are joining spam and phishing as part and parcel of the attacker’s toolbox.
If you’re a small or medium-sized business, you can’t count on going unnoticed to protect you from these kinds of attacks. In addition to ensuring security training for employees, small and medium organizations should look to a combination of messaging and endpoint security. As this research shows, these steps for better security are increasingly critical for everyone, not just for the classic “too big to fail” organizations out there.