
Hackers get more targeted with recent spear phishing campaigns

  • Posted on: April 20, 2016
  • Posted in: Industry News
  • Posted by: Christopher Budd (Global Threat Communications)
Spear phishing is becoming a big problem.

Most people have heard of attacks where some faraway prince promises millions of dollars in exchange for the victim's banking information. These phishing scams have relied on the numbers game in the past, sending out thousands of emails in the hopes that at least one person will fall for it. However, it would appear that hackers have begun to leverage a more targeted approach with spear phishing.

In this kind of scheme, the cyber criminal learns as much as she can about her target, researching his name, email address and even his place of employment. Once the hacker has all this information, she sends an email that looks like it's from someone in the victim's life. Perhaps the message is meant to resemble correspondence from this person's boss, or perhaps it appears to come from an employee of the hospital he visited a few weeks ago. Regardless, the criminal uses this research to convince the victim that she is who she says she is, prompting the target to give up privileged data.

With the amount of personal information the average person puts online, beginning a spear phishing campaign is becoming easier every day. What's more, a successful attack can give a hacker even more data about a person, potentially allowing the hacker to ensnare other people in this victim's life.

No sector is safe

The problem with this kind of attack is that it can come from anywhere, at any time. Tidewater Community College in Norfolk, Virginia, learned this the hard way recently when a cyber criminal directed a spear phishing campaign at the school. The problem was discovered when the IRS told multiple workers at the school that their tax return had already been claimed by another party who used their personal information.

The problem with the current tax return filing system is that all a cyber criminal needs to file a fraudulent claim is a person's Social Security number. This was the case with TCC, where an employee gave away personal information to an email account that seemed to have originated from within the school. As it turns out, the account was owned by a hacker. TCC believes that 3,000 current and former employees might have been compromised.

Although this was certainly a large breach of information, it pales in comparison to the attack that befell Sprouts Farmers Market. A worker involved in payroll received an email from an account that appeared to be controlled by an executive within the company. This message asked the worker to send over 2015 W-2 documents, which contain quite a lot of information pertaining to employee finances.

Sadly, the payroll worker fell for this, which resulted in 21,000 employees having their tax information leaked. While this is obviously a major problem for all the people who now must live in fear of identity theft, becoming the victim of such an attack can be hard to avoid. Even Snapchat, a company quite literally built on a technological platform, has fallen victim to spear phishing.

The fact that such a business can be hit by this type of attack shows just how dangerous spear phishing can be. All it takes is the hacker finding enough information about the right target for this campaign to bypass even the most advanced cyber security systems in the world.

Organizations just aren't ready

The reason that so many organizations from different sectors have been affected by this kind of attack is that current cyber security measures can't do anything to stop human error. In fact, even heads of state have fallen victim to spear phishing. Graham Templeton from ExtremeTech reported that the NSA most likely used this technique in order to spy on Chancellor of Germany Angela Merkel. 

This naivety about these kinds of scams is prominent throughout the business world. A survey conducted by Cloudmark and referenced by Templeton found that 97 percent of organizations had employees fail to recognize a phishing campaign. Thankfully, these emails were sent out as a test, but such a high rate of failure shows that quite a lot of people simply don't know about phishing.

That said, there's a lot more than pride on the line here. The Cloudmark study also found that the average financial loss associated with a phishing attack was roughly $1.6 million. That's a substantial amount of money to lose to a simple mistake, especially one that can't be prevented by any current cyber security software.

Don't be baited by phishing

What all of this equates to is that employers need to take responsibility for the actions of their employees. If staff members working under the Chancellor of Germany can fall for this kind of scam, anyone can. As such, administrators need to focus on employee education.

Regardless of industry or department, workers need to know what is expected of them in terms of personal cyber security. This means they should be double- and triple-checking the email addresses that they're sending private company data to, as well as talking with a supervisor if an unknown account is requesting information it otherwise wouldn't need.

What's more, employees should also be careful about what kind of personal data they post online. This doesn't mean workers shouldn't discuss their families on social media sites. Rather, they should realize that just because an email's sender knows their daughter's name doesn't mean the message is from a legitimate source. It's important to remember just how much a hacker can learn about a target through social media and other online information, and be vigilant in these regards.
