Compliance Corner is a monthly column focused on addressing security trends and market changes that affect your regulatory compliance initiatives. The topics discussed and questions answered in this column are intended to help guide the management of your compliance program and security risk management practices. If you would like to submit a compliance-related question for consideration in next month's newsletter, please email your question to marketing@perimeterusa.com.

By now you are probably very familiar with phishing scams, consisting of fraudulent email messages or fake web sites designed to steal your identity. Scammers "phish" in bulk, attempting to persuade millions of people to disclose sensitive information. Usually the emails, written with poor grammar and spelling, claim to come from a source you may or may not even do business with. The emails try to persuade you to update your account settings by visiting a website that looks like the source's site but is in fact a malicious site. More convincing phishing attempts pose as well-known web sites with broad membership bases, such as eBay or PayPal, with the goal of coaxing users into entering their account credentials. Phishing, in its traditional form, has been around for a few years now and most people have learned to be suspicious of unexpected requests for confidential information. Through training and awareness most have learned not to divulge personal data in response to random email messages or click on links in messages, but rather to first verify the legitimacy of the source before proceeding. Just when we thought it was safe to go back into the water, two new forms of scams have emerged, this time with even more clever names: Spear Phishing and Whaling.

SPEAR PHISHING
Spear phishing is a relatively new email spoofing fraud that describes a highly targeted phishing attempt. Unlike phishing attempts where random emails are sent in bulk, spear phishing attacks target specific organizations with the goal of gaining unauthorized access to confidential data. Spear phishing messages usually pretend to come from a trusted source and appear genuine to all the employees or members within a certain company, government agency, or organization. The success of any spear phishing attack hinges on the user believing:
- The email was sent from a trusted individual
- The information within the message supports the validity of the sender
- The request seems to have a logical basis.
For example, a message might look like it came from your employer, or from a colleague who would plausibly email everyone in the company, such as the head of human resources or a systems administrator, and could include requests for confidential information.
Outlined below is how a typical spear phishing attack may be carried out:
- The spear phisher searches for web sites of organizations that reveal contact information for employees and other relevant data about the company.
- The spear phisher crafts an email message that seems authentic to the recipients based on information obtained in company specific web searches.
- The email is spoofed to appear to come from an individual who might reasonably request confidential information, such as a network administrator.
- The email requests user names and passwords or asks recipients to click on a link that will result in the user downloading spyware or other malicious software.
Responding to this scam with a user name or password, clicking links or opening attachments will result in the victim's identity being stolen or create vulnerabilities that place the entire organization at risk.

WHALING
Even more targeted than spear phishing is a flood of attacks called whaling. Where spear phishing targets a particular company, organization, group or government agency, whaling consists of targeted attacks against groups of high-level executives within a single organization, or against executive positions common to multiple organizations (e.g. the CEO, COO, CTO or CFO).
Names of top executives are usually easy to find in the news or posted all over company web sites. Similar to spear phishing, detailed research is conducted on the executives and an email is crafted that directly relates to their role at the company in hopes that they will click on a link. Clicking the link will bring the executive to a site where malware is downloaded that tracks their keystrokes and records sensitive information.
In a whaling attack, since the phisher focuses on a very small group of senior personnel within an organization, they can invest more time in the attack and finely tune the message to achieve the highest likelihood of success. The form of communication in these attacks is not always email. Some scams have relied upon the regular postal system to deliver infected media, such as a CD containing evaluation software from a known vendor but also containing hidden malware.
The stakes are high since executives typically have the most sensitive information on their systems. It is important to train and inform senior executives proactively about these risks, since the fear of potential embarrassment may delay the discovery of a problem.
Summary
The presence of these new attacks is alarming. However, all phishing attacks have one element in common: proper training and awareness of what to do when faced with the situation is critical to beating the scams. I leave you with a few anti-phishing tips and techniques provided by the SANS Institute to avoid falling prey to these scams.
Anti-phishing tips
- Education: one of the best strategies to combat phishing is to educate your users about current attack methods and to teach them what to do in the event of a phishing email. Training should include:
  - Never reveal personal or financial information in a response to an email request, no matter who appears to have sent it.
  - If you receive an email message that appears suspicious, call the person or organization listed in the From line before you respond or open any attached files.
  - Never click links in an email message that requests personal or financial information. Enter the web address into your browser window instead.
  - Report any email that you suspect might be a spear phishing campaign within your company.
- Where possible, use two-factor authentication, which requires an additional mechanism (ID card or code-generating key fob) as well as a password.
- Avoid mass-mailing customers links to your website - doing so encourages them to accept such emails as normal.
- Use anti-phishing systems that identify phishing content in both e-mails and web sites through add-ins to your browser and email client. Systems include: NetCraft Toolbar, Google Safe browsing, eBay Toolbar, Earthlink Scamblocker, Geotrust Trustwatch, or McAfee SiteAdvisor.
- Report suspicious mails to your email administrator or ISP and alert the Anti-Phishing Working Group (APWG).
- Report all incidents where fraud occurs to the police.
Source: SANS Institute.
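The column describes spear phishing mail as spoofed to look like it comes from an internal administrator or executive, and the tips above recommend systems that identify phishing content in email. The following is an added example, not part of the column or of SANS material, showing the kind of header and body heuristics such a mail filter can apply from the defender's side: a display name borrowed from a known internal person but attached to an external address, a sender domain one character away from the organization's own, a Reply-To that routes answers elsewhere, and a credential request that links outside the organization. The domain `example.com`, the directory of trusted names, and both sample messages are constructed for illustration.

```python
"""Heuristics for flagging spoofed 'internal' senders in spear-phishing mail (illustrative example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed example values: the organization's real domain and a small
# directory of people whose names a spear phisher might borrow (CFO, IT mailbox).
ORG_DOMAIN = "example.com"
TRUSTED_NAMES = {"jane doe", "it helpdesk"}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domains are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_lookalike(domain: str) -> bool:
    """True for a domain one edit away from ORG_DOMAIN (a swapped, dropped or added character)."""
    return domain != ORG_DOMAIN and _edit_distance(domain, ORG_DOMAIN) <= 1


def analyze(raw: str) -> list[str]:
    """Return the reasons a message looks like sender spoofing; an empty list means no finding."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    findings = []

    # 1. Display name of an internal person, but the actual address is external.
    if name.strip().lower() in TRUSTED_NAMES and from_dom != ORG_DOMAIN:
        findings.append(f"display name '{name}' with external address {addr}")

    # 2. Sender domain that differs from ours by a single character.
    if _is_lookalike(from_dom):
        findings.append(f"lookalike sender domain {from_dom}")

    # 3. Replies routed to a domain other than the claimed sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_dom}")

    # 4. A request for credentials whose links leave the organization.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s\"'>]+)", text)}
    external = sorted(h for h in hosts if h != ORG_DOMAIN and not h.endswith("." + ORG_DOMAIN))
    if external and re.search(r"\b(password|user ?name|credentials)\b", text, re.I):
        findings.append(f"credential request with external link(s): {', '.join(external)}")

    return findings


# Constructed sample messages (not real mail). The first mimics the column's scenario:
# a note claiming to be from the IT helpdesk, sent from a lookalike domain.
SPOOFED = """\
From: IT Helpdesk <helpdesk@examp1e.com>
Reply-To: support@mail-reset.example.net
To: staff@example.com
Subject: Action required: password expiry
Content-Type: text/plain; charset="utf-8"

Your password expires today. Confirm your user name and password at
http://example-portal.example.net/reset to keep your account active.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Q3 budget review
Content-Type: text/plain; charset="utf-8"

Agenda for Thursday is on the intranet: https://intranet.example.com/q3
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, "->", analyze(sample) or ["no findings"])
```

These checks are deliberately simple and produce leads for a person to verify, which is exactly what the tip about calling the person listed in the From line is for; a real mail gateway would combine them with SPF/DKIM results and a maintained directory rather than a hard-coded set of names.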