In part 2 of our look at Phishing, we focus on a targeted form that often effects senior leadership in an organization: Spear Phishing.
Spear phishing is the targeted effort to trick a small group of employees into letting hackers gain access. Spear phishing efforts often involve one of the familiar tactics of tricking an employee to “verify” information that they may have never given out (voluntarily). Increasingly, IT department personnel are targeted due to the levels of access they normally have to do their legitimate job.
Spear phishing is a targeted act against a company’s network, focused on a select number of individuals that are believed to be able to provide access to an IT system. The techniques are highly dependent on the targeted persons, and how poorly they are trained to recognize spear phishing attempts.
One of the most unsuspecting ways a company can bring an attack on themselves is through online sites, blogs, and social networking sites. What may seem like an unrelated effort can many times provide a trail for hackers to follow. The following is an example based on a real-world incident.
A large equipment manufacturer was preparing to launch a new piece of machinery with several new, innovative features. The lead design engineer had a Linked In profile and used it to network with others in his industry. He began looking for a better job, and used Linked In to connect with a recruiter. The recruiter and the engineer began exchanging emails. One email contained an attachment with a hidden piece of malware. When the engineer opened the attached document, he allowed the malware to install a complex set of software that ultimately allowed Chinese hackers to gain access to his system at work, steal the design plans (intellectual property), and manufacture a copy for sale internationally without the original design team’s involvement, or lawful consent. The competitor company in China beat them to the release date. Because the environment was an international business climate, there was no available recourse for the original designers to recover their plans.
RELATED: The Verizon RISK report
The design engineer had been targeted by the Chinese hackers based on his position in the company and his involvement in a project that competitors wanted details about. While his efforts may not have been directly intended to compromise the company he worked for, the results were clear. He was deceived into making a series of mistakes that led to the loss of data, plans, and ultimately sales for the parent company.
First, the engineer used the work network and computers to communicate with an outside organization about something non-work related. This may seem harmless enough, as many people multi-task every day at their desk. By opening an attached document for the purpose of finding a new job, the engineer allowed malware to be activated and installed on his work computer.
Next, the malware created an access point that hackers used to compromise the network, search for files and plans, and identify the designs they wanted to steal.
Finally, the Chinese team made use of encryption and connections to remote servers to extract plans without triggering software that was supposed to protect against this very effort. All of this was made possible by the initial effort of tricking the design engineer to trust them. The spear phishing effort was successful because the targeted person was either uninformed of the risks he was taking, or he was unaware of how his actions could lead to a data breach.
Christoper Watson is an Information Technology professional with success in both public and private sector businesses. Technical and business experience is complimented with operational and strategic planning, international contracting work, leadership development and team building competency in challenging physical and political environments. Experience leverages strengths with technology services and providing timely and relevant information to senior executive leadership. Christopher is based out of the Oklahoma City office.