Hacker Lexicon: What Is Phishing?

Your IT department has probably warned you not to click on suspicious links in e-mails. If the link looks suspect: Do. Not. Click.

Your IT department has no doubt warned you not to click on suspicious links in e-mails, even when the missive promises a hilarious video or comes from a seemingly trustworthy source. If the link looks suspect: Do. Not. Click.

That's because these emails are often phishing scams designed to trick you into opening a malicious attachment or visiting a malicious web site. In the latter case, the site may masquerade as a legitimate bank or email login page in order to get the user to disclose sensitive information---such as a username and password or bank account details---or it may simply and surreptitiously download malware onto the victim's computer.

Just ask the White House employee who apparently clicked on a phishing email purporting to come from the State Department and allowed hackers into several government networks.

Spear-phishing is a more targeted form of phishing. Whereas ordinary phishing involves malicious emails sent to any random email account, spear-phishing emails are designed to appear to come from someone the recipient knows and trusts---such as a colleague, business manager or human resources department---and can include a subject line or content that is specifically tailored to the victim's known interests or industry. For really valuable victims, attackers may study their Facebook, LinkedIn and other social networking accounts to gain intelligence about a victim and choose the names of trusted people in their circle to impersonate or a topic of interest to lure the victim and gain their trust.

An estimated 91 percent of hacking attacks begin with a phishing or spear-phishing email. Although firewalls and other security products on the perimeter of a company's network may help prevent other kinds of malicious traffic from entering the network---for example through vulnerable ports---email is generally considered legitimate and trusted traffic and is therefore allowed into the network. Email filtering systems can catch some phishing attempts, but they don't catch all of them. Phishing attacks are so successful because employees click on them at an alarming rate, even when emails are obviously suspicious.
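The filtering the paragraph above refers to is typically a stack of heuristics rather than a single rule. The following is an added example, not code from the article or from any product it mentions: a small Python scorer that applies three of the common checks to an RFC 5322 message using only the standard library (a Reply-To domain that differs from the From domain, a link whose visible text names a different host than the one it actually points to, and an attachment with an extension that can carry macros or executable content). The two sample messages, the domain names in them, and the `RISKY_EXTENSIONS` list are constructed for the example and are assumptions, not data from the page.

```python
"""Toy phishing-indicator scorer (added example, not from the article)."""
import email
import email.policy
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that commonly carry macros or exploit payloads. This list is an
# assumption for the example; a real filter would use a maintained policy.
RISKY_EXTENSIONS = {".xls", ".xlsm", ".doc", ".docm", ".js", ".exe", ".scr", ".hta"}

# Matches visible link text that itself looks like a URL or domain name.
DOMAIN_LIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _real_host(href):
    """Lower-cased host an href actually points to, without a leading 'www.'."""
    host = (urlparse(href).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _shown_host(text):
    """Host named in the visible link text, or '' if the text is not URL-like."""
    match = DOMAIN_LIKE.match(text)
    return match.group(1).lower() if match else ""


def phishing_indicators(raw_message):
    """Return human-readable indicator strings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings = []

    # 1. Replies would go to a different domain than the apparent sender.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 2. Link text names one host while the href leads somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, real = _shown_host(text), _real_host(href)
            if shown and real and shown != real:
                findings.append(f"Link text shows {shown} but points to {real}")

    # 3. Attachment whose extension can carry executable content.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if any(filename.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"Attachment {filename!r} has a risky extension")
    return findings


def build_sample(suspicious):
    """Constructed sample message; every name and domain here is made up."""
    msg = EmailMessage()
    msg["From"] = "HR Department <hr@example-lab.test>"
    msg["Subject"] = "Updated benefits enrollment"
    if suspicious:
        msg["Reply-To"] = "payroll@example-mail.test"
        href = "http://example-mail.test/login"
    else:
        href = "https://intranet.example-lab.test/benefits"
    msg.set_content("Please review the updated benefits page.")
    msg.add_alternative(
        f'<p>Please review <a href="{href}">'
        "https://intranet.example-lab.test/benefits</a></p>", subtype="html")
    if suspicious:
        msg.add_attachment(b"\x00placeholder", maintype="application",
                           subtype="vnd.ms-excel", filename="Recruitment plan.xls")
    return msg.as_string()


if __name__ == "__main__":
    for label in ("benign", "suspicious"):
        print(label, phishing_indicators(build_sample(label == "suspicious")))
```

The point of the example is the gap the paragraph describes: each check is cheap and catches a common pattern, but a message that uses a matching Reply-To, a plain-text link, and a file type the policy does not list scores zero, which is why filtering reduces rather than eliminates the need for cautious users.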

One of the most famous examples of a spear-phishing attack that succeeded despite its suspicious nature targeted the RSA Security firm in 2011.

The attackers sent two different targeted phishing emails to four workers at RSA's parent company EMC. The emails contained a malicious attachment with the file name “2011 Recruitment plan.xls,” which contained a zero-day exploit.

When one of the four recipients clicked on the attachment, the exploit attacked a vulnerability in Adobe Flash to install a backdoor onto the victim's computer.

“The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file,” RSA wrote in a blog post about the attack.

The backdoor gave the attackers a foothold from which to conduct reconnaissance and map a way to more valuable systems on the company's network. They eventually succeeded in stealing information related to the company’s SecurID two-factor authentication products. The attack was surprising because everyone assumed that a top security firm like RSA would have trained employees who know better than to open suspicious emails. Yet one of its employees not only opened one of the suspicious emails but retrieved it from his junk folder---after his email filter had deemed it suspicious---in order to open it.

Another surprising victim of a spear-phishing attack was the Oak Ridge National Laboratory in Tennessee. The lab, also hacked in 2011, got hit with a phishing email that appeared to come from the human resources department and included a link to a web page where malware downloaded to victims' machines. The attackers sent the email to 530 of the lab's 5,000 workers, and fifty-seven people clicked on the malicious link in the email. Only two machines got infected with the malware, but this was enough to get the attackers onto the network. They were discovered only after administrators noticed megabytes of data being siphoned from the lab's network.

The hack was so surprising because the high-security federal lab conducts classified energy and national security work for the government, including work on nuclear nonproliferation and isotope production. But the lab, ironically, also does cybersecurity research---work that focuses on, among other things, researching phishing attacks.