Spear Phishing: Dangers & Need for Education
In 2013 Nigerian email scams took in an estimated $12.7 billion (Gat, 2014). These scams persist and are relatively straightforward: one receives an email from a “deposed prince” asking for bank or credit card details, or for a sum of money sent by wire transfer, with the promise of a much larger reward later. This is a simple email scam and is considered a basic phishing attack. If phishing were limited to fraudulent requests for money or account information, the organizational response would be straightforward and phishing would eventually be prevented to some degree. But it is not that simple. In August 2016 the country that popularized the basic email scam was found to have graduated to much more advanced tactics. SecureWorks, a cybersecurity company, found that “a criminal syndicate in Nigeria is stealing millions of dollars from companies around the world by intercepting their emails and diverting bank transfers” (Kuchler, 2016). Instead of sending mass emails with a generic scam, the group would “send emails claiming to be from a senior executive ordering wire transfers” (Kuchler, 2016) and then “intercept the existing transaction” (Kuchler, 2016). In this scam a specific individual is targeted, and once that person’s email account is compromised the attackers monitor it to learn how the owner writes, so that when they order a transfer it appears legitimate.
The shift of tactics in Nigeria from generic phishing to spear phishing (a targeted form of phishing) is indicative of the evolving dangers of a networked world. Generic scams have given way to the kind of targeted, patient operations that define Advanced Persistent Threats (APTs). APTs “have a level of planning that sets them apart from other cyber threats. They are the work of a team that combines organization, intelligence, complexity and patience” (Singer & Friedman, 56). An APT can last for years and may never be detected. This is not a paper about APTs but about the dangers of spear phishing and why it is the most important topic on which an organizational cybersecurity education program should focus; the APT process must still be understood, because spear phishing is normally the first step of one. “An estimated 91-percent of hacking attacks [APTs] begin with a phishing or spear-phishing email” (Zetter, 2015). Many people and organizations rely on various kinds of software to secure their networks, but:
Although firewalls and other security products on the perimeter of a company’s network may help prevent other kinds of malicious traffic from entering the network—for example through vulnerable ports—email is generally considered legitimate and trusted traffic and is therefore allowed into the network. Email filtering systems can catch some phishing attempts, but they don’t catch all of them. Phishing attacks are so successful because employees click on them at an alarming rate, even when emails are obviously suspicious (Zetter, 2015).
Spear-phishing is a human problem and not a technology problem. In order to better understand the dangers of spear-phishing and why it should be the focus of a cybersecurity education program, it is necessary to understand the place of spear-phishing in the APT lifecycle. The author will then discuss the specifics of John Podesta’s email compromise, the importance of open source intelligence in spear phishing, and conclude with the factors that need to be taken into consideration to create an effective anti-spear phishing education program.
Advanced Persistent Threat
When APTs “are directed against a small group – because of how society now embraced technology – a staggering volume of information [becomes] available” (Grey, 256). APTs always start with a “specific target” (Singer & Friedman, 56), and the team planning an APT “knows who it wants and who it is going after to get it” (Singer & Friedman, 56). APTs are conducted by specialized teams, and there are several competing models of the APT lifecycle. Below is one depiction (pay close attention to the initial compromise stage, because that is where phishing and spear phishing are used, by the estimate cited above, roughly 91% of the time to penetrate a network):
Figure 1: APT Lifecycle (Image Credit: Mandiant)
APTs are often effective because they do not target the main holder of the desired information but rather “trusted outsiders, who often have lower levels of defense, or by targeting people in the network who have some access permissions to open the gate wider” (Singer & Friedman, 57). This pattern was most recently seen with John Podesta: the ultimate target of that particular operation was Hillary Clinton, but she was more accessible through Podesta, whose communications did not receive the scrutiny given to a presidential candidate’s (this case is discussed in more detail below).
APTs require a great deal of research to determine how best to compromise a system and then to move through it to reach the desired information. With proper research, a spear phishing email sent to compromise a system can be so well tailored (a digital birthday card from one’s mother, a reservation reminder for an upcoming dinner, a password update notice, and so on) that the target is compromised without a hint of suspicion. An APT can persist in a system for days, months, or years depending on the information required. Because they are difficult to detect once inside an organization’s systems, the key is to prevent them at the point of entry with more targeted training against spear phishing attacks.
John Podesta Email Compromise
During the 2016 presidential campaign John Podesta served as campaign chairman for Hillary Clinton. He became well known during the campaign because he was the victim of an infamous spear phishing attack that arguably influenced the result of the election. It began when Podesta received the following email (both forms of the email are shown below):
Figure 2: Podesta Phishing Emails [Image Credit: The Smoking Gun]
At first glance, and especially on a mobile device, the email seems legitimate. But if one knows how to analyze the sender and the link to which the user is being directed, one can determine within seconds that this is a phishing attack, which is why it is so surprising that Podesta fell victim. Podesta’s chief of staff, Sara Latham, forwarded the email to Charles Delavan, an information technology help desk manager, because it seemed suspicious (Bastone, 2016). Delavan replied that the email was “legitimate” (Bastone, 2016) and that “Podesta needed to change his password immediately and enable two-factor authorization of his Gmail account” (Bastone, 2016). In Delavan’s (partial) defense, he did provide the legitimate link to the Gmail page for changing a password, but he did not warn against clicking the link contained in the email. Given that Podesta’s account was compromised, it appears that “Podesta did not follow the password change link provided by Delavan, but instead clicked on the ‘Change Password’ button” (Bastone, 2016) in the original spear phishing email. Below is a more detailed analysis of the text of the email sent to Podesta, with some key indicators pointed out:
Figure 3. Podesta Text and Image Emails (Image Credit: The Smoking Gun)
On closer inspection the sender address was not on google.com but on googlemail.com. That alone proved nothing: googlemail.com is in fact a domain Google uses for Gmail in some countries, and a From: address can be forged in any case, so the sender line is weak evidence in either direction. The decisive indicator was the link. The “Change Password” link given to Podesta was an obvious redirection to a site that was not Google’s, and there is no reason an educated user should ever have clicked it, particularly in the plain-text version of the message, which did not hide the destination behind an image. What is interesting is that “Podesta was not the only Clinton campaign staffer targeted” (Krieg & Kopan, 2016), meaning that it was a broad spear phishing campaign aimed at gaining access to Clinton’s network. SecureWorks, which investigated the Podesta email, found that “108 email addresses” (Krieg & Kopan, 2016) were targeted and that “20 of the links that were sent to those individuals were clicked” (Krieg & Kopan, 2016), two of those clicks being Podesta’s. It is not clear whether the other 18 clicks resulted in compromised accounts (there could be one or many other compromised accounts with leaks still to come), but the fact that roughly 20% of the targeted staff clicked a malicious link is a major cause for concern, because these emails were not even that closely tailored to their recipients. Preventing spear phishing attacks like those against the Clinton campaign is becoming more and more difficult because of the vast quantities of public data that targets willingly make available.
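The two checks described above (is the sender’s domain one the claimed sender actually uses, and does each link go where it says it goes?) are mechanical enough to script. The following Python is an added worked example written for this page; it is not code from the article, from SecureWorks, or from any investigation of the Podesta email. The allow-list of Google domains, the list of link shorteners, and the sample message (a constructed stand-in for the “someone has your password” lure, with placeholder addresses and links) are all assumptions of the example. Note that the sample’s sender domain passes the check, as googlemail.com would have, and the message is still flagged on its links alone:

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: registrable domains the claimed sender (Google, as in the
# Podesta lure) really uses. googlemail.com IS a Google domain, so a match does
# not clear a message; From: is forged trivially unless SPF/DKIM/DMARC are enforced.
EXPECTED_SENDER_DOMAINS = {"google.com", "googlemail.com"}
# Assumed list of link shorteners; "short.example" is a constructed stand-in.
URL_SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "short.example"}

# Constructed sample modeled on the "someone has your password" lure; every
# address, link and phrase is a placeholder, not the real Podesta message.
SAMPLE = b"""From: Google <no-reply@accounts.googlemail.com>
Subject: Someone has your password
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Someone just used your password to try to sign in to your Google Account.
You should change your password immediately: https://short.example/3xampl3

--b1
Content-Type: text/html; charset=utf-8

<p>Someone just used your password to try to sign in to your Google Account.</p>
<p><a href="https://short.example/3xampl3">CHANGE PASSWORD</a></p>
<p>Or sign in at <a href="https://accounts-google.example/signin">https://accounts.google.com</a></p>

--b1--
"""


def registrable_domain(host):
    """Last two labels (accounts.google.com -> google.com). Crude eTLD+1;
    production code should consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(msg):
    """Unique (href, anchor_text) pairs from every text/plain and text/html part."""
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            links.extend(collector.links)
        elif part.get_content_type() == "text/plain":
            urls = re.findall(r"https?://[^\s<>\"']+", part.get_content())
            links.extend((url, "") for url in urls)
    return list(dict.fromkeys(links))


def check_link(href, anchor):
    """Indicators for one link: shortener, off-brand host, or anchor/href mismatch."""
    host = (urlparse(href).hostname or "").lower()
    findings = []
    if host in URL_SHORTENERS:
        findings.append(f"link {href} uses a URL shortener; the real destination is hidden")
    elif registrable_domain(host) not in EXPECTED_SENDER_DOMAINS:
        findings.append(f"link {href} leads to {host}, not a domain of the claimed sender")
    # Anchor text that looks like a URL or domain must agree with the real target.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", anchor.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"link text shows {shown.group(1)} but href goes to {host}")
    return findings


def triage(raw):
    """Sender and link checks over a raw RFC 5322 message; returns a verdict dict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["From"].addresses[0]
    sender_ok = registrable_domain(sender.domain) in EXPECTED_SENDER_DOMAINS
    findings = [] if sender_ok else [f"sender domain {sender.domain} is not one the claimed sender uses"]
    links = extract_links(msg)
    for href, anchor in links:
        findings.extend(check_link(href, anchor))
    findings = list(dict.fromkeys(findings))  # drop duplicates from text+HTML parts
    return {"sender": sender.addr_spec, "sender_domain_expected": sender_ok,
            "links": links, "findings": findings,
            "verdict": "suspicious" if findings else "no indicators found"}
```

Calling `triage(SAMPLE)` returns a verdict of “suspicious” with three findings: the shortened link hides its destination, the sign-in link leads to a non-Google host, and the visible link text disagrees with the real target. The sender check is deliberately treated as weak evidence, because a From: header is forged trivially unless the receiving server validates SPF, DKIM and DMARC, so the link checks carry the weight, as they did in the Podesta case.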
Available Public Information
Espionage “has found a powerful ally in social networks” (Goodman, 129). A famous and expensive example of industrial espionage occurred when the Chinese stole source code from a Massachusetts wind-turbine firm, AMSC, and turned it over to Sinovel, a state-owned company that had previously been buying turbines from AMSC. Sinovel severed its ties with AMSC and cancelled almost one billion dollars in orders, because the stolen source code allowed it to build the turbines itself instead of ordering them from another company.
The Chinese, when they decided to steal the source code, used LinkedIn to determine what employees were working at the firm, and then “completed a review of all employees and their positions” (Goodman, 129) to create a list of targets “likely to have best access to AMSC’s highly prized source code” (Goodman, 129). Their method of searching for a vulnerable employee resulted in Dejan Karabasevic being identified as a primary target which led to his recruitment:
The Chinese began monitoring Karabasevic across a variety of social media sites such as LinkedIn, Facebook, and Twitter. They learned he was going through a nasty divorce and had recently been demoted at work—the exact types of vulnerabilities any modern intelligence agency looks for when targeting potential recruits. Through his various postings, the Chinese were able to re-create Karabasevic’s “pattern of life”—plotting on a map his favorite coffee shops, gyms, and restaurants, his home and office, his travel times, and his daily routines. They also learned that he had a penchant for Asian women. Armed with all of this information, the Chinese began their recruitment process (Goodman, 129).
When Karabasevic was approached, the Chinese knew so much about him that they could offer money and Asian women in exchange for the sensitive company source code to which he had access. They paid him $1.7 million and helped accommodate “his companionship needs” (Goodman, 129) in exchange for the code. To build their mosaic on Karabasevic the Chinese needed no physical surveillance or inside source; the profile was assembled entirely from publicly available information. The money at stake also gave them leeway in how they dealt with their target: securing the source code could save hundreds of millions of dollars, so spending $1.7 million was hardly an issue.
Karabasevic was identified through social media, monitored through social media, and eventually accepted an offer built on information he had willingly made public on social media. That information created an opportunity which the Chinese exploited, costing AMSC nearly a billion dollars. Throughout this process there was no hint that Karabasevic was being surveilled or researched, and thus no way for AMSC to have any warning of his betrayal or awareness of his contact with the Chinese. Once he was approached, the window between first contact and the theft was short, and AMSC had almost no chance to learn that it was about to be compromised. This is an example of how the ubiquity of public information plays into the hands of those conducting espionage, and why spear phishing education is so important.
Spear Phishing Education
Spear phishing is the gateway to more advanced methods of attack and should be the primary focus of organizational information assurance education. In the fight against cybercrime the focus tends to be on technical solutions rather than on educating people. The problem with technical solutions is that “we combine science, engineering, creativity, and careful testing, and often we succeed in solving the technical problem” (Karlan & Appel, 44) and then “instead of taking the same rigorous approach to adoption, we just put the solution out there and expect it to speak for itself” (Karlan & Appel, 44). Current encryption algorithms, correctly implemented, are not practically breakable (and today’s public-key algorithms will likely remain so until large-scale quantum computers exist), Virtual Private Network (VPN) solutions exist to secure internet connections, and most people have anti-virus software on their computers. Yet even with these technical solutions in place, companies remain vulnerable because of the specific nature of spear phishing. Technical controls still matter: mail filtering, link scanning and, above all, a second factor on the account (the very control Delavan recommended to Podesta) limit the damage when a user does click. But no control stops the click itself, attackers continually adapt to technical defenses, and none of these measures protects a user who hands over a password or approves a wire transfer on request. One should never be confident that one has a purely technical defense against spear phishing, because that confidence produces a false sense of security that eventually ends with an account or an organization being compromised. Educating people is the only way organizations can prevent (and eventually deter) spear phishing.
Howard Gardner’s research makes it evident that “when an educational approach is well aligned with one’s stronger intelligences or aptitudes, understanding can come more easily and with greater enthusiasm” (Christensen, Horn, & Johnson, 27). In order to better shape a potential education program, one must first have an understanding of the eight intelligences in Gardner’s model. Below are Gardner’s eight intelligences and an example of someone who is representative of that type of intelligence:
- Linguistic – Ability to think in words and to use language to express complex meanings (Walt Whitman).
- Logical-Mathematical – Ability to calculate, quantify, consider propositions and hypotheses, and perform complex mathematical operations (Albert Einstein).
- Spatial – Ability to think in 3 dimensional ways; perceive external and internal imagery; re-create, transform, or modify images; navigate oneself and objects through space; and produce or decode graphic information (Frank Lloyd Wright).
- Bodily kinesthetic – Ability to manipulate objects and fine tune physical skills (Michael Jordan).
- Musical – Ability to distinguish and create pitch, melody, rhythm, and tone (Mozart).
- Interpersonal – Ability to understand and interact effectively with others (Mother Teresa).
- Intrapersonal – Ability to construct an accurate self-perception and to use this knowledge in planning and directing one’s life (Freud).
- Naturalist – Ability to observe patterns in nature, identify and classify objects, and understand natural and human-made systems (Rachel Carson) (Christensen, Horn, & Johnson, 26).
Gardner’s research also shows that “although most people have some capacity in each of the eight intelligences, most people excel in only two or three” (Christensen, Horn, & Johnson, 27), which means an organization needs to understand that an effective spear phishing education program cannot take the form of PowerPoint presentations to large audiences. Anyone with network access is a potential threat vector if their account or systems are compromised, so a spear phishing education program cannot ignore seven of the eight intelligences simply because a linguistic-centered approach is easier to deliver. To be clear, the author is not proposing sing-along approaches or an impossible system that caters to every individual, but rather an approach centered on spear phishing whose delivery mechanisms are rooted in the eight intelligences, so that an organization can have greater confidence that its program is intellectually accessible. Spear phishing is the single greatest threat to an organization’s network and information and should therefore have an education program that employees understand, embody, and continually access. No technical safeguard can stop an employee from clicking a malicious link or opening a malicious attachment, and so the single biggest threat to an organization can only be deterred through an educated user.
There is a drawback to spear phishing defense: it can slow down communications. The only way to make a link or attachment entirely safe is never to open it. Another method is to verify every unexpected attachment, link, or payment request with the sender by text or telephone, using contact details one already has rather than any number or address supplied in the email itself (an attacker who has compromised or forged the sender’s mailbox controls those). There are other defensive methods, but the key point is that effective spear phishing defense will slow down the speed of communications. The rate of technological progress has outpaced the ability to secure it, and if slowing down the flow of email helps secure an organization against cyber attacks, that is an acceptable opportunity cost.
The increase in networked devices will result in more threat vectors for organizations. Employees that work on-the-move and can check their emails from their cell phone, computer, tablet, smart television, and smart home devices (this is not an all-inclusive list) ensure that phishing techniques will only get more advanced and harder to repel. If 91-percent of APTs start with a phishing or spear phishing attack, and APTs cause major financial/professional damage to organizations, then it would follow that organizations should develop the best education method possible so their employees are armed with the knowledge to avoid falling victim to this type of attack.
Organizational cyber education programs need to address spear phishing, and they need to take a human-centered approach. Organizations need to understand that they are most vulnerable not through their technical security measures, but rather through their employees’ online and email habits outside of the office. The proliferation of networked devices and social media/information sharing platforms will make employees even more vulnerable outside the office, and a pro-active education program that incorporates multiple intelligences into its delivery will go a long way in preventing, and eventually deterring spear phishing attacks.
Bastone, W. (2016, November 7). "Fishstickz" and the Phishing Of John Podesta. Retrieved from: http://www.thesmokinggun.com/documents/crime/podesta-and-fishstickz-298037
Christensen, C., Horn, M., & Johnson, C. (2012). Disrupting Class: How Disruptive Innovation Will Change the Way the World Learns. New York: McGraw-Hill.
Fadilpašić, S. (2016, March 17). LinkedIn used as a 'front door' for phishing attacks. Retrieved from: http://www.itproportal.com/2016/03/17/linkedin-used-as-a-front-door-for-phishing-attacks/
Gat, A. (2014, July 21). Millions of victims lost $12.7B last year falling for Nigerian scams. Retrieved from: http://www.geektime.com/2014/07/21/millions-of-victims-lost-12-7b-last-year-falling-for-nigerian-scams/
Grey, S. (2015). The New Spymasters: Inside the Modern World of Espionage. New York: Macmillan Publishing.
Goodman, M. (2015). Future Crimes: Inside the Digital Underground and the Battle for Our Connected World. New York: Penguin Random House.
INFOSEC Institute (2013, March 26). Unit 61398: Chinese Cyber-Espionage and the Advanced Persistent Threat. Retrieved from http://resources.infosecinstitute.com/unit-61398-chinese-cyber-espionage-and-the-advanced-persistent-threat/
Karlan, D. & Appel, J. (2012). More Than Good Intentions: Improving the Ways the World's Poor Borrow, Save, Farm, Learn, and Stay Healthy. New York: Penguin Publishing.
Krieg, G. & Kopan, T. (2016, October 30). Is this the email that hacked John Podesta's account? Retrieved from: http://www.cnn.com/2016/10/28/politics/phishing-email-hack-john-podesta-hillary-clinton-wikileaks/
Kuchler, H. (2016, October 4). Nigerian Email Sting Leads to Thefts of Millions From Companies. Retrieved from https://www.ft.com/content/72efabc4-582e-11e6-8d05-4eaa66292c32
Murnane, K. (2016, October 21). How John Podesta’s Emails Were Hacked and How to Prevent it From Happening to You. Retrieved from: http://www.forbes.com/sites/kevinmurnane/2016/10/21/how-john-podestas-emails-were-hacked-and-how-to-prevent-it-from-happening-to-you/#6f99be65c028
Singer, P. W. & Friedman, A. (2014). Cybersecurity and Cyberwar: What Everyone Needs to Know. New York: Oxford University Press.
Zetter, K. (2015, April 7). Hacker Lexicon: What are Phishing and Spear Phishing. Retrieved from: https://www.wired.com/2015/04/hacker-lexicon-spear-phishing/
As someone who deals with Russian hacking and the Russian dark side in Berlin.....DAILY.....
Every major Russian hack in the US recently and especially in the US election was led by a phishing attack...and BTW worldwide as well especially against banks.....
All it takes is a single infected computer and it is off to the races.....
If I recall my former government info security online computer training on phishing it had about 20 to 30 questions and if one read and immediately did the section you passed and that was about it for government wide enduser training.....
Sorry to say this BUT unless you pound the threat of phishing into the heads of the enduser and then keep repeating that pounding until it becomes second nature to the enduser....then and only then will we see an overall improvement in combatting phishing attacks....
The weakest link right now is in fact the.....enduser....
Simple set of statistics......for 2016.....
Number of attempted hacks of the overall German military network....
Number of hacks considered to be a possible threat
Actual serious hacking attempts and viewed as serious threats.....
Captain Torrence correctly identifies the perils posed by spearphishing. However, Vishwanath, et al. showed that email processing is predominately a habitual behavior which is not strongly influenced by knowledge or training. See, Vishwanath, et al. "Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model."
Spearphishing is a military deception operation in which the attacker leverages the email processing factors identified by Vishwanath (perceived relevance, urgency clues, habit).
My co author and I discussed spearphishing as a problem of military deception in "Improving Cybersecurity Through Human Systems Integration" at http://smallwarsjournal.com/jrnl/art/improving-cybersecurity-through-hu… In that article we proposed that tools be adopted which allow information assurance to provide email users with trust indicators as a countermeasure to military deception.