FBI Warns of Spear-Phishing Attacks

Mobility Linked to Uptick in Targeted E-mails

By , July 2, 2013.
Spear-phishing attacks are up, and they are targeting individuals across all industries, according to a new warning issued by the U.S. Federal Bureau of Investigation.

And the uptick is at least partially linked to increasing use of mobile devices for e-mail access and online browsing, say financial fraud experts. Mobile communication poses new challenges for authentication and subsequent fraud prevention, says Aite consultant Shirley Inscoe.

"Out of band authentication is very effective," Inscoe says. "But as more people are using smart devices to initiate transactions, the device is no longer out-of-band to authenticate the customer. In other words, if I initiate a transfer from my iPhone, calling my iPhone is in-band, not out-of-band, to authenticate the transaction. This is an issue bankers are really struggling with currently."

In its latest warning, the FBI's Internet Crime Complaint Center points out that incidents of spear phishing - targeted phishing attacks - are increasingly taking aim at employees with administrative rights and access to critical systems. This is a trend BankInfoSecurity confirms in preliminary results collected for its 2013 Faces of Fraud Survey. When asked how the number of phishing attacks aimed at employees had changed in the past 12 months, 45 percent of respondents note the attacks have increased.

In its release, the FBI points out that these attacks also are targeting consumers, by relying on personal information collected about these users from public posts on social media sites and blogs, as well as with data collected from other breaches, to make the fraudulent e-mails appear legitimate. They ultimately convince consumers to click links that take them to spoofed sites containing malware or to provide logins and passwords that allow the attackers to compromise online banking accounts, the FBI warns.

Experts say the best protection includes layers of security and the adoption of e-mail authentication strategies, such as DMARC - the Domain-based Message Authentication, Reporting and Conformance initiative. But even with these protections, the sophistication of these attacks, coupled with increased mobile usage, puts organizations in a position to assume that at some point their brands will be used for malicious purposes, such as spear phishing.

"In reality, any company with significant intangible assets - software code, very well followed Twitter accounts, financial services companies, etc. - is vulnerable to this type of attack," says Bob Pratt, vice president of product management for online security provider Agari.

FBI Warning

The FBI's IC3 says spear-phishing attacks are targeting multiple industries, and that the end goal is to steal IP or compromise banking credentials. "Cyber-criminals target victims because of their involvement in an industry or organization they wish to compromise," the IC3 states. "Recent attacks have convinced victims that software or credentials they use to access specific websites need to be updated. The e-mail contains a link for completing the update."

Jenny Shearer, an FBI spokeswoman, says this latest warning is just one in a series of public notices the IC3 has issued in recent months about the increasing sophistication of spear-phishing attacks. "The FBI has become aware of new variations of spear-phishing attacks and has seen a slight increase in these particular schemes in the past 12 months," she says.

These increases have been noted by the FBI through the number of complaints it receives as well as from information collected during cyber-attack investigations, Shearer adds.

The FBI advises consumers that they will never be asked by their banking institution or merchant to provide usernames and passwords via e-mail, and that if there is doubt about the legitimacy of an e-mail, consumers should directly contact the company purportedly sending the e-mail. The FBI also suggests consumers update their anti-virus software and firewalls, and ensure their Internet browsers have built-in phishing filters as an additional layer of protection.

Spear Phishing: A Challenge to Detect

Follow Tracy Kitten on Twitter: @FraudBlogger
