FBI Warns of Spear-Phishing Attacks
Mobility Linked to Uptick in Targeted E-mails
And the uptick is at least partially linked to increasing use of mobile devices for e-mail access and online browsing, say financial fraud experts. Mobile communication poses new challenges for authentication and subsequent fraud prevention, says Aite consultant Shirley Inscoe.
"Out-of-band authentication is very effective," Inscoe says. "But as more people are using smart devices to initiate transactions, the device is no longer out-of-band to authenticate the customer. In other words, if I initiate a transfer from my iPhone, calling my iPhone is in-band, not out-of-band, to authenticate the transaction. This is an issue bankers are really struggling with currently."
In its latest warning, the FBI's Internet Crime Complaint Center points out that incidents of spear phishing - targeted phishing attacks - are increasingly taking aim at employees with administrative rights and access to critical systems. This is a trend BankInfoSecurity confirms in preliminary results collected for its 2013 Faces of Fraud Survey. When asked how the number of phishing attacks aimed at employees had changed in the past 12 months, 45 percent of respondents note the attacks have increased.
In its release, the FBI points out that these attacks also are targeting consumers, by relying on personal information collected about these users from public posts on social media sites and blogs, as well as with data collected from other breaches, to make the fraudulent e-mails appear legitimate. They ultimately convince consumers to click links that take them to spoofed sites containing malware or to provide logins and passwords that allow the attackers to compromise online banking accounts, the FBI warns.
Experts say the best protection includes layers of security and the adoption of e-mail authentication strategies, such as DMARC - the Domain-based Message Authentication, Reporting and Conformance initiative. But even with these protections, the sophistication of these attacks, coupled with increased mobile usage, puts organizations in a position to assume that at some point their brands will be used for malicious purposes, such as spear phishing.
"In reality, any company with significant intangible assets - software code, very well followed Twitter accounts, financial services companies, etc. - is vulnerable to this type of attack," says Bob Pratt, vice president of product management for online security provider Agari.
The FBI's IC3 says spear-phishing attacks are targeting multiple industries, and that the end goal is to steal IP or compromise banking credentials. "Cyber-criminals target victims because of their involvement in an industry or organization they wish to compromise," the IC3 states. "Recent attacks have convinced victims that software or credentials they use to access specific websites need to be updated. The e-mail contains a link for completing the update."
Jenny Shearer, an FBI spokeswoman, says this latest warning is just one in a series of public notices the IC3 has issued in recent months about the increasing sophistication of spear-phishing attacks. "The FBI has become aware of new variations of spear-phishing attacks and has seen a slight increase in these particular schemes in the past 12 months," she says.
These increases have been noted by the FBI through the number of complaints it receives as well as from information collected during cyber-attack investigations, Shearer adds.
The FBI advises consumers that they will never be asked by their banking institution or merchant to provide usernames and passwords via e-mail, and that if there is doubt about the legitimacy of an e-mail, consumers should directly contact the company purportedly sending the e-mail. The FBI also suggests consumers update their anti-virus software and firewalls, and ensure their Internet browsers have built-in phishing filters as an additional layer of protection.
Spear Phishing: A Challenge to Detect
Online threat researcher Daniel Cohen, who works for security firm RSA, says most spear-phishing e-mails are successfully getting past conventional anti-malware and signature-based tools. "User education to spot potential spear-phishing e-mails can help," he says. "Still, education only goes so far, which is where rapid detection and response plays a very important role."
This is why security teams are more often fighting spear phishing with a combination of techniques and solutions that help to detect anomalous activity, he adds. "Threat intelligence feeds can help security teams with situational awareness of emerging malware or threat activity seen recently in the wild."
Real-time analysis, through the review of big data streams from multiple sources, such as network forensics and endpoint identification tools, can detect anomalies, even if they are faint, Cohen says. Those anomalies often reveal network intrusions that can be traced back to spear phishing, he adds.
Advice for Banks, Others
Security experts say individual adoption of security measures can only go so far. Most professionals and consumers alike are not well advised about their spear-phishing risks, which is why e-mail security initiatives such as DMARC are a better solution, says Agari's Pratt.
Pratt says DMARC adoption has stopped more than 85 percent of the phishing attacks hitting U.S. consumers and 60 percent of these attacks worldwide.
DMARC has made it more difficult for fraudsters to craft phishing e-mails that look legitimate, he says. "You're more likely to fall for a phishing message claiming to come from chase.com than one from jpmorganchaseemail.tv," Pratt says.
But other online security experts have been critical of DMARC. In order to be truly effective, all e-mail providers and hosting companies have to adopt it, says RSA's Cohen. And while many web-based e-mail providers such as Gmail have embraced DMARC, most corporate e-mail accounts using Microsoft Outlook have not, he says. This chasm in DMARC adoption leaves security holes for phishers, Cohen adds.
"Spear phishing is a tactic that is only part of the larger attack which is usually focused on obtaining credentials to gain access to private networks and sensitive information," he explains. "DMARC does not address this, mainly because of limited adoption and deployment on corporate e-mail servers."
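As an added illustration, not from the article or the FBI notice, the check below is what a receiving mail server does with a sender's DMARC record, and it shows both why DMARC blocks mail that spoofs chase.com and why Pratt's lookalike domain escapes it (the receiver finds no policy to enforce, which is also Cohen's adoption point). The DNS records are constructed stand-ins for real lookups, and the alignment logic is simplified: it compares domain suffixes and skips the RFC 7489 organizational-domain (public suffix list) step.

```python
"""Simplified DMARC disposition check (added example, not the article's code)."""

# Constructed TXT records standing in for DNS lookups of _dmarc.<domain>.
# Only the brand domain publishes a policy; the lookalike domain publishes none.
DNS_TXT = {
    "_dmarc.chase.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.invalid",
}


def parse_dmarc(record: str) -> dict:
    """Parse a 'tag=value; tag=value' DMARC record, applying the RFC defaults
    for alignment mode (relaxed) when the tags are absent."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the
    From: domain; relaxed ('r') also accepts a subdomain of it.
    Simplification: a plain suffix test instead of an organizational-domain lookup."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if auth_domain == from_domain:
        return True
    return mode == "r" and auth_domain.endswith("." + from_domain)


def dmarc_disposition(from_domain: str, dkim_pass_domains: list, spf_pass_domain) -> str:
    """Return 'pass', the publisher's requested policy ('none'/'quarantine'/'reject'),
    or a note that no record exists. dkim_pass_domains are the d= values of DKIM
    signatures that verified; spf_pass_domain is the domain SPF authorised, or None."""
    record = DNS_TXT.get("_dmarc." + from_domain.lower())
    if record is None:
        # Nothing to enforce: a lookalike domain with no record is simply unchecked.
        return "none (no DMARC record published)"
    tags = parse_dmarc(record)
    dkim_ok = any(aligned(d, from_domain, tags["adkim"]) for d in dkim_pass_domains)
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, tags["aspf"])
    if dkim_ok or spf_ok:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    # Legitimate mail signed by the brand itself.
    print(dmarc_disposition("chase.com", ["chase.com"], None))
    # Spoofed From: chase.com, but authenticated only by the attacker's own domain.
    print(dmarc_disposition("chase.com", ["bulk-mailer.example"], "bulk-mailer.example"))
    # Lookalike domain from Pratt's quote: authenticates fine, but no policy exists.
    print(dmarc_disposition("jpmorganchaseemail.tv", ["jpmorganchaseemail.tv"], None))
```

The three calls return "pass", "reject" and the no-record note respectively: DMARC stops exact-domain spoofing of a publishing domain but says nothing about a registrable lookalike, and it protects nothing for domains that never publish a record.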
This is why, Cohen says, more analytics are needed, to leverage different security and network device data streams. "These attacks are mostly going after corporate credentials in an attempt to get into the organization in order to steal valuable data that can somehow be copied and/or monetized," Cohen says. "Therefore, industries that are rich in sensitive and valuable information such as manufacturing, pharma, technology, healthcare, energy, government and defense are major targets."
Inscoe echoes that point, noting that the best protections, regardless of the industry, include complex device identification with proxy piercing, to address increased mobile browsing, behavioral analytics, and out-of-band authentication.
"Solutions that protect a browser session cannot be penetrated by the malware, and, thus, sessions cannot be taken over by the bad guys," she says. "Behavioral analytics are also highly effective unless the bad guys are very patient and keep activity within the norm for the accountholder they are stealing from."