One of the big trends this year is spear phishing. These are phish attacks that are frequently (though not always) aimed at high-profile users. The purpose of these attacks is to steal sensitive data or to gain elevated privilege inside the service, typically by exploiting a software vulnerability on the user’s computer that transmits usernames and passwords back to the phisher.
Because of how frequently they have occurred this year, I am sometimes asked what we do to defend against them. I am repurposing some internal documentation that some folks inside of Microsoft have written and adding my own spin on it.
Spear phishes are more difficult to repel using spam filtering because they are not a large campaign aimed at many users (like most spam campaigns), but instead are targeted at you specifically, using information gathered from Facebook, LinkedIn and other places you have left personal information. They look like they come from a personal contact, friend or other trusted party. Because they are small, targeted attacks, they do not show up on the radar of spam filters; they don’t come from compromised IPs (or if they do, they haven’t been used to spam yet), they contain zero-day malware or zero-day links to malware, and the language is designed to evade a content filter.
While a filter does help, it must not be the only line of defense against a spear phish, so users need to be able to recognize one themselves. Some warning signs in spear phishes:
- They directly ask you for data ("please send me your password") by impersonating an official such as your IT department.
- They trick you into clicking a link which compromises your machine ("It's your roommate, click here to look at these pictures I took this weekend").
What can you do to combat this? Here are some common sense things you can do to protect yourself and your company:
- Never give credentials to anyone. Your IT department will never ask you for your username and password in an email (if they do, don’t give it to them). Social networking sites and web mail services won’t, either. In fact, the only ones who ever will ask you for your username and password in an email message are phishers.
- Do not read confidential email from a machine that is not patched regularly. An unpatched vulnerability in the operating system or the browser could be exploited to steal your credentials.
- Make sure that the software you are running on your system is up-to-date. While your IT department takes care of this for most organizations, make sure you do it at home. Are you still running Internet Explorer 6? Windows XP SP1? You shouldn’t be; you should be running IE9 and Windows 7 (or whatever the most up-to-date version of your browser and OS is).
- Never execute scripts (or other executable content) on behalf of anyone unless you see independent evidence that the proper process (ops requests, approvals, etc.) has been followed. If you get a file from someone, did you expect to receive it? Is this normal?
- Use widely different passwords for personal and business applications. That way, if your personal credentials are stolen, you will not put your business at risk at the same time.
- Check your mail forwarding and delegation settings regularly to ensure your mailbox and its contents have nothing weird set up. For example, attackers could add forwarding rules to get your mail; your awesome ideas could all be sent to a hacker in China.
- When sending sensitive information by email, check the SMTP addresses of who you are sending to, not just their display names. Sometimes the autocomplete sends mail to people with similar names if a hacker has uploaded content into your address book.
- If in doubt, change your password.
No security system is perfect. But you should make it as difficult as possible for anyone to attack you and your organization.