Posted 11 December, 2015 by Kristin Antin

Don’t be a Phish: How to protect your team from a spear phishing attack


Sad fish (Credit: Norman Oliver)

We’re all familiar with phishing attacks. I hope that by now when you get an email from a friend who has lost their wallet in Spain, you don’t send them 2,000 Euro by Western Union! But what about an email from someone you think is a friend or peer at another organization who is asking for your help? Would you think twice before clicking on that link? What would your colleagues do in this situation?

It’s scary to think about, but spear phishing (the kind of targeted phishing attack in the scenario above) is a real and serious threat to social change organizations. Social change organizations have many adversaries who want to disrupt their work; stealing information and intercepting communication via phishing is often an effective approach for them to take. In one documented case from 2014, a staff member of the Electronic Frontier Foundation in Vietnam received an email inviting him/her to attend an Oxfam conference. The email contained malicious links and attachments that contained malware. And here’s an article on Citizen Lab’s recent research that finds hackers targeting dissidents and journalists in South America with spying malware that was implanted onto their devices using spear phishing tactics.

This blog post is a collection of mitigation techniques that an organization may want to consider when developing their approach to protect their team from spear phishing attacks. The techniques are organized by two types:

  1. build awareness among staff of the threat, and
  2. give staff the tools to detect and avoid these attacks.

Build awareness among staff of the threat

The first step to strengthening your organization’s ability to defend itself against spear phishing attacks is to help your team understand this threat and its potential impact.

The threat: spear phishing

Spear phishing is a targeted and often sophisticated attack on an individual in which the phisher poses as someone you know and/or trust in order to gain clandestine access to the individual’s account(s) and/or device. The phisher will either:

  • gain access to an account(s) by obtaining the individual’s password, and/or
  • gain access to the device by installing malware that the phisher will use to access devices, networks and accounts.

With this access, phishers can:

  • intercept communications,
  • access financial, planning, contractual information, etc.,
  • pose as the individual in communications,
  • install devastating viruses on the individual’s machine and/or other machines via the organization’s network,
  • delete information,
  • and other negative consequences.

Communicating the potential impact of spear phishing

A successful spear phishing attack can result in a range of harmful impacts to the organization, including:

  • financial theft could cripple the organization,
  • loss of critical information could impact the organization’s ability to reach goals,
  • interception of communications and access to private information could damage the organization’s reputation if made public, and
  • communications that appear to come from the organization could damage important relationships and reputation.

This information about the threat and potential impact of spear phishing needs to be communicated carefully. Solutions must always be presented with threats. Communicating the threats and impact without solutions will leave your staff feeling overwhelmed, confused, and scared. And in order for your organization to effectively mitigate the risk of a spear phishing attack, your staff need to feel confident and empowered.

Give real-world and realistic examples to build awareness

What does spear phishing look like? Make this threat more concrete by showing your staff examples.

Citizen Lab’s report titled Communities at Risk: Targeted Digital Threats against Civil Society includes an Appendix with real-world examples of spear phishing emails sent to human rights defenders.

You may want to also consider developing likely spear phishing emails for your own context.

In addition to simply sharing examples, you may want to use a technique that is more engaging for your team: quizzes and games! We found one existing quiz from McAfee, and this one from OpenDNS (Cisco). We also came across this collection of phishing training modules from Wombat (originally developed by Carnegie Mellon CyLab). You might also be able to get some help in making your own quiz or game that speaks more directly to your at-risk colleagues.

Some organizations use tests; they send periodic phishing emails to their staff. This approach must be taken with great care because it may negatively impact morale, trust, and your staff’s digital security confidence (what’s the point of following these rules when I can obviously be tricked by my own organization?). It may make sense for a security consultant from outside of your organization to carry out an activity that can get at the same goal – building awareness and making this threat concrete – but in a way that is clearly focused on improving security and empowering staff.

Give staff the tools to detect and avoid these attacks

There are two kinds of spear phishing attacks to be aware of, and each requires different mitigation tactics:

  1. Attacks aimed at getting your credentials. The attacker might ask you to send them in an email, or send you to a phishing site that will ask you to log in, at which point your password will be stolen.
  2. Attacks aimed at installing malware onto your computer. The attacker can install malware via a malicious link or via an email attachment that you download.

Techniques to reduce vulnerability to attacks aimed at getting your passwords

  • Never, ever, ever send passwords in email. (This could be an organizational policy.)
  • To visit URLs shared in emails from others, always type out URLs instead of just clicking through or copying / pasting.
  • Manually go to the site that appears to have sent you the email to investigate its veracity.
  • Inspect the email headers if you’re suspicious. You may find more information about the sender’s actual email address. (See page 3 of this appendix for an example.)
  • View your email in plaintext only to see more information about the links that are hiding behind your HTML email.
  • When investigating URLs sent to you in emails, be cautious of these signs:

–> lack of SSL certification (that’s the “s” in “https://”)

–> weird URL upon scrutiny (additional, unexpected letters and punctuation, strange domain extensions, etc.)

–> short URLs can hide suspicious URLs. Manually go to the site that appears to have sent you the email to investigate its veracity. You can also use a URL-expansion service to see where the link leads without actually visiting the site.

–> You know something is wrong when a link in an email brings you to a page that asks you to sign in to a website that you are already logged into!

  • Never share shortened URLs. If your team knows that their colleagues wouldn’t share a shortened URL, they won’t be tricked into a phishing attack that looks like an email with a link from their colleague. (This could be an organizational policy.)
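The header and link checks in the list above can be partly automated. The following is an added example, not code from the original post: it compares the Reply-To domain with the From domain and inspects each link in an HTML body. The `*.example` domains, the shortener list, and the names `review`, `domain` and `LinkCollector` are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # illustrative, not exhaustive

# Constructed sample message; every *.example domain is a placeholder.
SAMPLE = """\
From: "Partner Events" <events@partner.example>
Reply-To: desk@mail-partner.example
Content-Type: text/html; charset="utf-8"

<p>Register: <a href="http://partner.example.signup.example/reg">https://partner.example/register</a></p>
<p>Agenda: <a href="https://bit.ly/abc123">agenda</a></p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:  # only keep text that sits inside a link
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain(header_value):  # "Name <user@host>" -> "host"
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def review(raw):  # returns a list of warning strings for one raw message
    msg, findings = message_from_string(raw), []
    if msg["Reply-To"] and domain(msg["Reply-To"]) != domain(msg["From"]):
        findings.append("reply-to domain differs from sender: " + domain(msg["Reply-To"]))
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if urlparse(href).scheme == "http":  # the missing "s" in https
            findings.append("no https: " + href)
        if host in SHORTENERS:
            findings.append("shortened link hides destination: " + href)
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown.lower() != host:  # link text names a different site
            findings.append(f"text shows {shown} but goes to {host}")
    return findings
```

A clean result from these checks does not make a message safe; they only surface the specific signs listed above.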

Techniques to reduce vulnerability to attacks aimed at installing malware

Defending against attacks aimed at installing malware onto your computer requires that your staff don’t open or download the files that carry it. The malware could arrive in the form of a link to a download, in which case you can reduce this risk by reviewing the tools and tactics above. To reduce the likelihood that your staff download files that carry malware, SumOfUs may want to develop policies such as:

  • For internal emails, use your organization’s shared file system to share files (give the URL or share the path) instead of using attachments.
  • Make a system available to staff where they can create a private upload or download point (e.g. Peerio, SpiderOak) to share/receive files. Then have your mail system strip out all attachments before they end up in your staff’s email box.
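The attachment-stripping policy described above could look like the following in a mail filter. This is an added example, not code from the original post: it uses Python's standard `email` package, and the function names, the notice wording and the placeholder addresses are assumptions. Real mail read from disk or a socket should be parsed with `policy=email.policy.default` so that parts expose the same methods.

```python
from email.message import EmailMessage, MIMEPart

def build_sample():
    # Constructed message: one text body plus one attachment (placeholder addresses).
    msg = EmailMessage()
    msg["From"] = "events@partner.example"
    msg["To"] = "staff@org.example"
    msg["Subject"] = "Conference invitation"
    msg.set_content("The agenda is attached.")
    msg.add_attachment(b"constructed file bytes", maintype="application",
                       subtype="octet-stream", filename="agenda.doc")
    return msg

def _strip(part, removed):
    # Recursively drop sub-parts marked as attachments or carrying a filename.
    if part.get_content_maintype() != "multipart":
        return
    kept = []
    for sub in part.iter_parts():
        if sub.is_attachment() or sub.get_filename():
            removed.append(sub.get_filename() or sub.get_content_type())
        else:
            _strip(sub, removed)
            kept.append(sub)
    part.set_payload(kept)

def strip_attachments(msg, upload_hint="the shared upload point"):
    """Remove attachments in place, append a notice, return the removed names."""
    removed = []
    _strip(msg, removed)
    if removed:
        # Tell the recipient what happened so they can ask for the file safely.
        notice = MIMEPart()
        notice.set_content(
            f"Removed by mail policy: {len(removed)} attachment(s).\n"
            f"Ask the sender to use {upload_hint}.")
        msg.attach(notice)
    return removed
```

Inline parts that carry a filename are removed as well, since a filter that checked only the attachment disposition would let them through.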

These techniques aren’t fool-proof, so put additional barriers in place

Even with all of these techniques put into place, it’s still possible (and potentially likely) that a phisher will be able to obtain a password. But you can put additional barriers in place to prevent malicious access to your staff’s accounts.

App-based two-factor authentication will prohibit a phisher from accessing an account, even with the password, because it adds an additional barrier. However, this approach is strongest when staff use unique passphrases per website/service to ensure the attacker cannot get access to other services/sites if they are able to access one passphrase.

Front Line Defenders and Tactical Tech’s Security-in-a-box chapter on malware explains how to maintain your software and use tools like Avast, Spybot and Comodo Firewall to protect your computer against malware infection and hacker attacks.

Additional Resources:

Many of these tips came from others in the dig sec community, including Michael Carbone and Eleanor Saitta. Thank you for sharing your knowledge on this topic!

We’ll continue to learn and document spear phishing mitigation techniques. If you have any tips, ideas or questions to share – please add a comment below!
