Phishing, Spear Phishing, and Whaling

In recent years, the volume of attacks designed to goad users into revealing their credentials and other sensitive information, or into making a financial transaction, has risen to new heights. CDS has configured Proofpoint to prevent many different types of these attacks, but it is still important for users to understand and be able to spot them should a malicious message make it through our defenses.

Types of Phishing

There are three main types of phishing attacks, each described below.

Phishing

Merriam-Webster defines phishing as “a scam by which an email user is duped into revealing personal or confidential information which the scammer can use illicitly.” There are many ways a scammer or attacker can achieve this goal.

A basic phishing attempt is usually not targeted at any specific individual or organization. The attackers are “casting a wide net”, as in actual fishing.

An email purporting to be from your bank telling you that your account has been locked is a good example. It will include a link that may appear to be legitimate but actually goes to a specially crafted web site designed to look like your bank. Once you have entered your username and password at their site, they have achieved their goal and can begin transferring money away from your bank account and into an untraceable, offshore account of their own.

For instance, the link below may appear to take you to Bank of America, but it actually leads to the CDS home page. This is easily verified by hovering the mouse pointer over the link and checking the browser's status bar to see where it actually goes. In Outlook, hovering over the link should produce a tooltip with the real destination.

https://www.bankofamerica.com
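The hover check above can be automated when mail is inspected in bulk. The following is an added example (not part of this page or of Proofpoint) that parses an HTML message body, pairs each link's visible text with its real href, and reports links whose text names one host while the href points to another. The sample body is constructed here; the destination host `login.attacker-placeholder.example` is a placeholder standing in for the CDS home page used in the page's own demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text only "lies" about its destination when it itself looks like a hostname or URL.
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase hostname of a URL or bare domain such as 'www.bank.example/login', or None."""
    value = value.strip()
    if not value:
        return None
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def mismatched_links(html):
    """Return [(visible text, real host)] for links whose text names a host different from the href's host.

    Generic text such as "Click here" is not reported: it cannot contradict the href, and the
    reader must hover (or check the tooltip) to learn where it goes in any case.
    """
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = host_of(text)
        real = host_of(href) if href else None
        if shown and HOST_RE.match(shown) and real and shown != real:
            findings.append((text, real))
    return findings


# Constructed sample body: an honest link, a deceptive link in the style of the page's
# Bank of America example (placeholder destination), and a generic button.
SAMPLE_HTML = """
<p>Your account has been locked. Sign in to restore access:</p>
<a href="https://www.bankofamerica.com">https://www.bankofamerica.com</a><br>
<a href="https://login.attacker-placeholder.example/boa">https://www.bankofamerica.com</a><br>
<a href="https://login.attacker-placeholder.example/boa">Click here to sign in</a>
"""

if __name__ == "__main__":
    for text, real in mismatched_links(SAMPLE_HTML):
        print(f"link text {text!r} actually goes to {real}")
```

Only the second link is reported: its text reads like the bank's address, but the href resolves to a different host. This is exactly the discrepancy the status bar or Outlook tooltip reveals when a user hovers.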

Spear Phishing

Spear Phishing, as the name implies, is targeted at specific individuals or organizations. Attackers may gather data from Facebook, LinkedIn, and other social media sites to create a target profile. They may know you bank with Chase Bank, went to Ohio State University, and know you have a clumsy cat named Oscar. Using this and other data, they can craft special emails designed to trick you, and only you, into clicking a link or giving up credentials.

Attackers at this point are going to go the extra mile to ensnare their victim. If they build a sufficient profile of you, they may know you regularly visit the OSU Alumni Association newsletter page. One arm of the attacker group could work to infect the OSU site with a virus that will infect your computer when you next visit it. They could then send an email purporting to be from OSU informing you that a very important news item has been posted that you should read right away.

They could alternatively send you an email that appears to come from your sister, whom they know about from your Facebook profile. They found out your sister has two children that you like to keep tabs on, so they include a specially crafted .zip file that infects your computer with a keylogger when opened. The email looks like it came from her Yahoo! Mail address (analysis of the header data will show otherwise), and the .zip file might be named something like “Kids' School Picnic Photos”.

At work, they may know you work with the accounts payable department and could send you a fake invoice from a known vendor. Maybe you're in human resources, and they spoof an email from ADP hoping to get access to employee information such as their Social Security numbers.

Whaling

Whaling is the targeting of individuals who are capable of providing large payouts. Anyone who can send a wire transfer is likely to be a target of these attacks. These attacks are built to appear as if they came from a CEO or other high-ranking executive and usually stress the urgency of the matter at hand.

For instance, Umberto Rodriguez works in the accounting and finance department of Example Agency. He receives an email that appears to come from the CEO, Joel Prince, asking if he is available to process a quick wire transfer. Umberto replies that yes, he is available. “Joel” sends the routing information and asks to process ASAP.

In this case, the attacker was very clever. Instead of coming from jprince@example-agency.com, the message is coming from jprince@exarnple-agency.com. (Notice the “r n” instead of “m”.) The scammer had registered a look-alike domain for the specific purpose of this attack.
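The “rn” for “m” trick is one of a small family of visual substitutions, and it can be caught mechanically by reducing both the sender's domain and the organization's trusted domains to a “skeleton” in which such sequences are collapsed. The code below is an added example for this page, not Proofpoint logic; its confusables table is a short hand-picked list (an assumption of this example, not a complete Unicode confusables set), and the trusted-domain list and sender addresses are constructed from the Example Agency scenario above.

```python
import re

# Visually confusable sequences mapped to the glyph they imitate.
# Assumption: a short, hand-picked table; a production check would use a fuller confusables list.
CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "cl": "d",
    "0": "o",
    "1": "l",
    "3": "e",
    "5": "s",
}


def skeleton(domain):
    """Collapse confusable sequences so look-alike spellings map to the same string."""
    d = domain.lower()
    # Longer sequences first, so 'rn' is rewritten before any single-character rule could interfere.
    for seq in sorted(CONFUSABLES, key=len, reverse=True):
        d = d.replace(seq, CONFUSABLES[seq])
    return d


def sender_domain(address):
    """Domain part of 'Name <user@domain>' or a bare 'user@domain'; None if there is no address."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return m.group(1).lower() if m else None


def classify_sender(address, trusted_domains):
    """Return 'trusted' (exact match), 'lookalike' (same skeleton, different spelling) or 'external'."""
    dom = sender_domain(address)
    if dom is None:
        return "external"
    trusted = {t.lower() for t in trusted_domains}
    if dom in trusted:
        return "trusted"
    if skeleton(dom) in {skeleton(t) for t in trusted}:
        return "lookalike"
    return "external"


# Constructed data from the whaling scenario on this page.
TRUSTED = ["example-agency.com"]
SAMPLES = [
    "Joel Prince <jprince@example-agency.com>",
    "Joel Prince <jprince@exarnple-agency.com>",
    "Accounts Payable <ap@vendor-placeholder.example>",
]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(f"{classify_sender(addr, TRUSTED):9s}  {addr}")
```

The second address is reported as a look-alike: its skeleton is identical to that of the real domain even though the two spellings differ. A skeleton check of this kind is deliberately noisy in one direction (a legitimate unrelated domain that happens to collapse to the same skeleton is also flagged), which is acceptable for a rule whose job is to prompt a closer look at the sender before a wire transfer is processed.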

Mitigations to Phishing Attacks

Basic Security

The first line of defense against phishing attacks is having a basic security infrastructure in place. Your organization should have proper policies for allowing wire transfers, encourage users not to use their work email for personal items, require regular password changes, and employ client and server anti-virus software.

Proofpoint

In Proofpoint, CDS has configured multiple defensive layers against phishing attacks.

Anti-Spoofing

Your domain is immune to true spoofing attacks against internal users. By default, only Proofpoint is authorized to send as your domain name. All other providers (e.g. Salesforce, MailChimp, and SAI Global) must have their IP ranges specifically whitelisted in Proofpoint.

This does not prevent your domain from being spoofed outside of your organization, however. Proper use of SPF, DKIM, and DMARC will help with this, but it is not a silver bullet.
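“Proper use” of SPF and DMARC means, in practice, publishing records whose policies actually restrict who may send as your domain. The helper below is an added example (not from this page or from Proofpoint) that parses a DMARC TXT record and the terminal `all` mechanism of an SPF record and reports whether each is enforcing; the records themselves are constructed placeholders. DKIM is verified cryptographically per message and is not covered here.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; rua=mailto:...') into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforces(txt):
    """True when the record is DMARC1 with p=quarantine or p=reject applied to 100% of mail.

    'pct' defaults to 100 per the DMARC specification; a missing 'p' is treated as 'none' here
    (an assumption for robustness, since a real record without 'p' is simply invalid).
    """
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    return policy in ("quarantine", "reject") and pct == 100


def spf_all_qualifier(txt):
    """Qualifier of the terminal 'all' mechanism: '+', '-', '~' or '?'; None if absent or not an SPF record."""
    if not txt.lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        t = term.lower()
        if t in ("all", "+all", "-all", "~all", "?all"):
            return "+" if t == "all" else t[0]
    return None


def spf_is_restrictive(txt):
    """True when senders not listed in the record fail (-all) or soft-fail (~all).

    '+all' (or a bare 'all') lets anyone pass, and '?all' expresses no opinion; neither restricts anything.
    """
    return spf_all_qualifier(txt) in ("-", "~")


# Constructed placeholder records; the include host is not Proofpoint's real SPF include.
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-agency.com"
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-agency.com"
SPF_GOOD = "v=spf1 include:_spf.mailhost-placeholder.example -all"
SPF_OPEN = "v=spf1 ip4:192.0.2.0/24 +all"

if __name__ == "__main__":
    for label, rec in [("DMARC", DMARC_GOOD), ("DMARC", DMARC_MONITOR_ONLY)]:
        print(f"{label} enforcing={dmarc_enforces(rec)!s:5}  {rec}")
    for rec in (SPF_GOOD, SPF_OPEN):
        print(f"SPF restrictive={spf_is_restrictive(rec)!s:5}  {rec}")
```

A `p=none` DMARC record only asks receivers to send reports; it does nothing to stop a spoofed copy of your domain reaching an outside recipient. Likewise, an SPF record ending in `+all` authorizes every host on the Internet, which is why the page calls these controls a help rather than a silver bullet.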

Attachment Management

CDS has configured Proofpoint to block the most commonly used malicious file types. Legitimate file types are still scanned for the presence of macro viruses and other malicious content, such as the use of .zip file buffer overflow vulnerabilities.

Spam Scanning

Each tenant is configured to use at least a moderate level of spam scanning. Proofpoint's scan engine detects most of the broad phishing attempts and rejects, bounces, or quarantines them depending on each tenant's individual settings.

Content Examination

CDS Messaging continues to work with the CDS SOC to determine patterns in the attacks we see. When a pattern is found, we create a content examination policy that triggers an alert to the SOC when an email matching that pattern is received. For instance, one such policy alerts on any email containing “wire transfer” that comes from domains hosted at a particular ISP.
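To show what such a content examination rule looks like when expressed as code, here is an added example (not Proofpoint's policy engine or the SOC's actual rule) that evaluates raw messages against the “wire transfer” pattern above. It takes the originating IP from the earliest `Received:` header and checks it against a suspect netblock; both the netblock (`203.0.113.0/24`, a documentation range standing in for the ISP's real ranges) and the sample messages are constructed, with headers modelled on the Example Agency whaling scenario on this page.

```python
import ipaddress
import re
from email import message_from_string

# Constructed placeholder for the ISP netblock the SOC has flagged (RFC 5737 documentation range).
SUSPECT_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]
KEYWORDS = ("wire transfer",)

# Bracketed IPv4 literal as written by most MTAs in Received: headers.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(msg):
    """IP from the earliest Received: header (headers are prepended, so the last one is the first hop)."""
    for hdr in reversed(msg.get_all("Received") or []):
        m = RECEIVED_IP.search(hdr)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def body_text(msg):
    """Concatenate all text/plain parts of the message, decoded to str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def matches_rule(raw):
    """Return (matched, reason) for one raw RFC 5322 message string."""
    msg = message_from_string(raw)
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hit = next((k for k in KEYWORDS if k in text), None)
    if hit is None:
        return (False, "no keyword")
    ip = originating_ip(msg)
    if ip is None:
        return (False, "no originating ip")
    if any(ip in net for net in SUSPECT_NETBLOCKS):
        return (True, f"'{hit}' from {ip}")
    return (False, f"'{hit}' but {ip} not in suspect netblocks")


# Constructed sample messages.
SAMPLE_HIT = """\
Received: from mx.example-agency.com (mx.example-agency.com [192.0.2.10]) by inbox.example-agency.com; Mon, 1 Jan 2024 09:00:00 +0000
Received: from mail.isp-placeholder.example (mail.isp-placeholder.example [203.0.113.45]) by mx.example-agency.com; Mon, 1 Jan 2024 08:59:58 +0000
From: "Joel Prince" <jprince@exarnple-agency.com>
To: urodriguez@example-agency.com
Subject: Quick favor

Umberto, are you available to process a quick wire transfer? Need it done ASAP.
"""

SAMPLE_OTHER_ISP = SAMPLE_HIT.replace("[203.0.113.45]", "[198.51.100.7]")

SAMPLE_BENIGN = """\
Received: from mx.example-agency.com (mx.example-agency.com [192.0.2.10]) by inbox.example-agency.com; Mon, 1 Jan 2024 09:00:00 +0000
Received: from mail.isp-placeholder.example (mail.isp-placeholder.example [203.0.113.45]) by mx.example-agency.com; Mon, 1 Jan 2024 08:59:58 +0000
From: newsletter@vendor-placeholder.example
To: urodriguez@example-agency.com
Subject: Monthly product update

Here is what changed this month.
"""

if __name__ == "__main__":
    for name, raw in [("hit", SAMPLE_HIT), ("other-isp", SAMPLE_OTHER_ISP), ("benign", SAMPLE_BENIGN)]:
        print(name, matches_rule(raw))
```

Only the first message satisfies both halves of the rule. The same structure (keyword match plus an origin condition) is what makes a content examination policy precise enough to page the SOC without flooding it with every legitimate mention of a wire transfer.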

User Education

Users should be trained to follow company policies regarding wire transfers, use social media appropriately, never open or execute unexpected attachments, verify links in email before clicking them, and always check the sender's email address carefully when something looks suspect.