Spear phishing: It’s a term we hear a great deal when it comes to cybersecurity, or rather the lack of it. But what is it, really? And why has it been so successful? Since the majority of these attacks begin with a phishing email, what can we do about it?
What is Phishing?
Phishing-related attacks have been a favorite of the hackers’ toolkit for years, and their popularity is growing. In its most basic definition, phishing is an attempt to illicitly obtain account credentials, such as usernames and passwords, from a victim by disguising communication as coming from a trustworthy entity.
That means you could get an email purportedly from your boss, the bank, or even your best friend, but it’s not really from them. It’s from a hacker who is counting on your willingness to let your guard down and follow instructions in the message, which usually tell you to click on a weblink or open a document, both of which will lead to installation of malware that will compromise your security.
Phishing comes in many different varieties, the most common being a “random spraying” of email boxes with generic-type messages. Hackers will send the same message to millions of users with a request to fill in personal details. Any details obtained are then used by the phishers for their illegal activities. Most people are too cyber-aware to fall for that one, but there are always exceptions to the rule, which is why hackers continue to use that method.
A more sophisticated phishing method, called “content injection,” involves changing a component of a trusted website. An individual receives a legitimate-looking message advertising a sale or some other item of interest, inviting them to click through to the relevant web page. Visitors who engage with the compromised feature are taken to a page outside the site, where they’re instructed to fill in their credentials.
Then there’s “spear phishing.” While traditional phishing uses the “spray and pray” approach via the mass sending of emails to as many people as possible, spear phishing is a targeted attack. Messages are tailored to the potential victim to convince them that the communication is legit. This usually means hackers have collected at least basic information on their target, such as their place of employment, names of friends and associates and sites they frequent, helping to make the scam more believable.
One particularly devious form of phishing targets leading company officials. A “whaling” attack is when fraudsters try to harpoon an executive whose credentials grant special access privileges to the organization’s network.
A Growing Threat
Phishing attacks have grown significantly in recent years. According to research published by Kaspersky Labs, phishing attacks doubled in 2018. Attacks are also evolving as hackers develop new techniques to refine their phishing campaigns. For example, researchers at Akamai identified a scheme in which hackers used a fake Google Translate URL to disguise a malicious site. That closely followed the much-publicized Apple phishing scam, in which criminals carefully designed messages that mimicked those from Apple’s App Store.
Hackers don’t just target individuals in their spear phishing campaigns; very often, the victim is an entire corporation. In 2013, hackers managed to penetrate the systems of U.S. retail giant Target after a successful phishing attack on a third-party vendor that had trusted access to Target’s servers. The infamous shutdown of the Ukrainian national power grid in 2015 is another stark example. According to expert investigations into the incident, hackers were able to penetrate the grid with powerful malware by targeting Ukrainian grid workers with a phishing campaign.
Considering the threat posed by phishing, it’s no wonder administrators are scrambling to find answers to this highly dangerous social engineering scheme. The problem is that traditional solutions for securing networks against phishing all amount to a Band-Aid approach. Most experts suggest various methods for training employees to identify fraudulent emails. Some have presented complex solutions, such as applying artificial intelligence to flag suspicious communications.
No Credentials = Nothing to Phish
All of these solutions fall short for one simple reason: They don’t address the basic vulnerability every phishing campaign capitalizes on—the password. The whole point of phishing is to somehow fool victims into giving up their username and password, which can then be used to raid all sorts of accounts—banks, social media, email, work servers, etc. If there were no passwords, if authentication did not rely on username/password logins, then phishing would largely disappear because there would be nothing for cybercriminals to fool out of victims.
What should we use instead of passwords? There are numerous alternative authentication methods that could be used, from biometrics (thumbprints, etc.) to text messages (receiving an SMS with a one-time code), tokens and more. All of these have their benefits and drawbacks, but they are certainly more secure than passwords. The key is to replace the traditional username/password credential pair with high-assurance, out-of-band authentication. As long as passwords exist, there will always be a target for phishers. But removing passwords from the picture eliminates the threat of phishing at its root.