Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Encryption Blog

Spear-Phishing Test Nets a Catch

Created: 22 Oct 2009 • Updated: 05 Nov 2012 • 1 comment
Robin Witty's picture
0 0 Votes
Login to vote

Robin Witty-Senior Product Marketing Manager

When spear-phishing, cybercriminals try to get sensitive data for fraudulent purposes from a specific organization by masquerading as a trusted sender in an email. Email hygiene security products (a must have!) catch the vast majority of email threats, including spear-phishing attempts.

Kelly Jackson Higgins of DarkReading succinctly lays out one case where email security wasn’t triggered. Here’s a short excerpt:

“Joshua Perrymon, CEO of PacketFocus, sent a spoofed LinkedIn email to users in different organizations who had agreed to participate in his test. He was able to get his spoofed message through 100 percent of the time and across a wide variety of major email products and services, including smartphone email tools.

... "I tested [this on] six different enterprise networks using the latest email security technology from most of the major vendors, and not a single one picked up on the spoofed email," Perrymon says.”

... The problem is that most anti-phishing technology is built to catch large-scale phishing attacks, but not the insidious and dangerous small, targeted ones.”

Having encryption software with authentication capability on the recipient’s computer or smartphone would help to ensure that companies don’t get caught in a similar spear-phishing net. Data remains protected and email is authenticated For example, here’s what an encrypted email using PGP® software would look like on a BlackBerry® or Windows® Mobile smartphone. Jack_DefaultEmailCC

With the average cost of a data breach in the US at $6.6M per breach (per Ponemon Institute), preventative measures simply make good sense.

Comments 1 CommentJump to latest comment

ThreatSim's picture

A lot of people think that if they have spam filters it will address their phishing problem. It won't. Spam filters are great for blocking your average spammy email content that we all know too well. However if an attacker crafts an email that sounds perfectly personal and sends from a properly configured domain, there's not a spam filter in the world that will block it. And if it is sent to a small handful of recipients, no way. It pops in the target's inbox where the user must make the right call. 

Authenticatig the sender would work for some circumstances, however I could imagine an attack where the phisher just creates an email that looks like a PGP encrypted message and encourages the target to open the attachment, or click on a link to retrieve the message. At the end of the day so much of the risk comes down to the end user doing the right (or wrong) thing. 

There is no one single solution; but that doesn't mean that you can't try to defend yourself. 

Full disclosure: I'm the CTO at ThreatSim. We created a SaaS that allows customers to simulate phishing attacks. When the target user clicks on something that they shouldn't, they get sent to SpearTraining. Lots of customers ask if they should whitelist our IP address. We say that they should for the reasons stated above. Spam filters just don't work. 

Trevor Hawthorn

Login to vote