By Chris Matthews, HFMWeek
It is the most prevalent internet and email threat today. The phishing attack with its ‘spear’ and ‘vish- ing’ mutations has become the cyber-criminal’s weapon of choice and hedge funds are becoming increasingly concerned by this modern-day confidence trick.
On the surface it is a regular email scam. A message landing in inboxes with malicious links and virus-ridden attachments, but where the phishing attack differs from classic lottery scams and Nigerian princes offering inheritances, is in its apparent legitimacy.
As threats continue to mushroom in number and organisations ramp up security measures, attackers are now deploying more and more sophisticated methods to try and outwit their online targets.
“Phishing scams are dangerous and the main reason is because there is so many of them and they are getting better and better every day,” says Grigoriy Milis, CTO at financial security firm Richard Fleischman & Associates.
“The early phishing scams were easily recognised because the English was bad and it just looked ridiculous –you could spot them a mile away. But now, the language, the whole look of the email, the fake websites being used look pretty much like the real thing.”
Phishing, and other similar cyber-attacks, costs organisations on average $31,000 per attack according to a recent data breach survey by the Ponemon Institute, while more than 75% of CTOs questioned for HFMTechnology’s latest survey cited phishing as the greatest threat to security.
But while normal phishing emails can look potentially suspect, the spear-phishing variant is much harder to detect.
Milis, whose firm works with multiple hedge funds and financial institutions, says: “The big danger for this particular industry is coming from spear-phishing attacks.
“These attacks are very specifically targeted attacks and are not necessarily targeting a specific organisation but an individual inside that organisation.”
It was reportedly a spear-phishing attack that led to the release of nude images of more than 100 Hollywood celebrities in September and also the tactic used by Russian hackers, Sandworm, to spy on NATO’s correspondence earlier this year.
Like the dart-end of a harpoon, spear-phishers pin-point specific targets within an organisation and often arrive as messages from internal employees or associated third-parties.
Alongside the threat of spear-phishing, firms are being increasingly targeted by vishing – voice phishing – attacks.
“You might receive an email from your IT department saying they’ve detected some illegitimate activity on your PC and the company’s support department will contact you to investigate,” Milis says.
“You will receive a phone call from somebody pretending to be a support engineer and they will ask for remote access into your PC, meanwhile if you allow them to do this they will plant the malware – and this is one of the elements of social engineering that goes into spear-phishing.”
Gaining access to a firm’s network, even if only one em- ployee’s computer, can open the rest of the company up and lead to a myriad of other attacks such as Ransomware, Cryp- tolocker and APTs.
“The latest trend is using a cloud file-sharing site as a repository for the malware. Because it has become so popular for people to share files over the cloud, you don’t have to create some crazy URL that is easily recognisable and looks legitimate to plant the malware,” Milis says.
“Another reason why people use it is because it is typically an encrypted connection. A lot of filtering systems are unable to actually see what is inside the encrypted tunnel when you are downloading the file and it allows them to bypass detection on certain systems. It reminds people that you cannot be reliant on your perimeter defences alone.”
From malware and anti-virus software to specific data loss prevention functions and sender policy framework initiatives, there are a number of possible phishing defences, while employee education is seen as another key tool in combating the threat.
The CTO of a $3bn US hedge fund told HFMWeek: “Phishing in general is obviously a high priority for us. We do annual phishing exercises and we’ve incorporated the results of those exercises into our security awareness training programme. When we hire a new person they have to go through the whole process and then every year they have to re-certify and we bring in a third party to do an objective assessment.”
As regulators in the US and Europe approach cyber-security with increasing zeal, the majority of firms are clearly placing greater emphasis on security needs.
“Cyber security is something that is very much in discussion at the moment. We are aware of it being a key focus of the regulators both here and in the US,” Murtagh says. “We have just updated our cyber-security policies and we have internal procedures to update them at least every quarter, or more frequently if required. Because the technology is changing we need to be constantly aware of it and incorporate these changes.”
Undoubtedly a phishing attack could cause significant financial and reputational damage to a firm, but with specific policies and education in place the phishing threat and its various guises can be reeled in.
As Murtagh concludes: “The technologies, however, will only work so far – really it is down to staff training, strict internal policies, common sense and being cautious. These attacks are only going to become more subtle and sophisticated, requiring firms to remain even more vigilant.”
Excerpted from “Gone Phishing” (HFMWeek, October 2014)