Spear phishing paves road for Advanced Persistent Threats

Cyber intrusions that remain undetected for long periods of time and leak information to hackers and online spooks are on the rise, spearheaded by an aptly-named form of spam called spearphishing.

Between 2010 and 2011, Advanced Persistent Threat (APT) attacks more than doubled, said Firmex, a provider of virtual data rooms. It also noted that 91 percent of APT attacks involved spearphishing.

Phishing and spearphishing are two distinct forms of spam, and while conventional spam has been losing favor among hackers, both remain popular.

Phishing messages masquerade as communication from a trusted source -- a bank or credit card company, for example -- in order to obtain personal information, such as usernames, passwords or credit card numbers.

Spearphishers want that kind of information, too, and much more. Their messages, however, pretend to be from sources the recipient trusts personally -- an employee's manager, the head of the company's IT department, a friend from Facebook or a headhunter the person has dealt with before -- which makes the recipient far more likely to do what the message instructs.
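The impersonation pattern described above, as an added example that is not part of the original article or from any of the vendors quoted in it: a short Python check that flags an inbound message whose display name belongs to an internal colleague but whose address, sending domain or Reply-To does not match. The company domain, the staff list and the two sample messages are constructed assumptions for illustration.

```python
"""Display-name impersonation check for inbound mail.

Added example, not from the CSO article or any vendor quoted in it.
A spearphishing message that pretends to come from "the employee's manager"
or "the head of IT" usually carries an internal person's display name on an
external address, a domain that merely resembles the company's, or a
Reply-To that drags the conversation elsewhere. The domain, staff list and
messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's own domain and the staff most likely to be
# impersonated, keyed by the display name a recipient would recognise.
INTERNAL_DOMAIN = "example.com"
INTERNAL_STAFF = {
    "Dana Ruiz": "dana.ruiz@example.com",   # head of IT
    "Sam Patel": "sam.patel@example.com",   # a line manager
}


def _domain(address: str) -> str:
    """Lower-cased part after the last '@', or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def impersonation_findings(raw_message: str) -> list:
    """Return 'code: detail' strings for each impersonation signal found.

    An empty list means none of the three heuristics fired. The checks are
    deliberately simple; they complement, not replace, SPF/DKIM/DMARC.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    findings = []

    # 1. A known colleague's name on an address that is not theirs.
    expected = INTERNAL_STAFF.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        findings.append(
            f"display-name-mismatch: '{from_name}' is {expected}, "
            f"not {from_addr}"
        )

    # 2. A sending domain that borrows the company's label but is not the
    #    company's domain (example-it-support.com, example.co, ...).
    label = INTERNAL_DOMAIN.split(".")[0]
    if from_dom and from_dom != INTERNAL_DOMAIN and label in from_dom:
        findings.append(
            f"lookalike-domain: {from_dom} resembles {INTERNAL_DOMAIN}"
        )

    # 3. Replies silently redirected to a different domain than the sender's.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(
            f"reply-to-mismatch: From is {from_dom}, "
            f"Reply-To is {_domain(reply_addr)}"
        )
    return findings


# Constructed sample: an outside address wearing the head of IT's name.
PHISH = """\
From: Dana Ruiz <dana.ruiz@example-it-support.com>
Reply-To: helpdesk.ruiz@mail.example.net
To: staff@example.com
Subject: Password reset required before Friday

Please open the attached form and re-enter your credentials.
"""

# Constructed sample: a genuine message from the same person.
LEGIT = """\
From: Dana Ruiz <dana.ruiz@example.com>
To: staff@example.com
Subject: Town hall on Thursday

See you all at 10am.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, impersonation_findings(sample) or "clean")
```

Treat this as a triage heuristic to run beside SPF, DKIM and DMARC rather than instead of them; it will not catch a compromised internal mailbox, which sends from the genuine address and passes all three checks.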

"Spearphishing is by far the most prevalent way that target systems are compromised by APTs," said Paul Ferguson, vice president for threat intelligence at Internet Identity.

"It's because it's not that hard to social engineer their victims into clicking on the wrong link or opening the wrong attachment by masquerading as someone they know or something they're expecting," he told CSO.

Spearphishing is typically a key element in the first stage of an APT attack, said JD Sherry, director of public technology and solutions for Trend Micro. "It's used to gain a foothold in the attack environment," he said in an interview. "It's what miscreants use to start the attack sequence."

If the attackers can establish that beachhead in a network, they can become very difficult to dislodge. "It's very hard to stop an initial infection," said Jack Marsal, marketing director for ForeScout Technologies.

[See also: Advanced persistent threats can be beaten, says expert]

"Enterprises have been trying to do this for 15 or 20 years," he said, "but IT security managers know they can't be 100 percent successful."

"Over the last three or four years the situation has gotten worse because the new breed of attackers are using spear phishing techniques and zero-day exploits," he said.

Firmex said the United States leads the world as a source for spear phishing, with 20.8 percent of the attacks originating from American soil, followed by Russia (19.1 percent) and China (16.3 percent).

No industry is spared from the attacks, either. "It's a case of equal opportunity victimization," IID's Ferguson said, "though there does seem to be some industries targeted more than others."

The top industry for APT attacks is defense and aerospace, garnering about 17 percent of the attacks, according to Firmex, followed by energy, oil and gas (14 percent) and finance (11 percent).

As potent as spearphishing has been in delivering APT payloads, it may not remain the only way in.

"Over time, we're still going to see spearphishing being a key factor, but it's not going to be the sole first weapon used in an attack," Trend Micro's Sherry said. "It could be much more focused on social engineering and social media attacks."

Those attacks could deploy fake LinkedIn profiles or Facebook Pages to gain the trust of targets, he added.

"Spearphishing is usually in the form of email direct campaigns," Sherry said. "This would circumvent that and go directly to social media, which is becoming more popular to connect with people and find out pertinent information within your subject or industry."

Stories by John P. Mello