Spearphishing and defending against it

ZenTree

Afternoon all!

We have a client who has recently had a couple of spearphishing attempts similar to those detailed in:

http://krebsonsecurity.com/2015/03/spoofing-the-boss-turns-thieves-a-tidy-profit/

Both times the finance department twigged before even responding, but each time they have asked us if there is anything they can do to block it. The company has a "meet the team" page on their website and the employee is listed as the finance person. She is the only one getting these emails, so it looks to be targeted at her specifically.

The emails were both purporting to be from the boss, but the address was one letter out, with the reply email address going to a completely different domain. So not that sophisticated, but I'm thinking for every problem there should be an opportunity.

We do offer a spam solution (max mail), but this client currently goes through Google for their email. I am far from 100% certain that such a targeted attack would be flagged up by a standard spam filter, though. As it stands we have mirrored the advice at the end of the article I linked to, but for a larger client with a large volume of daily financial requests I could see this being too burdensome.

Does anyone else have experience with this and what would you recommend?
 
This is the point where over time digital solutions have a diminishing value. You can encrypt, you can move to Exchange, you can implement any and all new features as they come out and are available, but eventually someone is going to figure out a way around it.

The best defense is simply having the users perform due diligence: making sure that email addresses are correct and aren't a letter off, or from a .net or .org when it should be a .com; asking for multi-step verification through both voice and text message; mandating that payments be submitted using official company documents.

These are simple things but they're aspects that hackers just can't engineer.

We do the best we can for our customers, but at some point in time we need them to assume some level of responsibility. And before anyone says different, that's not a new trend. We did it when they put locks on cars, when we implemented passwords for workstations, codes for ATMs and lock screens on cell phones.
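The attack described in the opening post (the boss's display name, a sender domain one letter out, a Reply-To on an unrelated domain) and the manual checks in the reply above (addresses a letter off, or a .net/.org where it should be a .com) can be turned into a header check that runs before anyone in finance has to eyeball the message. The block below is an added example written for this page; it is not code from the original thread or from any product mentioned in it. The company domain, the executive list and the three sample messages are constructed for illustration, and the edit-distance threshold is a chosen value, not something the posts specify.

```python
"""Flag CEO-fraud style mail from its headers alone (added example).

The company domain, the executive list and the sample messages below are
constructed for this illustration and are not from the original thread.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "example.co.uk"  # assumed legitimate domain of the client
# Lower-cased display name -> the only address that name may legitimately use
EXECUTIVES = {"alice boss": "alice@example.co.uk"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one letter out scores 1, 'rn' in place of 'm' scores 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def first_label(domain: str) -> str:
    """'example' from 'example.co.uk'; enough when comparing against one known domain."""
    return domain.split(".")[0]


def is_lookalike(domain: str) -> bool:
    """True for the same name under a different TLD, or a name within two edits of ours."""
    if domain == COMPANY_DOMAIN:
        return False
    ours = first_label(COMPANY_DOMAIN)
    theirs = first_label(domain)
    return theirs == ours or levenshtein(theirs, ours) <= 2


def analyse(raw: str) -> List[str]:
    """Return human-readable findings for one RFC 5322 message; empty list if clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    findings = []

    # 1. Display-name impersonation: the boss's name on someone else's address.
    legit = EXECUTIVES.get(name.strip().lower())
    if legit and addr.lower() != legit:
        findings.append(f"display name '{name}' used by {addr}, expected {legit}")

    # 2. Lookalike sender domain (one letter out, or the wrong TLD).
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} resembles {COMPANY_DOMAIN}")

    # 3. Reply-To pointing somewhere other than the sender's own domain.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        if domain_of(reply_addr) != from_domain:
            findings.append(f"Reply-To goes to {domain_of(reply_addr)}, not {from_domain}")
    return findings


# Constructed sample messages (not taken from the thread).
LEGIT = """From: Alice Boss <alice@example.co.uk>
To: finance@example.co.uk
Subject: Q2 numbers

Can you send me the Q2 summary? Thanks.
"""

FRAUD = """From: Alice Boss <alice@exarnple.co.uk>
Reply-To: Alice Boss <alice.boss@mail-relay.example.net>
To: finance@example.co.uk
Subject: Urgent payment

Please process the attached invoice today, I am in meetings all afternoon.
"""

TLD_SWAP = """From: Alice Boss <alice@example.com>
To: finance@example.co.uk
Subject: Invoice

Wire the supplier today please.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("fraud", FRAUD), ("tld swap", TLD_SWAP)):
        print(f"{label}: {analyse(raw) or 'no findings'}")
```

Run stand-alone it prints the findings for each sample: none for the genuine message, three for the lookalike with a foreign Reply-To, two for the .com variant. The threshold of two edits catches "rn" standing in for "m" as well as a single swapped letter, so it is slightly broader than the one-letter case in the post; treat a hit as a prompt for the phone-call verification rather than an automatic block, because a legitimate third party with a similar name will trip it too. Note also that SPF, DKIM and DMARC only protect against mail forged as coming from the company's own exact domain: a lookalike domain the fraudster has registered will pass all three, which is why a comparison against the real domain and the out-of-band check still matter even on a hosted mail platform.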
 
End user education.
Even if you use Exchange or Office 365, the CEO fraud e-mails still slip through.
We have lots of clients that occasionally get it, and these fraudsters really do their homework. They'll find out staff names of the business and really sound casual in the e-mail. The one thing I notice, for the clients that have fancy signatures filled with graphics (like from CodeTwo or transport rules), is that the fraudsters have a hard time copying those exactly. That quick glance at the signature can give it away.
 
Thanks for the input guys. The client is an awkward one where there are two directors with different views on IT requirements. We manage some aspects of some of the workstations (monitoring, backup etc) but then the other director will insist on using his "guy" for his stuff. We tried selling them on O365 before but they insisted on gmail. We will go down the education route for now, I was just after ideas if this came up for another client.

Appreciate the feedback.
 
> This is the point where over time digital solutions have a diminishing value. You can encrypt, you can move to Exchange, you can implement any and all new features as they come out and are available, but eventually someone is going to figure out a way around it.
>
> The best defense is simply having the users perform due diligence: making sure that email addresses are correct and aren't a letter off, or from a .net or .org when it should be a .com; asking for multi-step verification through both voice and text message; mandating that payments be submitted using official company documents.
>
> These are simple things but they're aspects that hackers just can't engineer.
>
> We do the best we can for our customers, but at some point in time we need them to assume some level of responsibility. And before anyone says different, that's not a new trend. We did it when they put locks on cars, when we implemented passwords for workstations, codes for ATMs and lock screens on cell phones.

Sorry, but you're not going to see someone fake a digital signature. That really is not mathematically possible. The big problem with certs is that they are a pain to use and people get lazy. That goes on to the last half of your post, which I agree with. They have to be responsible and use it properly or it will fail on them.
 
> Sorry, but you're not going to see someone fake a digital signature.

The world of IT is filled with incidents and innovations that were the result of the unthinkable and impossible becoming real and possible.

The good news is that it keeps us in a job.

The bad news is that there will always be those moments when, despite our best efforts to make something both secure and idiot proof, things will have changed and they are no longer as secure as they once were or the world has managed to present to us a bigger idiot than we had encountered before.
 
> The world of IT is filled with incidents and innovations that were the result of the unthinkable and impossible becoming real and possible.
>
> The good news is that it keeps us in a job.
>
> The bad news is that there will always be those moments when, despite our best efforts to make something both secure and idiot proof, things will have changed and they are no longer as secure as they once were or the world has managed to present to us a bigger idiot than we had encountered before.

Spoken like someone that has no comprehension of just how difficult a task that is. The NSA can do it, but they can spend a couple of billion dollars to build one machine able to work continually on factoring one prime number. The average joe simply doesn't have the resources to do it, ever. How hackers get around that is because people do stupid stuff like putting their private key on a public Dropbox. If you can brute force the password to the private key you can gain access. But the idea that someone, for a phishing attempt, is going to manage to crack your digital signature is laughable.
 
> Spoken like someone that has no comprehension of just how difficult a task that is.

Well, I can't say I've personally attempted to do it, so you've got me there. But I've been in the business long enough to know that what is acceptable for security changes pretty quickly. "Security" is never a set-in-stone standard. And to add to that, over time we get to find the things we thought were bulletproof aren't always as such.

Security is an illusion perpetuated by those that have something to lose. Our job in relation to security is always about making it as difficult as possible. We live in a world where what we thought was impossible is happening every day. Faster CPUs? More memory? Distributed computing? The difference between "impossible" and "reality" is simply time.

> The average joe simply doesn't have the resources to do it, ever.

I love that word. "Ever." It sounds so final and comforting, doesn't it? If I had to sell something to someone that's the word I'd want to be using to convince them to buy. It leaves no room for doubt or interpretation; something is going to happen and it will never ever cease to not be what we want or need it to be.

The scenario that was put forward illustrates what happens when both technological and social provisions are not properly put into place and maintained. Our best bet as professionals is to not put all of our eggs into one of those two baskets, nor do we think that each basket is infallible on its own. The best results come from constant review and testing of policies and procedures for both.
 