New tech can help catch spearphishing attacks

New approaches that look for more subtle patterns can help reduce highly-targeted spearphishing attacks


Basic email hygiene also helps

One of the common elements of many of the spearphishing scams is that the identity of the sender of the email is fraudulent.

And there are some basic things that companies can do to guard against some of these attacks.

Most attacks, in the end, are common attacks, by unsophisticated attackers, said Oliver Muenchow, founder and CEO at Lucy Phishing GmbH, who gets paid to spearphish companies to test their security processes.

"But the really structured ones, targeted against the company, those are really hard to defend against," he added. But folks without technical skills and those looking for lowest-hanging fruit will be deterred.

For example, companies should check that they are using SPF, DKIM and DMARC effectively. These are common approaches to verifying the authenticity of email messages.

"In an ideal world, everyone would use DMARC," said Bill Leddy, chief architect at ZapFraud. "But not all senders use DMARC and not all receivers use DMARC."

ZapFraud's fraud-detecting firewall product uses DMARC among other indicators to catch fraudulent emails.

DMARC ensures that an email that pretends to be from, say, your company CEO is actually from your company CEO, and that the email from the bank is actually from the bank.

"It solves the problem of fake domains where the sender and receiver both use DMARC," he said. "I've seen that Microsoft and Gmail are going to be raising the bar, and if something isn't signed by DMARC, they will indicate it."


It won't catch the email from a fake Gmail account, because it is, in fact, from Gmail, and there are many other blind spots as well.

But it's a first step.

"You'll be surprised how many people don't deploy it," said Ryan MacDougall, senior penetration tester at Coalfire Labs.

In addition, if the email servers aren't configured correctly, scammers can create email messages that look like they came from those very servers.

"It's rare that people actually block emails based on SPF records, and DKIM signing is the same thing," he said. "People are afraid to block legitimate email and don't take the time to properly test it. And if legitimate emails get blocked they just wind up turning it off. But the ones who do have the time to set it up are a little bit safer than the rest."

Another basic technique is to check for new domain registrations, which will not only help companies spot potential spearphishing attacks, but also helps guard against cybersquatting and malicious emails targeting outside users.

This is a common service offered by brand protection firms, said MacDougall.

"It's worth it for companies to look for these new domain registrations because it's hard for users to recognize them," he said. "Minor changes can be almost invisible to the end users."

For example, he said, "M" can be switched for "RN" -- in lower case, the two look almost identical.

When hired to do a penetration test, that's one of the first things he does, he said.

"We'll either try to get company.co or company.us, because most companies don't register those top-level domains," he said. "When we can't do that, we'll throw in mixed letters."
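As an added example (not code from the article or from any of the firms quoted), the following Python flags newly registered domains that resemble a brand's domain in the two ways MacDougall describes: the same name under a different top-level domain, and the "rn" for "m" letter swap. It generalizes the swap to a few other confusable pairs, which are an assumption, and the list of registrations is a constructed sample standing in for a brand-monitoring feed.

```python
"""Flag newly registered domains that look like a brand's own domain."""
from __future__ import annotations

# Letter sequences that render nearly identically in lower case. "rn"/"m" is
# the pair named in the article; the others are added here as an assumption.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def normalize_label(label: str) -> str:
    """Collapse confusable sequences so 'cornpany' and 'company' compare equal."""
    label = label.lower()
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, tld) for a domain such as 'login.company.com'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2], parts[-1]


def lookalike_candidates(brand_domain: str, registered: list[str]) -> list[tuple[str, str]]:
    """Return (domain, reason) for each registered domain that resembles the brand."""
    brand_label, brand_tld = split_domain(brand_domain)
    brand_norm = normalize_label(brand_label)
    hits = []
    for candidate in registered:
        label, tld = split_domain(candidate)
        if (label, tld) == (brand_label, brand_tld):
            continue  # the brand's own domain, not a lookalike
        if label == brand_label:
            hits.append((candidate, f"same name under .{tld}"))
        elif normalize_label(label) == brand_norm:
            hits.append((candidate, "confusable letters swapped"))
    return hits


# Constructed sample of "new registrations" a monitoring feed might return.
NEW_REGISTRATIONS = [
    "company.co", "company.us", "cornpany.com",
    "company.com", "unrelated.net", "c0mpany.com",
]

if __name__ == "__main__":
    for domain, reason in lookalike_candidates("company.com", NEW_REGISTRATIONS):
        print(f"{domain}: {reason}")
```

In practice the candidate list would come from a daily feed of new registrations, and hits would go to the team that decides whether to block the domain at the mail gateway and DNS resolver.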

Another step that companies can take when they notice a spoofed domain is to spend a little time investigating who set it up, and what else they're doing, said DomainTools' Helming.

Once an attacker has picked a target, they might keep coming back with new approaches.

"If you block off all of their domains, not just the first one, you can protect yourself from future attacks," he said.

He also recommended that companies record the forensic data of spearphishing emails.


"You can unlock a tremendous amount of information that you can use to protect yourself or share with investigators," he said.

Meanwhile, basic security measures such as anti-malware and document loss prevention technologies can also help reduce the overall risk of successful spearphishing scams.

Removing unnecessary privileges also helps, said Joseph Opacki, vice president of threat research at PhishLabs.

"If those accounts or computers are compromised, then they are not going to have as large an impact on your organization," he said.

But at the end of the day, no solution is going to catch all attempts to scam company employees.

"We believe it's a people, process, technology issue," he said.

This story, "New tech can help catch spearphishing attacks" was originally published by CSO.
