By Graham Templeton
Ransomware developers are getting a lot more sophisticated in their
attempts to hold computers hostage, a symptom of the increasing monetary
incentive to withhold people’s most sensitive data. From cheating
spouses to hospital emergency rooms, everyone needs to keep their data
(or at least keep their data under wraps) and the ransomware “community”
is exploiting that fact with increasing talent. Their attack of choice
encrypts all or some selection of a victim’s files, then charges the
victim for the right to decrypt those files.
Now, ransomware developers are turning to a much more sophisticated form of attack. Known as spear-phishing, the technique can make virtually anyone vulnerable to cyber attack, and it has always been one of the most effective tools available to security agencies. A recent surge in attacks seems to be focused on CEOs and other high-ranking corporate employees, but it still shows that high-level cyber attacks are making their way, slowly, toward the masses. Security firm Proofpoint put together a report on the attack, which they call TA530, claiming that it has been deployed against more than 300,000 individuals. This makes it enormous by the standards of spear-phishing attacks.
Phishing is simply any attempt to get a victim to click on
an infected link or file attachment, and it’s usually fairly easy to
spot — Nigerian princes, lost dogs, that sort of thing. But spear-phishing
involves using specific information about the target to make the
infected link seem as innocuous as possible. It might look like an email
from your parents, or a new invoice from work. If you work at a large
institution, filtering out emails that look only mostly right
is much harder. Spear-phishing is almost certainly how the NSA got access to
Angela Merkel’s communications, for instance, and may even have played a
role in the injection of military viruses like Stuxnet into Iranian military networks.
The only real downside of this sort of attack is that it
requires extra knowledge about the target, usually on some sort of human
level, and that means investing time and money, which hackers hate to
do. This is why spear phishing has always been a fairly elite form of
hacking, since it often required quite a bit of recon, figuring out the
name, numbers, contact info, and personal details of the target. In
extreme cases, where agents are deployed around the country, it can
include physical visits to watch the target’s schedule, go through their
garbage, or even casually question their friends.
Now, hackers have figured out that a) it’s possible to
automatically mine and reformat public personal information into a
spear-phishing attack with little effort, and b) sometimes ransomware
targets are worth enough to make the extra sleuthing worth the effort.
One report found that the average spear-phishing attack was worth over $1.5 million, though that figure will be coming down as targets become less elite.
At the end of the day, it doesn’t matter how strong your
cyber-defenses are, if your psychological defenses are low. And with the
success of spear-phishing schemes, hackers are increasingly showing us
our defenses are very low indeed. While spear-phishing doesn’t lend
itself well to dragnet surveillance, if a hacker is willing to invest
time in a particular target, it’s still probably the most effective
overall method of attack.
Even if you don’t have any files you’d be willing to pay
for, you should be worried about the proliferation of that level of
attack to the point that it can be used against hundreds of thousands of
victims at once.

