Spear Phishing: A Bigger Concern in 2015Why Bank Employees Are Increasingly Targeted
Spear phishing has been linked to numerous cyber-attacks this year, including the spring breach that compromised a remote server at JPMorgan Chase, as well as the point-of-sale and bank account attacks waged by the Russian crime ring known as Anunak.
Now, hackers are increasingly focusing their phishing campaigns against bank employees, rather than bank customers, says Jay McLaughlin, chief security officer for Austin, Texas-based Q2ebanking, an online banking platform provider.
"Instead of going after thousands of customers, they are going after the bank itself," he says. "And they are finding that they are really successful."
Hackers are targeting banking institution employees with convincing e-mails that fool them into clicking on malicious links - which ultimately compromise their credentials or other sensitive information - or trick them into providing details about accountholders and their accounts. This information is often used by hackers to take over customers' accounts to perpetrate fraud.
These targeted e-mails can appear to be coming from other management or staff within the institution itself, asking the employee to provide urgent information about an account or a system. Or, sometimes they can appear to come from outside sources, such as a vendor or even a customer.
Employees Are Easy Targets
As banking institutions have enhanced authentication for online banking and mobile banking users, they've made these targets far less attractive to attackers. By comparison, institutions have invested relatively little to ensure the security of their employees' accounts.
"I don't think that companies have a way to really measure how at risk they are for spear phishing," McLaughlin says. "I think they do it once a year and they get a report. They have nothing to baseline it against, and there is no continuous model."
Adam Kujawa, head of malware intelligence at online security firm Malwarebytes, predicts spear phishing attacks in the months to come will target a broader range of bank employees who have access to desirable data, such as customer accounts. "The pool of spear phishing targets in 2015 will be larger and not just limited to a select few, like executives," he says.
Experts say enhanced e-mail authentication standards, including DMARC - Domain-based Message Authentication, Reporting and Conformance - can help organizations authenticate the source of e-mails and block spam. But they say the best way to ensure employees' credentials are not compromised is by preventing staff members from falling for the tactics used in these phishing campaigns. That's why employee education is becoming increasing critical.
Multifactor authentication for access to sensitive information, as well as critical systems and servers, also is essential to mitigate the impact of hackers stealing credentials, such as passwords.
The DMARC standard can play a critical role in identifying e-mail originating from fraudsters. DMARC uses standard identifiers, such as domain keys and a sender policy framework, that are designed to detect e-mail spoofing. When an e-mail comes in, these identifiers are used to measure certain criteria within the e-mail. If those criteria are not met, the e-mail is rejected.
"Today, eight in 10 consumers in the U.S. is protected by DMARC, and it's going up constantly," says Patrick Peterson, CEO of security firm Agari. "The banks are doing that on the backend, so the consumer doesn't see anything. And all major e-mail providers today support DMARC."
But DMARC has its limitations, Peterson says. That's because hackers are continually updating their techniques, figuring out ways to get around certain identifiers used to authenticate and filter e-mails.
"While DMARC is effective in ensuring no one can spoof the company's domain, one issue that DMARC doesn't solve is the fact that cybercriminals can create domain names that are similar to the target they are attempting to leverage in an attack, using so-called 'sister' or 'cousin' domains," says Dan Ingevaldson, chief technology officer at Easy Solutions.
In reviewing the activity of the Russian gang Anunak, which is believed to have targeted and attacked at least 16 U.S. retailers and more than 50 Russian banks over the course of the last 12 months, researchers found that spear phishing attacks were most often to blame for the gang's compromise of employees' credentials.
Researchers at security firms Group-IB and Fox-IT determined that all of Anunak's malware infections were spread through targeted spear-phishing campaigns.
Spear phishing "is still the easiest and most used method to break into companies and gain access to systems that are protected," says Chris Pierson, an attorney and chief security officer for business-to-business payments provider Viewpost.
As a result, Q2's McLaughlin says one area where banking institutions should focus their attention in 2015 is on employee education. Education should be geared toward helping employees know how to more readily identify socially engineered schemes, he says.
"Hackers use spear phishing because it works," McLaughlin says. "Employees open e-mails and click on links. These folks are easy targets."
Training or testing employees once per year is not enough, he stresses, noting that employee education has to become part of the institution's overall security strategy.
Additionally, all banking institutions should implement stronger authentication requirements for employee access to sensitive data and systems, McLauhglin notes. That way, if a bank employee does fall for a phishing scheme and his credentials are compromised, those credentials can't be used on their own by the hackers to access multiple files and accounts.
"The banks are doing dual authentication for the end-user to access an online bank account, but the employees aren't required to use the same restrictive controls," he says. "They can access systems with less authentication."