Something a bit Spearphishy

Blog by: Gareth Baron, Senior Account Manager - 10-Aug-2018

If you are reading this, you are probably an avid user of social media. Let's face it, social media has become part of our lives for various reasons. Personally, I created my Facebook account in 2008 - after the brief success that Friends Reunited enjoyed, I saw my parents connecting with old friends via the Internet - and the nosey/curious part of me thought it would be worth a shot. Ten years later, I, like many, use the platform to keep in touch with people the way we 80s kids did with a landline. Over time, you add photographs (gone are the days of 35mm film, Max Spielmann and a cushioned leather photo album with paper inserts) and amass a library of your life.

Crimes back in the 80s/90s typically consisted of assaults, frauds and direct contact - you got mugged for your cash, or somebody broke in and stole something. Whilst this still happens, things have moved on. Cybercrime cost UK business £29 billion in 2016 - and that's not including personal attacks. Nowadays, the criminals are cunning and will get to you in a myriad of ways. One of these is what's known as a spearphish attack.

I was at a meeting with a customer this week and invited along a colleague who specialises in cyber security. He told a story that illustrates how easy it is to fall victim to some modern-day practices designed to extort money from you.


Once upon a time

So, my colleague's son is studying GCSE IT at school and asked for his Dad's help on a project. Innocently, they Googled an executive at Apple, initially for some help with said project. My colleague found him on LinkedIn, and then on Facebook. The LinkedIn profile is relatively private unless you know him. The Facebook profile, however, is completely open. Although not updated for quite some time, it reveals some valuable information: where he went to school, pictures and names of friends, and even the name of the headmaster at his old high school.

Something a bit Spearphishy

My colleague at this point explains the concept of a spearphish attack to his son. 

“Son - you could potentially now send an email to the Apple exec using his email address (that you got off here), pretending to be the proud headmaster from his former school, inviting him to speak to the school about how he became so successful.

“Spoofing the email address will be easy. You could then include a link, advertised as a link to former alumni who have also come back to the school. However, this link doesn't refer to that - it's a link to a malicious website which will infect his computer with a ransomware virus, and potentially extract money in untraceable Bitcoin from the exec.”

By this point my colleague's son completely understood a modern-day attack vector and how easy it is to carry out – and referenced it in his project. I hope he got an A*!!

This example was, of course, for educational purposes - and highlighted the security loopholes that we sometimes overlook or are simply not aware of.
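As an added defender-side illustration (my own example, not part of the original post and not Adept4 or Fortinet code): a small Python triage that reads one constructed message and reports the two giveaways the story turns on, a spoofed sender that fails SPF/DMARC checks and a link whose visible text names the school's alumni site while its real destination is somewhere else. The message, sender and every domain in it are constructed placeholders.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample modelled on the story: a "headmaster" invitation whose visible link text
# advertises the school's alumni page while the href goes elsewhere. All domains are .example placeholders.
SAMPLE_EML = """\
From: "Old Headmaster" <head@oldschool-alumni.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-relay.example; dkim=none; dmarc=fail header.from=oldschool-alumni.example
Content-Type: text/html; charset=utf-8

<p>See <a href="http://lnk.redirect-placeholder.example/x">https://www.oldschool-alumni.example/alumni</a> for alumni who came back.</p>
"""

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []  # (href, visible text) per <a>
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    return urlparse(s if "://" in s else "//" + s).hostname

def deceptive_links(html):
    """Links whose visible text is itself a URL but names a different host than the real href."""
    p = _LinkCollector()
    p.feed(html)
    return [(text, href) for href, text in p.links
            if "." in text and " " not in text and _host(text) != _host(href)]

def failed_auth(msg):
    """spf/dkim/dmarc verdicts of fail or softfail, read from the Authentication-Results header."""
    return [f"{m.group(1)}={m.group(2)}" for hdr in msg.get_all("Authentication-Results", [])
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr))
            if m.group(2).lower() in ("fail", "softfail")]

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))  # None when there is no HTML part
    return {"auth_failures": failed_auth(msg),
            "deceptive_links": deceptive_links(body.get_content() if body else "")}
```

Run `triage(SAMPLE_EML)` to see both indicators flagged; a plain-text message with no Authentication-Results header reports neither.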

Protecting yourself

Busy C Level execs make even easier targets, as you can find lots about them online. Indeed, some even have their own biographical websites written by their PR agency.

The question is: what can you do to defend against this sort of attack? You can start by locking down the privacy settings on your social media - only show people what you want them to see. Facebook announced a new privacy settings tool following the Cambridge Analytica scandal. I locked mine down a long time ago but, following the scandal, still looked at the many apps that had permissions to my information, and revoked a lot of them.

Another thing you can do is deploy a decent next-generation firewall, like Fortinet's FortiGate. It has some fantastic features built into its UTM package that will prevent spearphish attacks by opening any links in a secure virtual sandbox and 'detonating' them before they affect you. Detonate?! Marketing speak for opening a file or link in a secure cloud-based virtual environment to check the integrity of what is being sent to you. If it's a nasty, you won't get the email, but you will be informed of the attempted attack. If it is legitimate and safe, the email and attachment or link will be passed through to you.

Although this is a personal post intended to inform, I take my work seriously - as do my colleagues. FortiGate is well worth looking into to protect you and your business against these attacks - and many others. If you want a chat about it, please get in touch.
