Ice Phishing, Whaling, and Social Engineering

Introduction

According to the 1960’s song, “It’s the Most Wonderful Time of the Year”. But it’s also the time to be on the lookout for a cyber-attack posing as an email with the best wishes of corporate executives. In 2016, a fake phishing email sent by JPMorgan was able to dupe 20% of its staff into opening and clicking on a simulated malware link.

There She Blows!

The latest attacks are based on “whaling”—a refined kind of phishing attack in which hackers use spoofed or similar-sounding domain names to make it look like the emails they send are from your CFO or CEO. In fact, Whaling is becoming a big enough issue that it’s landed on the radar of the FBI.

Trawling the Network

Whaling hasn’t quite overshadowed regular old phishing, though. A 2016 report by PhishMe states that over 93% of phishing emails are now ransomware. And almost half of those surveyed by endpoint protection company SentinelOne state that their organization has suffered a ransomware attack in the last 12 months. If it’s not ransomware, it’s hackers looking to put other types of malicious code on corporate or public networks or to gain access to passwords belonging to employees or other users. Alarming new types of ransomware, such as Samas or Samsam, will toast your organization just by opening the email—no click required. The dangers are very, very real.

But while it may be impossible to prevent employees from opening phishing emails or clicking on a link, there are ways to create an inoculated environment filled with cyber-hygiene to mitigate the effects of an attack.

Don’t Get Caught

As levels of sophistication of the cyber attacks continue to increase, vigilance is key. Here are a few best practices to keep in mind:

  • Take offline backups of critical information for recovery from ransomware. While “snap copying” live volumes is trendy, you could be snapping ransomware-encrypted files.
  • Implement the security protocol of “least privilege” for all users to minimize access to critical systems and data. Be sure to collect and correlate user entitlements to enforce least privilege.
  • Limit the use of “mapped” drives, which can be encrypted by ransomware. Use secure systems designed for file sharing
  • Implement multi-factor authentication in case user credentials are compromised without forgetting to include strong authentication for your  mainframe systems.
  • Speaking of mainframes, often the locale of some of the most sensitive data in the corporation, ensure that the terminal emulator being used:
    • Is certified on whatever desktop operating system is in use
    • Implements the latest security standards
    • Is configured so that macros can only be run from trusted locations and cannot be used as a point of attack.
  • Ensure that you have a single point of control for all of your identity, access, and security settings, but don’t forget to monitor the people who manage it.
  • If employees use intelligent personal devices such as smartphones and tablets, think about implementing an endpoint management system, which can be remotely disabled (and the device wiped), in case it is lost or compromised.

Conclusion

Good corporate governance and awareness can help prevent  users from clicking on phishing emails, but a more robust approach needs to ensure that IT  can mitigate the risks if they do.

The helpful hints above should hopefully serve to get you through the holidays and provide even a sensible resolution for 2017.

Ron LaPedis
Share this post:
Tweet about this on TwitterShare on FacebookShare on LinkedInGoogle+

Leave a Reply

Your email address will not be published. Required fields are marked *