Monthly Archives: August 2011

Attacks On Government Email Continue

In June we blogged about highly targeted emails that were being sent to the Gmail accounts of U.S. government officials.

Contagio reports that the disclosure of these attacks has not stopped the attacks or caused the attackers to give up. The latest attacks use a real report titled “Blinded: The Decline of U.S. Earth Monitoring Capabilities and its Consequences for National Security” from the Center for a New American Security (CNAS), a Washington D.C. think tank, as bait. The victim is encouraged to subscribe to reports using their Gmail credentials. The concept appears to be that because logging in with Gmail credentials is a common sign-in method on legitimate sites, the victim will not find the request suspicious and will fall for the scam. If the victim takes the bait, the attacker gains access to the victim’s Gmail account. Contagio reports that the attackers log into the account about two hours after it is compromised.

Contagio notes, “Google are aware of this, there is not much they can do to prevent these from coming in but I am sure they are trying.”

Social Media Outs CIA Agent

The effectiveness of spearphishing, the use of highly targeted email to compromise systems and data, depends upon the miscreant’s ability to craft an email that is enticing to the recipient.  This presents the phisher with two problems — identifying the target and determining what would entice the target.

After years of clandestine efforts, secret operatives of the United States were able to kill bin Laden. Running this operation was a CIA employee whose identity is a closely guarded national secret. The Observer reports that his cover was blown using Flickr. The White House published a photo from the Situation Room which, although it did not show the CIA employee’s face, did show his yellow tie. Also, it appeared that he was tall. This photo allowed John Young of Cryptome.org, an intelligence blog dedicated to exposing government secrets, to get started. The White House posted several other photos from that day and, using the clues of the necktie and height, Young was able to find a photo of the man’s face. Within a day, Young was able to determine the CIA employee’s name, where he went to school, his college GPA, where he lived, the sports his kids played and his wife’s activities. The Observer dubbed him “CIA John” to protect his identity. This is CIA John.

CIA John

Armed with this data, a spearphishing attack could be mounted against CIA John.

What if the spearphisher doesn’t have White House photographs to find the victims? Finding targets is as easy as taking pictures of employees in the parking lot. Carnegie Mellon University researchers led by Alessandro Acquisti took photographs of student volunteers. Using facial recognition software to match those photographs against profile photos on social networking sites, the researchers were able to identify 31% of the students by name. In another experiment, the Carnegie Mellon team was able to identify 10% of people who had posted their photos on public dating sites. The researchers have posted their research online, Faces of Facebook: Privacy in the Age of Augmented Reality. The researchers report that they have been able to use profile photos and facial-recognition software to get details such as birthdate and social security number predictions.

Social media provides a powerful source of data for spearphishers to identify and target individuals.

Former Director of National Intelligence McConnell Discusses Cybersecurity

On August 7, 2011, former Director of National Intelligence Vice Admiral Mike McConnell (USN Ret) appeared on CNN’s State of the Union with Candy Crowley. The Admiral discussed the risks of industrial espionage and cyber warfare. He described the security breaches in McAfee’s recently released Revealed: Operation Shady RAT as “the tip of the iceberg.” You can see the entire interview at:

http://sotu.blogs.cnn.com/2011/08/07/fmr-dni-mike-mcconnell-on-the-threat-of-cyber-attacks/

Defcon Hacking Conference — Target the People

Last weekend the world’s largest hacking convention, Defcon, was held in Las Vegas. Reuters reported on the conference:

[H]ackers taking part in the competition on Friday and Saturday found it ridiculously easy in some cases to trick employees at some of the largest U.S. companies to reveal information that can be used in planning cyber attacks against them.

This was the second year that Defcon included a contest in “social engineering,” in which the hackers tried to deceive people into disclosing information or taking ill-advised actions, such as opening an infected attachment, downloading malware or visiting a malicious website. The most frequently used social engineering hack is spearphishing, in which the hacker impersonates a friend, colleague or other convincing sender (one such hack involved the impersonation of President Obama). In the successful spearphishing attack, the impersonation and its call to action deceive the recipient into disclosing information or compromising the recipient’s system. Recent examples of successful spearphishing attacks include Epsilon (the email marketing company), U.S. defense contractors, the French Finance Ministry, the IMF, EMC’s RSA Security division and government agencies around the world.

The Reuters article attributes the success of social engineering hacks to poorly trained employees. While there are no doubt cases where social engineering schemes could be overcome with training, the successful spearphishing campaign is driven by the guile of the perpetrator, not the training deficiencies of the victim.

Training people to avoid suspicious emails is essentially impossible because, as Lt. Col. Gregory Conti, an IT professor at West Point, observed in the New York Times,

“What’s ‘wrong’ with these e-mails is very, very subtle,” he said, adding: “They’ll come in error-free, often using the appropriate jargon or acronyms for a given office or organization.”

The tools to improve the criminals’ craft are becoming more robust every day. A little internet research yields substantial personal information that can be used to deceive the recipient. Email is the ideal medium for deception because the attacker has at his command all of the human factors needed to deceive the recipient. Given the ability of criminals to craft and deliver deceiving emails, email recipients are essentially unarmed in this battle of wits with spearphishers.

Social engineering deceives users into becoming the agents of the criminals. What can be done to defend the enterprise against spear-phishing? The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email. That tool is SP Guard from Iconix.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.