BreachExchange mailing list archives

Spear Phishing: How to Fight Back


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 25 Sep 2013 22:34:05 -0600

http://www.bankinfosecurity.com/small-banks-are-prime-phishing-targets-a-6094/op-1

Spear-phishing attacks aimed at bank employees are on the rise, and experts
say community banks and credit unions are a favorite target for fraudsters.

When banking institution employees are targeted with phishing e-mails, the
goal is to obtain their credentials for accessing accounts or internal
networks and systems, paving the way for fraud. Hitting employees is more
fruitful than targeting consumers because compromising employee credentials
can provide access to numerous accounts.

Targeted phishing attacks aimed at bank employees have been steadily
increasing, and this is why more attention needs to be paid to employee
education and phishing awareness training, experts advise. Stronger
authentication is not enough, they warn.

Banks More Targeted

Some 44 percent of financial institutions say targeted attacks aimed
against employees increased in the past year, according to Information
Security Media Group's 2013 Faces of Fraud Survey. A majority of the 200
survey respondents were from community and regional institutions.

According to the Anti-Phishing Working Group, 720 banking institutions
globally were targeted by phishing attacks during the first half of 2013,
up almost 20 percent from the second half of 2012, says Rod Rasmussen,
co-author of a new phishing study from APWG. He's president and chief
technology officer of security firm Internet Identity.

Attacks waged against financial institutions and their brands still account
for 75 percent of phishers' targets, Rasmussen says.

"The attackers go where there is the least friction, and that's why they go
after community banks," says Jens Hinrichsen, vice president of business
development for Versafe, an online fraud protection provider. "Secondarily,
so many of these community banks have a personal connection with their
communities, so they're easier targets. On their websites, they share more
information about the people who work at the bank. They have their e-mail
addresses readily available to the community, and they generally make
themselves more available."

A combination of limited fraud-detection resources and a lack of education
about phishing attacks aimed at banking executives and frontline staff has
made smaller institutions vulnerable, he says.

Stronger e-mail authentication efforts, such as DMARC (Domain-based
Message Authentication, Reporting and Conformance), can help mitigate
phishing risks by making it more difficult for fraudsters to craft phishing
e-mails that look legitimate, Rasmussen says. With DMARC, a bank publishes
a DNS policy telling receiving mail servers to quarantine or reject messages
that claim to come from its domain but fail SPF or DKIM checks aligned with
that domain, so a forged "From" address at the bank's own domain no longer
reaches the inbox unchallenged.
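As an added illustration (not part of the original article, and not code from any product or organization it mentions), the following Python sketch evaluates a DMARC policy the way a receiving mail server would: it looks up the `_dmarc` TXT record for the domain in the visible From header, checks whether the SPF or DKIM result is aligned with that domain under the record's `adkim`/`aspf` modes, and returns the disposition the policy asks for. All domains, DNS records and authentication results are constructed for the example, and the organizational-domain rule is simplified (last two labels instead of the Public Suffix List that RFC 7489 requires).

```python
"""Miniature DMARC evaluation (RFC 7489) showing what the policy stops and
what it does not. Added example; every domain, record and message below is
constructed, not taken from any real bank."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResults:
    """Inputs a receiving MTA already has before DMARC runs."""
    header_from: str   # RFC5322.From header, as displayed to the user
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated for
    dkim_result: str   # "pass", "fail", "none"
    dkim_domain: str   # d= tag of the verified DKIM-Signature ("" if none)


# Constructed stand-in for DNS TXT lookups at _dmarc.<domain>
DNS_TXT = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:dmarc@bank.example",
    # the phisher controls this lookalike domain and publishes a do-nothing policy
    "_dmarc.bank-example.com": "v=DMARC1; p=none",
}


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into tags, filling in RFC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment is the default
    return tags


def org_domain(domain: str) -> str:
    # Simplification: RFC 7489 uses the Public Suffix List; last two labels suffice here.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)


def from_domain(header_from: str) -> str:
    """Domain of the address in the From header (display name ignored)."""
    m = re.search(r"<([^>]+)>", header_from)
    addr = m.group(1) if m else header_from.strip()
    return addr.rsplit("@", 1)[-1].lower()


def lookup_policy(domain: str, dns: dict) -> Optional[str]:
    """Exact domain first, then the organizational domain (RFC 7489 section 6.6.3)."""
    for d in (domain, org_domain(domain)):
        rec = dns.get("_dmarc." + d)
        if rec:
            return rec
    return None


def evaluate_dmarc(r: AuthResults, dns: dict = DNS_TXT) -> tuple:
    """Return (dmarc_result, disposition); disposition is what the receiver should do."""
    hd = from_domain(r.header_from)
    record = lookup_policy(hd, dns)
    if record is None:
        return ("none", "none")          # no policy published: DMARC has nothing to say
    policy = parse_dmarc(record)
    dkim_ok = r.dkim_result == "pass" and aligned(hd, r.dkim_domain, policy["adkim"])
    spf_ok = r.spf_result == "pass" and aligned(hd, r.spf_domain, policy["aspf"])
    if dkim_ok or spf_ok:
        return ("pass", "none")
    return ("fail", policy["p"])


# Constructed messages: the bank's own mail, a forgery of the bank's exact
# domain sent through the attacker's server, and mail from a lookalike domain.
LEGIT = AuthResults("Payroll <payroll@bank.example>", "pass", "bounce.bank.example", "pass", "bank.example")
EXACT_SPOOF = AuthResults("IT Help Desk <helpdesk@bank.example>", "pass", "mailer.attacker.example", "none", "")
LOOKALIKE = AuthResults("IT Help Desk <helpdesk@bank-example.com>", "pass", "bank-example.com", "pass", "bank-example.com")

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("exact-domain spoof", EXACT_SPOOF), ("lookalike", LOOKALIKE)):
        print(name, evaluate_dmarc(msg))
```

The legitimate message passes on DKIM alone (SPF fails strict alignment because the bounce subdomain differs), the exact-domain forgery is rejected, and the lookalike domain passes because the attacker published a policy for a domain he owns. That last case is the caveat a practitioner should keep in mind when reading the paragraph above: DMARC protects the bank's own domain, not the reader's ability to spot a near-miss domain, which is why the article's emphasis on training still matters.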

But education about what to look for in a spear-phishing attack, such as
e-mails that request an employee open a malicious attachment, is perhaps
the best way to mitigate the risks, Rasmussen says.

"When these attacks target employees, they are usually trying to get people
to open an attachment, rather than click a link in the e-mail," he says.
"This type of attack is definitely on the rise."

Still, Hinrichsen says the financial industry continues to rely too much on
authentication and not enough on detection of malware and network
intrusions to combat phishing. When an employee's credentials are
compromised through a spear-phishing attack, the banking institution needs
to have technology in place that can differentiate a genuine user from a
fraudster, he says.

"If the credentials have been seized, then you still need to have a system
to determine whether this is the right person," Hinrichsen says. "If you
assume every employee is probably infected, you need to be able to
identify, at the application layer, whether this is a fraudulent attempt to
access."

Lack of Awareness

Community institutions often are less aware of the risks associated with
targeted phishing campaigns than larger banking institutions, Hinrichsen
says.

"The layers of defense for spam filtering are lower for community banks,
but it's more than just a technology issue," he says. "Within the
organization, especially if it's a small bank, some element of basic
phishing awareness would benefit everyone."

But Sam Vallandingham, president and CEO of First State Bank, a $305
million institution in Barboursville, W.V., argues that community banks are
no more susceptible to spear phishing than larger institutions.

"All banks are getting targeted," he says. "It's not just a community bank
problem, but we do recognize the need for education."

First State Bank wages simulated phishing attacks against employees twice a
year as a training exercise, Vallandingham says.

"We usually always have one or two employees who click on the link or open
an attachment," Vallandingham says. "This is why we run these tests
regularly, to constantly remind our staff of what these attacks might look
like."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
