Organized crime is zeroing in on medium to large sized enterprises using a well honed attack that can penetrate most enterprises defenses. Called "spear phishing" it involves targeting one or two individuals within the enterprise and then sending them well crafted email with links or document attachments which then download malware into the enterprise. The number of attacks is rising dramatically.
In March, MessageLabs Ltd. said it had intercepted 716 messages from 249 attacks last month aimed at 216 customers. MessageLabs says that this compares to two a day on average last year and two attacks per week two years ago.
The method of attack usually uses MS Office documents but can also involve links to fake websites that look real. One attack focussed on the new executive of a large enterprise for whom a press release had been written.
The executive received an email supposedly from the enterprise's travel agency requesting him to click on a link and log on to the agency's website where it would provide him with his personal profile for approval. The executive clicked on the link and found the website containing all sorts of personal information about him (which had been gleaned off of the internet). The executive then clicked a button to sync up his Outlook mail calendar with the travel agency. Little did the executive know that this was a website run by criminals and that he had just downloaded malware into his enterprise.
Other attacks use realistic MS Office document attachments which when opened then quietly load malware into the enterprise or, the computer crashes and when rebooted the malware slips into the enterprise.
What can enterprises do to protect their executives and themselves from this form of attack? Use heuristic intrusion detection systems and train your executives.
Enterprises must use new software that does not rely upon malware signatures for verification. This is how most common anti-virus products work. They have a list of the "bad guys" for whom code is recognized as malware. The incoming code is then mapped against the list. If it's not there, then the code is passed. This does not work anymore.
Criminals now change their code so rapidly that there can be thousands of variations on malware produced daily. Therefore, heuristic technology has come into play that looks at the effects the malware is trying to do on the enterprise systems. Still in its infancy, this is the future for malware detection. But it does work all the time.
The challenge with only relying upon intrusion detection systems is that the malware can often escape their notice. Criminals are developing new malware daily that is designed to slip under the intrusion detection radar screen. Some types of rootkit and other attacks are not picked up by this technology. So while enterprises must use this as the first line of defense, they shouldn't rely upon it 100%.
That's where training comes in. 77% of malware attacks begin with the user clicking on a link or opening up a document attachment in unexpected messages. By educating your executives to not click on links in unexpected documents or opening up email attachments, even if the email looks like it is arriving from a fellow executive, then the enterprise risk can be mitigated.
A new free 3 minute malware security awareness training program, "Training in a Flash", offers this. It's playable on over 90% of the world's browsers by using Adobe Flash. In just 3 minutes, users can be quickly educated to avoid phishing and pharming attacks.
Bottom line for enterprises:
1. Make sure that you use an up to date intrusion detection system using heuristics.
2. Train your executives to "think before you click on it".
If you don't then you may end up on the pointy end of a successful spear phishing attack.