Today's Washington Post includes a front page article that should serve as a warning to any employer about increasingly sophisticated social engineering attacks that exploit one key vulnerability that is essentially immune to technical solutions: their employees. Social engineering attacks work by exploiting the natural human tendency to trust, thereby tricking the recipient into believing the contents of the communication are safe. Using bogus emails and phony websites, hackers can install programs to steal information, spy on the organization, or even disrupt operations. This is the fourth story in the Post's ongoing cybersecurity series, Zero Day: The Threat in Cyberspace.
The backdrop for the article is a series of recent spear phishing attacks that have targeted specific employees of intelligence contractors, utility executives, and industrial-control security specialists. For many of the attacks, seemingly innocuous email messages that appeared to originate from trusted contacts were, in fact, cyberweapons that were part of a sophisticated and large-scale social engineering attack intended to trick the recipient into circumventing the organization's security controls.
In a typical spear phishing attack, hackers employ email messages and similar communication methods that appear to come from a colleague or friend but which actually contain malicious code buried in a phony web site link or email attachment. Once the recipient clicks on the link or opens the attachment, the malicious code (often a remote access tool or "RAT") is delivered and buries itself within the targeted network. Such malware often will reach out to the hacker, typically through an encrypted message or through traffic cloaked in what appears to be run-of-the-mill internet browsing. The hacker then uses this secret back door to install other malicious software and take control of the target company's computers. These attacks can persist for months or even years in some instances, and allow the hacker to steal customer financial information, take sensitive corporate data, or even hijack industrial control systems.
Two main characteristics really distinguish this new wave of spear phishing attacks. First, hackers are starting to target specific...