In the course of supporting our wide range of Google for Work customers, we have witnessed an increase in reports of an attack known as spearphishing.

This note is intended to inform and advise our clients about this problem.

What is spearphishing?

Spearphishing is a development of phishing that targets specific individuals and attempts to fool the recipient of an email into believing it was sent by a known or trusted sender.

Phishing

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

wikipedia.org/wiki/Phishing

Spearphishing combines two attack techniques:

Social Engineering

By researching a company (departments, key staff & executives) an attacker can target specific individuals and roles such as the finance department.

Email Spoofing

By forging the headers of an email, the attacker attempts to fool the recipient into believing that it was actually sent by a known and trusted source (e.g. the Finance Director or MD).

Counter Measures

Social Engineering: Vigilance, Training & Process
People in positions of authority within organisations need to be vigilant and aware of threats and attacks.
Email is just one vector for such attacks, alongside other communication channels including postal letters, faxes and phone calls.

Suggestions:

  • Internal communications ensuring staff, especially those most exposed to the risk (e.g. executives and management, finance staff) are made aware of the threat and risks.
  • Training: Specialist training organisations offer courses to help educate staff about the threats and risks faced.
  • Internal company policies and workflows should also protect the company from losses due to an individual member of staff being compromised (e.g. dual sign-off).

Technical: Password Alert Chrome Extension (Chrome Web Store link)

The Password Alert Chrome Extension is provided by Google and can be added to a user's Chrome browser.
It warns and stops users if they visit a fake Google Sign-in web page.
Such pages are created by criminals to trick Google users into entering their login credentials (username/password) into a fake page, where they are harvested and can then be used to gain unauthorised access to the user's Google account.

Technical: 2-Step Verification (Set up 2-Step Verification)
2-Step Verification adds an extra layer of security to your users' Google Apps accounts by requiring them to enter a verification code, in addition to their username and password, when signing in to their account.
The verification code can be generated by a number of methods, including an SMS text message, an Authenticator app, or a FIDO security key (a USB "key").

Technical: Email Authentication

The email industry and standards bodies continually innovate in an attempt to secure against new threats.
The practice of Email Authentication has evolved to provide specific counter measures to the threat of Email Spoofing.

Suggestions:

Businesses can protect themselves from attacks such as spearphishing by adopting Email Authentication, comprising:

  • SPF – Sender Policy Framework (www.openspf.org)
    • an open standard specifying a technical method to prevent sender address forgery
  • DKIM – DomainKeys Identified Mail (dkim.org)
    • DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication
  • DMARC – Domain-based Message Authentication, Reporting & Conformance (dmarc.org)
    • builds on the widely deployed SPF and DKIM protocols, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email

Adopting Email Authentication

Adopting the Email Authentication methods requires changes to the DNS (Domain Name System) records for the domain(s) to be protected.

Adoption requires careful planning and execution, as mistakes or omissions can disrupt the flow of email.

Steps Required:

      1. Identify all sources of email within the organisation
        • Must include every source
        • Must establish how each source sends email (which SMTP service is used)
      2. Create an SPF DNS record including all sources
      3. Create a DKIM DNS record for each sending source and enable DKIM service
      4. Check and verify SPF & DKIM records and function
      5. Plan the DMARC rollout and policies (report, quarantine, reject)
      6. Create a DMARC DNS record
      7. Monitor the DMARC reports (ongoing)
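As an added example (not part of the original advice), the following Python checks the SPF and DMARC TXT records produced in steps 2, 5 and 6 for the mistakes that most often weaken or break a rollout: a permissive "all" mechanism, too many DNS-lookup mechanisms, a DMARC policy left at none, and a missing reporting address. The records are constructed sample values for a hypothetical domain, not real DNS data.

```python
import re

# Constructed sample TXT records for a hypothetical domain (not real DNS data):
# a weak record beside its corrected form for both SPF and DMARC.
SPF_WEAK = "v=spf1 include:_spf.google.com include:mail.crm-example.net ?all"
SPF_FIXED = "v=spf1 include:_spf.google.com include:mail.crm-example.net -all"
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_FIXED = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"

# SPF mechanisms that cost a DNS lookup (RFC 7208 allows at most 10 per check).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)")


def check_spf(record):
    """Return the problems found in an SPF TXT record (empty list means OK)."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    lookups = sum(1 for t in terms[1:]
                  if LOOKUP_TERM.match(t.lower()) or t.lower().startswith("redirect="))
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10")
    last = terms[-1].lower()
    if last in ("+all", "?all", "all"):
        problems.append(f"'{last}' lets any host pass: use -all (or ~all while testing)")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        problems.append("record has no terminating 'all' mechanism")
    return problems


def check_dmarc(record):
    """Return the problems found in a _dmarc TXT record (empty list means OK)."""
    problems = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= tag (must be none, quarantine or reject)")
    elif policy == "none":
        problems.append("p=none only reports: plan the move to quarantine, then reject")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("no rua=mailto: address, so aggregate reports will not arrive")
    return problems
```

Run the checks against the actual TXT records your DNS provider returns (step 4) before moving the DMARC policy beyond p=none.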

Need help or advice?

We realise that this is a complex technical subject and that many of our clients will require help to understand this and to adopt Email Authentication methods.

Refractiv provides a range of support and consultancy services in this area.
For further assistance, please contact helpdesk@refractiv.co.uk.