20 April 2016
By 2017 business emails will reach 139.4 billion per day

Dubai, United Arab Emirates - Globally 74% of all targeted attack attempts use email vectors, even as business emails are estimated to reach 139.4 billion per day by 2017. Trend Micro on average blocks 50 billion email spam-sending IP addresses.

Spear phishing is commonly being used by attackers to gain access to a company networks to facilitate a targeted attack, through malicious emails. Attackers gather intel on an individual in the targeted company and using the gathered information an email with malicious attachment or link is then sent to the target. Once the target opens the email, the attachment or link leads the target to a malicious website hosting malware, thus infecting the targets machine, giving the attackers access to the network.

"Attackers disguise these emails to make it look like its coming from a legitimate source, a colleague, a new updated from the HR team or something work related. The attackers will have done their homework, so the target is not suspicious of the incoming email, a few clicks and the criminals have been successful in infiltration the system. Email is the most common form of business communication, and one of the easiest way for attackers to get into a company's network," commented Ihab Moawad, VP Mediterranean, Mid. East, Africa, Russia & CIS at Trend Micro.

How do attackers/cybercriminals gain unauthorised access to company networks and manage to steal personal information, financial data? While some people may know a little about corporate data breaches, few know how it's actually done, or the methods cybercriminals use to execute an attack.

In a targeted attack, attackers have a certain level of expertise and have sufficient resources to execute their schemes over a long period of time. In cases where the breach indeed resulted from a targeted attack, it is important to know that attackers can adapt, adjust, and improve their attacks to counter their victim's defences.

Attackers utilize various social engineering techniques that leverage recent events, work-related issues, and other areas of interest pertaining to the intended target. Techniques like the use of backdoors, zero-day or software exploits, watering hole, and spear phishing are the most common methods used to gain information.

While phishing and spear phishing share similar techniques, they are not to be confused. Phishing is a generally exploratory attack that targets a broader audience, while spear phishing is a targeted version of phishing. They are different in the sense that phishing is a more straightforward attack--once information such as bank credentials, is stolen, the attackers have pretty much what they intended to get. In spear phishing, the successful theft of credentials or personal information is often only the beginning of the attack, because it's only used to gain access to the target network--a move that ultimately leads to a targeted attack.

What is Spear Phishing?

As mentioned above, spear phishing is a targeted form of phishing in which fraudulent emails target specific organizations in an effort to gain access to confidential information. Its tactics include impersonation, enticement and access-control bypass techniques like email filters and antivirus. The objective of spear phishing and phishing are ultimately the same--to trick a target into opening an attachment or click on a malicious embedded link.

How does Spear Phishing work?

Spear phishing focuses on specific individuals or employees within an organization and social media accounts such as Twitter, Facebook, and LinkedIn to specifically customize accurate and compelling emails. These emails contain infected attachments and links. Once the link is opened, it executes malware that leads the target to a specific website. The attackers can then establish their networks and move forward with the targeted attack.

Defending Against Spear Phishing

Any form of phishing can ultimately lead to the compromise of sensitive data. If neglected, a company could succumb to a targeted attack, which could result in data breaches, as seen in notable incidents like the ones that affected JP Morgan, Home Depot, and Target--all of which were attributed to spear phishing. Consequently, these companies lost millions of dollars along with stolen customer records.

Similar to these recent data breach incidents, globally many small to mid-size businesses are being targeted along with larger enterprises, as attackers see them as a backdoor gateway into larger corporations. Also, due to the relatively smaller IT staff in small companies, it easier for attackers to target them as they're likely to have less security infrastructure in place.

Because email is the most common entry point of targeted attacks, it is important to secure this area against likely spear phishing attacks. Employee education is highly critical to combat different phishing techniques. Training employees to spot misspellings, odd vocabulary, and other indicators of suspicious mails could prevent a successful spear phishing attack. Additionally, enterprises need an expanded and layered security solution that provides network administrators the visibility, insight, and control needed to reduce the risk of targeted attacks regardless of vector of choice.

-Ends-

About Trend Micro
Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Built on 27 years of experience, our solutions for consumers, businesses and governments provide layered data security to protect information on mobile devices, endpoints, gateways, servers and the cloud. Trend Micro enables the smart protection of information, with innovative security technology that is simple to deploy and manage, and fits an evolving ecosystem. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro™ Smart Protection Network™ infrastructure, and are supported by more than 1,200 threat experts around the globe.  For more information, visit TrendMicro.com.

© Press Release 2016