
Spear-Phishing Issues - Report Example

Summary
The report "Spear-Phishing Issues" discusses spear-phishing as a form of phishing, the security goals and vulnerabilities of OCENIA, how the vulnerabilities can be exploited, and the goals that will be compromised if the aforementioned vulnerabilities are exploited…

Extract of sample "Spear-Phishing Issues"

Spear phishing

Introduction

Phishing attacks have recently become a common phenomenon in computing. Phishing refers to exploratory attacks that are carried out by criminals with the aim of obtaining personal and sensitive data of a computer user. The attacks take the form of disguised emails, impersonation in phone calls, or even impersonated websites. The criminals normally seek the user’s network access credentials in order to retrieve personally identifiable information of the users in the network (FireEye Inc., 2012). This information is used to carry out fraud and paralyse the operations of businesses, state institutions or corporations.

In most cases, phishing attacks target information related to banking. For instance, criminals may send an email impersonating the user’s bank, asking the user to provide personal information. Alternatively, the email may direct the user to a fake website purportedly belonging to the bank, where the spoofed website will access the user’s keystrokes and obtain personal information. The criminals are not connected to the institution (bank) in any way, and thus they use the information to commit fraud.

This report discusses spear phishing as a form of phishing, the security goals and vulnerabilities of OCENIA, how the vulnerabilities can be exploited, and the goals that will be compromised if the aforementioned vulnerabilities are exploited.

OCENIA’s background information

OCENIA is a large multinational and a major player in the global shipping industry. OCENIA’s main source of revenue is payments from passengers and cargo. Recently, OCENIA launched its online platform for bookings and payments. This platform enables customers to book in advance if they intend to travel with OCENIA ships. Similarly, customers with cargo are able to book space for their cargo in advance and make payments to the company using their credit cards.
OCENIA also has an interactive customer relations section on its website that is designed to help the company with customer matters such as cancellation of tickets, refunds, company news and so forth.

Spear phishing

Spear phishing is a more specific form of phishing. It “is a more targeted version of phishing attacks that combines tactics such as victim segmentation, email personalization, sender impersonation, and other techniques to bypass email filters and trick targets into clicking a link or opening an attachment” (FireEye Inc., 2012, p. 4). A general phishing attack utilises all email addresses in the database, while a spear phishing attack will only target a certain organization or even certain individuals in the organization. Another common form of spear phishing targets people who have a common characteristic (Rouse, 2011). For instance, millionaires transacting with the same bank may be targeted in a bid to access their financial information and secret banking information. Additionally, the spoofed emails appear to have originated from people or institutions the targets normally communicate with, making them more deceptive (Federal Bureau of Investigations, 2009).

Clearly, spear phishing is different from traditional phishing. “If traditional phishing is the act of casting a wide net in hopes of catching something, spear phishing is the act of carefully targeting a specific individual or organization and tailoring the attack to them personally” (Hoffman, 2013, p. 1). Unlike in the case of traditional phishing, spear phishing criminals make their scam seem real by using personal information. For instance, a spoofed email could contain the name of the recipient and the name of the purported sender, a person known to the recipient. The requests to click on a link or download attachments in spoofed emails therefore look like authentic requests (Hoffman, 2013).
Spear phishing attacks are likely to be carried out on OCENIA by fraudsters intending to fleece the company, competitors intending to steal operational information or customers from the company, or criminals intending to steal money from the company’s customers. To avoid being affected by spear phishing, users should always be vigilant not to open suspicious links and emails (Rubenking, 2011). Users should also ensure that they scrutinize URLs before transacting online. It is even advisable to get the URLs for the websites of banks from the banks themselves and type them into the browser instead of searching using search engines. Users can also make sure they have phishing protection by buying internet security software (Rubenking, 2011).

OCENIA’s security goals and vulnerabilities

Due to the security risks associated with transacting business on the internet, the company has employed skilled information security professionals to ensure that none of its customers will ever lose funds to fraudsters impersonating the company. The company also intends to have impenetrable customer communication channels in order to ensure that it cannot be sabotaged by competitors and malicious hackers. For this reason, the company website has been adequately secured.

Despite the security measures that OCENIA has put in place to protect itself and its customers from cybercriminals, the company can still face a cyber attack. This is because phishing criminals mostly rely on social engineering in order to perpetrate their attacks. One of the ways in which the company can face phishing issues is by having its customers duped by cybercriminals into believing that a spoofed website created by the criminals is the company’s website. This way, the criminals can obtain the personal details of the customers and collect the company’s funds from its debtors.
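The advice above to scrutinize URLs, and the spoofed-website scenario just described, can be partly automated on the defender's side. The following Python check is an added example, not part of the original report; the domain ocenia.example, the TRUSTED set, the sample links and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed placeholder: the real list would come from the company itself.
TRUSTED = {"ocenia.example"}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, trusted=TRUSTED):
    """Return 'trusted', 'suspicious', 'unknown' or 'reject' for a link."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "reject"                      # malformed URL
    if parts.scheme != "https" or not host:
        return "reject"                      # no TLS, or no host at all
    if "@" in parts.netloc:
        return "suspicious"                  # text before '@' is not the host
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "suspicious"                  # internationalised look-alike risk
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    for d in trusted:
        tail = ".".join(labels[-(d.count(".") + 1):])
        if d in host or edit_distance(tail, d) <= 2:
            return "suspicious"              # embeds or nearly matches the name
    return "unknown"

# Constructed sample links, as they might appear in an email body.
SAMPLES = [
    "https://www.ocenia.example/bookings",
    "https://0cenia.example/pay",
    "https://ocenia.example.secure-pay.test/login",
    "https://ocenia.example@pay.test/refund",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):10} {link}")
```

A "trusted" result only means the host name matches the list; it says nothing about whether the message that carried the link is genuine.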
The criminals can also use the spoofed website to obtain credit card information, which they can subsequently use to steal from the company’s customers. In addition to this, hackers can take control of the customer care section of the company’s website after infiltrating the company’s network, and impersonate the company’s personnel to post messages that can cost the company millions of dollars.

Among the weakest links in the company’s security chain are the company’s customers and their personal information. This is because most phishers use email spamming in order to gain access to organizational networks. Spear phishers normally target a certain organization, OCENIA in this case, and then figure out how to get the email addresses of the customers. After this, they send spoofed email messages to the customers, which they use to get the customers’ personal information (Wilson, 2013). Such information includes login details, credit card information and so forth. They use this information to access the network of the organization, which gives them access to both the company and the customers. In addition to the aforementioned vulnerabilities, phishers target OCENIA’s employees who are not sufficiently keen on their online security. This will enable the phishers to gain access to OCENIA’s network, thereby exposing all stakeholders: customers, employees and the company.

How OCENIA’s vulnerabilities can be exploited

As evidenced in the discussion above, phishers can take advantage of the fact that customers weaken the security chain and find email addresses of these customers from social media and other sources. This will culminate in the phishers gaining access to OCENIA’s network. After gaining access to the network, the criminals will impersonate the customers, despite the fact that identity theft is a crime according to the Australian Information Security Standards (Department of Defence, 2012).
The impersonation may lead to fraud because the criminals may be able to collect refunds meant for the customers. This will make the company fail to realize its goal of protecting its customers from losing funds to cybercriminals. The criminals may also decide to impersonate OCENIA’s staff and steal money from the company. For instance, the criminals may impersonate the employee responsible for making payments and send funds to their debit cards. This will make the company lose funds.

In addition to the aforementioned exploits that can be carried out by cybercriminals, the criminals can also steal personal information from customers and impersonate them to collect cargo. This will make the customers incur losses, and therefore they will lose trust in the company. Consequently, the company will lose its customers and its revenue is likely to fall. Criminals can also exploit their ability to access the company’s network to post messages defaming the company. This exploit can also be used by OCENIA’s competitors in a bid to get OCENIA’s customers. The company will eventually lose customers, making it less profitable. The latter exploit will lead to non-realization of the company’s goal to make its customer communication channels impenetrable.

Even before the widespread use of phishing in cyber attacks, it was not a common phenomenon for financial institutions and other companies to ask for personal information (Ray, 2004). Computer users should therefore be on the lookout to ensure that their sensitive information is secure.

Reference List

Department of Defence: Intelligence and Security. (2012). Australian Government Information Security Manual. Retrieved from http://www.dsd.gov.au/publications/Information_Security_Manual_2012_Principles.pdf

Federal Bureau of Investigations. (2009). Spear Phishers: Angling to Steal Your Financial Info. Retrieved from http://www.fbi.gov/news/stories/2009/april/spearphishing_040109

FireEye Inc. (2012). Spear Phishing Attacks – Why They are Successful and How to Stop Them. Retrieved from http://www.computerworld.com.au/whitepaper/370771/spear-phishing-attacks-why-they-are-successful-and-how-to-stop-them/download/

Hoffman, C. (2013). HTG Explains: What Spear Phishing Attacks Are and Why They’re Taking Down Big Corporations. Retrieved from http://www.howtogeek.com/142635/htg-explains-what-spear-phishing-attacks-are-and-why-theyre-taking-down-big-corporations/

Ray, R. (2004). QuickStudy: Phishing. Retrieved from http://www.computerworld.com/s/article/89096/Phishing

Rouse, M. (2011). Spear Phishing. Retrieved from http://searchsecurity.techtarget.com/definition/spear-phishing

Rubenking, N. (2011). How to Avoid Spear Phishing Attacks. Retrieved from http://www.pcmag.com/article2/0,2817,2384601,00.asp

Wilson, T. (2013). How Phishing Works. Retrieved from http://www.howstuffworks.com/phishing.htm