Latest spearphishing campaign goes hard against social media

If hackers just want any old data they can get their hands on, they’ll rely on brute-force attacks. But if they really want your company or customer info, they’re willing to work a little harder – and smarter – to get it, as evidenced by a recent spearphishing campaign. 

The Newscaster attack, possibly originating in Iran, was a spearphishing campaign that went after high-ranking officials in government and corporate organizations. These attacks were highly coordinated and well-planned.

The attacks involved:

  • creating social media profiles that looked like they belonged to legitimate journalists, government officials and contractors on sites like Facebook, LinkedIn, Google+, etc.
  • setting up a legitimate-looking news website (which actually just plagiarized content from other news sites) for which the journalists supposedly wrote
  • using the fake profiles to “friend” or contact their targets, and
  • ultimately tricking the contacts into logging into false pages that captured credential information.

It isn’t known how many successful attacks were carried out, but there appear to have been over 2,000 targets since 2011.

What it means for you

One reason this attack may have gone unnoticed is that it essentially took place out of IT’s purview.

Most IT departments won’t get involved with users’ social networking use (nor should they, in many cases). But no matter the vector they use, if hackers can access executives’ information, it can pay off.

The best bet is to preach vigilance on social media. Make sure users:

  • know they should never share information or follow links from people they don’t know
  • don’t use social networks to discuss work matters, and
  • only transfer data using safe means.

Beating spearphishing attempts

While all users are at risk of some attacks, spearphishing attacks always go after the highest-profile targets.

Executives can be some of the hardest users to spread the security message to. They’re usually busy, work both on and off-site and aren’t always the most receptive to being told what to do.

Some keys to get the message across:

  • Let them know they’re important. Explain that due to their high profile and success, they’re going to draw attention from hackers. Offering protection based on their accomplishments will make them more receptive to the message.
  • Connect the dots. Explain that as users with access to sensitive information, C-level users are closely tied to the company’s future and finances. Protecting themselves and protecting the company are one and the same.
  • Make it exclusive. Offer a special training course strictly for managers and executives. This appeals to the group’s special place in the organization and allows you to filter out anything that may be too basic for their needs.