Spear Phishing Attacks

Cykube
Mar 13, 2021

Interesting times we live in. The world is going digital, and its cyberspace is getting populous. With so much digital engagement involved in today’s communication climate, one needs to be very careful in how they communicate with others and be aware of whom they are communicating with.

No digital body is immune to cyber-attacks. There is almost always something left behind for the attacker to exploit, and sometimes it is the users themselves who are attacked and become the means of exploiting the system.


Most people, when they think of cyber-attacks, think of some kind of technical break-in into a system that exploits a machine vulnerability. What a lot of people ignore is that the user is as much a part of the machine as any other component and hence can be exploited as well.

Attacks that are based on user exploitation come under the social engineering umbrella. Spear phishing is a special type of phishing attack where the target is selected after a hefty amount of research into their position within the organization the attacker wants to exploit. Phishing attacks are very sophisticated, and in many ways they rely more on exploiting the psychology of the victim by establishing communication than on anything else.

A documentary named “The Great Hack” looked into how valuable user data is and, more importantly, how it can be used to push a certain agenda. The documentary pointed out, and rightfully so, that data of any sort should remain confidential. A lot of times, we think the only confidential data we own is our usernames, passwords, credit card numbers, photos, and maybe our personal phone numbers. This is the type of data we protect, and this is the type of data that most personal anti-malware tools will also protect. However, spear phishing attacks do not rely on such data to exploit you, because if the attack is executed correctly, you would provide this data to the attacker yourself.

As I previously mentioned, this is an attack on the victim’s psychology. When researching a particular target, the attacker focuses on mundane data: likes on a particular photo of a friend, the type of candy the victim likes, their travel trips, the company they work for, what position they hold, who is in their social circle, what makes them angry, what their political views are, any social activities they are fond of, and the list goes on. The point is that the data you and I throw away into the public sphere, thinking that it is of no value, can be the cause of our downfall.

One of the biggest examples of a sophisticated spear phishing attack in recent times was the Twitter crypto attack. A member of the company was compromised by a phone-based spear-phishing attack. The attacker was so well versed in the matters of communication being conducted within the company premises that he was able to get the credentials of the system and caused one of the most talked-about crypto scams this year.

Spear phishing attacks are often overlooked because they aren’t “technical” enough. Many cybersecurity professionals can’t put this type of attack in a box that they can then sort out by applying malware analysis or putting up a firewall. Because the attacker is handed the key required to get into the system, and because no suspicious activity is conducted within the system, even detection and prevention tools do not suspect it. The only tried and tested solution available at the moment is user policy and user training. The hiring organization should put in place monthly or quarterly training for its users to teach them how to protect their data and what type of data regarding the company they can put out in public. These policies and training do not eradicate the attack, but they have shown a great decrease in it.

A good company should always invest in its employees because they are the asset that can either make the company blossom or become a liability that can bury it in the ground.


Cykube

A technology company working to help organizations realize the full potential of emerging technologies with a focus on Islamic Fintech.