July 16, 2020

Targeted Spear Phishing

Written by Zach Sherf

Bitcoin Billionaires

What’s one thing that Bill Gates, Barack Obama, and Kim Kardashian have in common? They all want to give you free bitcoin on Twitter! Jokes aside, we can all agree that they are high-profile names with large teams behind them. If you haven’t yet seen it in the news cycle, the Twitter accounts of major companies and individuals have been compromised in one of the most widespread and confounding hacks the platform has ever seen.

It may seem obvious that these individuals’ platforms were targets for malicious behavior. They have public recognition, massive reach, and in some cases a cult-like following (I’m looking at you, Elon). However, the actual target of this attack may have been someone without a blue check for verification or several million followers.

Given how opaque big tech tends to be about the root cause of breaches, it’s difficult to know with certainty where the point of failure existed and how it was exploited. With that being said, this is a huge opportunity to explore how this could happen and why small and medium-sized businesses are just as vulnerable as Twitter itself, if not more so.

The angle of attack

So what happened? Several large publications have theorized that a Twitter staff member was the target of an organized attack to gain access to Twitter’s internal systems. Why an anonymous staff member? Because they may have more access and less scrutiny than you would think.

Let’s say you are using Twitter and you get locked out of your account and need to contact support. It’s a reasonable assumption that someone on the Twitter support team, working at a help-desk role, has a “Control Panel” of sorts. Different tiers may have different levels of access, but in many companies the “principle of least privilege”, the idea that teams only have the level of access they absolutely need to do their job, is used more as a guideline than as law.

Now let’s step into the shoes of the attacker. You, the attacker, want access to that “control panel” and you’ve identified a target who has access. Now let’s say that you, the attacker, find out this support team member’s email, knowing what level of access he has, and specifically target him with a customized email that lures him to give his credentials and enough other information that allows you to gain access to one of his other, maybe even personal, systems or workstations. With some background knowledge, technology skill, and a little bit of faith in the fallibility of human nature, you gain access to that control panel. You have identified, baited, and speared your target, and that is a spear phishing attack.

When “Good Enough” security isn’t enough

If the story above sounds even remotely plausible, you may be asking why, and whether it could happen to you or, more likely, to someone on your team. Why didn’t a spam or general phishing filter protect against this attack?

Though the scenario I laid out above is an oversimplification to help communicate the concept of spear phishing attacks, in some cases they are that simple. Generally configured spam and phishing filters are based on “definitions”, or templates, of what spam looks like. Since many spear phishing attacks are directly targeted, using more organizational insight than a generalized phishing attempt, the attack may slip past the filters because it looks, both to the computers and to us, like a legitimate request.
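An added illustration of the point above (not code from this article or from any vendor product): a template-style filter catches a bulk scam by its wording but passes a tailored message, while checks on sender context still flag it. The domain `corp.example`, the phrase list, and both messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "corp.example"  # assumed: the defender's own mail domain
# Constructed "definitions" of the kind a template-based filter matches on.
SIGNATURES = [r"free bitcoin", r"verify your account", r"click here immediately"]

def signature_filter(msg):
    """Template filter: flags a message only if its wording matches a known phrase."""
    body = msg.get_payload().lower()
    return any(re.search(p, body) for p in SIGNATURES)

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss copies of ORG_DOMAIN."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def context_checks(msg):
    """Checks on who is writing rather than on what the text says."""
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if from_dom != ORG_DOMAIN and edit_distance(from_dom, ORG_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    return findings

# Both messages are constructed samples.
BULK = message_from_string(
    "From: Promo <promo@giveaway.test>\nSubject: Giveaway\n\n"
    "Send 1 BTC and get free bitcoin back. Click here immediately.\n")
TARGETED = message_from_string(
    "From: IT Support <it-support@c0rp.example>\n"
    "Reply-To: helpdesk@mail.test\nSubject: Re: ticket 4471\n\n"
    "Hi Sam, following up on this morning's ticket. Can you confirm the\n"
    "admin panel session settings before the 3pm change window?\n")

if __name__ == "__main__":
    for name, m in (("bulk", BULK), ("targeted", TARGETED)):
        print(name, signature_filter(m), context_checks(m))
```

Neither check is sufficient alone; a message sent from a genuinely compromised internal mailbox would pass both, which is why the layered approach described next matters.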

You simply cannot rely on a single system to protect you from a modern threat vector. This is where IT security comes into play. Security isn’t a one-size-fits-all thing. It’s a methodology and a strategy that holistically weighs risks, productivity, and user experience, then implements procedures, policies, and tools to mitigate risk.

Applying these lessons to your business

How can you be sure that you are properly mitigating risk? In the scenario above, that means applying an SSO such as OneLogin with identity access management, 2-factor enforcement that excludes SMS, and intelligent spear phishing prevention such as IronScales.

Seem overwhelming? We can help make it simple for you – Interlaced has been partnering with small businesses who have a cloud-first approach for over a decade. Reach out to us to get a conversation started: sales@interlaced.io

Zach Sherf

Zach is a data privacy evangelist and Apple fanatic. As Director of Cybersecurity, he works with both internal and external teams to drive the dialog around the ever-evolving relationship between people, security, and technology.