Cyber criminals are aiming increasingly sophisticated spear-phishing attacks at the personal assistants of senior executives and at public relations staff in their attempts to infiltrate corporate IT systems, according to a new report.
The latest Symantec Internet Security Threat Report singles out personal assistants, people working in the media and senior managers as most at risk of being targeted by a spear-phishing campaign, based on observations in 2013.
Spear-phishing attacks generally consist of an email with an attachment that the unwitting target is likely to open because it purports to be a relevant file such as an invoice, payment advice, document or voicemail message. More than 50 per cent of email attachments used in spear-phishing attacks contained executable files.
Peter Sparkes, Symantec’s director of managed security services in Asia Pacific and Japan, said the findings contradicted a widespread belief that top-level executives were the main targets.
“A lot of people think that these targeted attacks are directed at the CEO or the VP, or other people at that level. In fact our report shows that the personal assistant or PR people are the entry points that criminals are using to get into organisations, because these people are designed to filter information and designed to be quite accessible to the public at large. So it is very important to educate these people.”
He added that such attacks were becoming more sophisticated. “We are seeing a rise in multiple element campaigns, such as the ‘Francophoned’ attack in France. People will get a spear-phishing email followed by a telephone call on the same theme, but just because you receive a telephone call does not mean that the email is real.”
In the Francophoned attack the administrative assistant to a vice-president at a French-based multinational company received a phone call purporting to be from another company vice-president instructing her to process an invoice she had received a few minutes earlier.
However the caller was an imposter and the ‘invoice’ was a remote access trojan (RAT) configured to contact a command-and-control server in Ukraine.
“Using the RAT, the attackers immediately took control of the administrative assistant’s infected computer. They logged keystrokes, viewed the desktop, and browsed and exfiltrated files,” Symantec said.
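The two details above, that most spear-phishing attachments are executables and that the Francophoned "invoice" was a RAT, are the kind of thing a mail gateway can check for before the attachment ever reaches an assistant's inbox. The following is an added example written for this article, not code from Symantec or the report: it parses a raw email, looks at each attachment's declared name and its first bytes, and flags executable extensions, double extensions such as invoice.pdf.exe, and Windows PE content (the "MZ" signature) hiding under a document or audio extension. The sample message, addresses and attachment contents are constructed for the demonstration; the extension lists are assumptions to tune for your environment.

```python
from __future__ import annotations

import email
import os
from email import policy
from email.message import EmailMessage

# File extensions Windows runs directly (assumed list; extend to taste).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".dll", ".cpl"}
# Extensions a lure pretends to be when it uses a double extension (invoice.pdf.exe).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".wav", ".mp3"}
# Lure themes the report lists: invoice, payment advice, document, voicemail.
LURE_WORDS = ("invoice", "payment", "document", "voicemail")
# Windows PE files begin with the DOS "MZ" signature.
PE_MAGIC = b"MZ"


def classify_attachment(filename: str, payload: bytes) -> list[str]:
    """Return the reasons an attachment looks like a disguised executable.

    An empty list means nothing suspicious was found. Both the declared filename
    and the first bytes of the decoded content are checked, so a PE file renamed
    to voicemail.wav is still caught.
    """
    reasons: list[str] = []
    name = (filename or "").lower()
    root, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(root)[1]
    is_pe = payload[:2] == PE_MAGIC

    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        reasons.append(f"double extension {inner_ext}{ext}")
    if is_pe and ext not in EXECUTABLE_EXTS:
        reasons.append(f"PE (MZ) content under non-executable extension {ext or '(none)'}")
    if any(word in name for word in LURE_WORDS) and (is_pe or ext in EXECUTABLE_EXTS):
        reasons.append("lure filename on executable content")
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message; return {filename: reasons} for suspicious attachments only."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, payload)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: one genuine PDF plus two executables dressed up as lures."""
    fake_pe = PE_MAGIC + b"\x90\x00" + b"\x00" * 60  # constructed stand-in for a PE header
    msg = EmailMessage()
    msg["From"] = "vp@example.com"        # assumed sender, as in the Francophoned pretext
    msg["To"] = "assistant@example.com"   # assumed recipient
    msg["Subject"] = "Invoice to process"
    msg.set_content("Please process the attached invoice today.")
    msg.add_attachment(b"%PDF-1.4\n% constructed benign placeholder\n",
                       maintype="application", subtype="pdf", filename="Invoice_0913.pdf")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="Invoice_0913.pdf.exe")
    msg.add_attachment(fake_pe, maintype="audio", subtype="x-wav", filename="voicemail.wav")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run stand-alone, the script flags Invoice_0913.pdf.exe and voicemail.wav and stays silent on the real PDF. The content check matters more than the name check: a gateway that only blocks known executable extensions is beaten by a renamed binary delivered alongside a phone call telling the recipient to open it.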
James Turner, an advisor at IBRS, said organisations should be well aware of the use of indirect channels to gain access to corporate targets.
“[US telco] Verizon a couple of years ago were talking in their data breach report about the appeal of law firms, accounting firms and HR outsourcing firms as inroads to the most senior levels of an organisation.”
Turner said the wide availability of information about senior executives worked in attackers’ favour.
“You can go on to LinkedIn and you can get names and job titles and it is not hard to work out who reports to who.”
Symantec found the sector most targeted for spear-phishing attacks globally was public administration (16 per cent of the total). Services, both professional and non-traditional, came in second and third, accounting for 15 per cent and 14 per cent of attacks respectively. The professional category includes engineering, accounting, legal and health-related services. The non-traditional category includes business, amusement and repair-related services.
In Australia the figures were rather different: professional services accounted for 41 per cent of spear-phishing attacks, followed by non-traditional services at 17.9 per cent. Public administration received only 3.7 per cent of such attacks.