The cyber-attack on Anthem Inc., which the health insurer says may have started with a spear-phishing campaign targeting five of its employees, is a warning sign of the kinds of sophisticated schemes that will be common in the year ahead, says Dave Jevans, co-founder of the Anti-Phishing Working Group.
"The Anthem breach [if a result of phishing] is emblematic of what we see in the evolution of attacks against companies and their employees," Jevans says in an interview with Information Security Media Group.
A growing number of cyber-attacks, including the breach of JPMorgan Chase, have originated with spear-phishing campaigns that target a small number of employees who have access to data systems and services housing sensitive customer information, Jevans says.
"It's highlighting a fundamental change we're seeing in the phishing landscape," Jevans says. "There's a big decrease, almost 25 percent, in phishing against just broad-base consumers. ... The real risk here is an increase in the attacks against [a handful of] employees ... and using that as a jumping-off point to get into the enterprise, break in and then steal data, breach systems, and spread out to vendors that are connected to the enterprise."
He notes that the JPMorgan Chase breach started with spear phishing that "targeted one employee in the IT department, who was tricked into giving out their password to a vulnerable machine inside the network. The hackers jumped in from there and compromised records. The most sophisticated attacks are waged against very small numbers of employees - we find, typically, less than six." By targeting only a handful of employees, the attackers decrease the odds that their scheme will be detected, Jevans says.
A Shift to Mobile
As spear-phishing campaigns become more common this year as the opening move in major cyber-attacks, attackers will increasingly target employees through their mobile devices, where detection systems are less mature, Jevans predicts. For example, an attacker may send a text message asking employees to update a virtual private network profile.
"Today, detection methods are not in place [for SMS/text], so you can't tell when someone's been phished on their mobile phone," Jevans adds. "We will see in 2015, with many major breaches, that the forensic evidence is going to come back to the use of mobile devices involved in that initial kill chain of attack inside the company."
Stronger, multifactor authentication for employee access to sensitive data, systems and servers should be in place to limit the damage when an employee's credentials are compromised, Jevans stresses. But he says organizations should focus more attention on preventing phishing attacks from succeeding in the first place.
"In my view, there is no credible reason why anybody internal to the company should receive e-mails claiming to be from the company with 'from' addresses that were sent from an external server," he says. "The use of SPF [sender policy framework] ... on your e-mail server, so that all outgoing e-mail is authenticated and also all inbound e-mail is authenticated and checked, particularly from your own domain, should be in place."
Also discussed during this interview:
- Why top-level domain names, such as .bank, are likely to fuel more phishing campaigns rather than curb them;
- How DMARC (Domain-based Message Authentication, Reporting & Conformance) is helping businesses block suspicious e-mails through enhanced e-mail authentication, before they ever hit inboxes; and
- Why employee education related to phishing must be ongoing and consistent.
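To make the SPF and DMARC points above concrete, here is an added example (not from the article, ISMG or the Anti-Phishing Working Group) of how a receiving mail server decides whether a message claiming to come from the corporate domain actually left one of that domain's authorized servers. The domain example.com, its hypothetical mail provider _spf.mailprovider.example, the DNS TXT records and all IP addresses are constructed stand-ins for real DNS lookups; the DMARC evaluation is simplified to SPF-only (no DKIM), and organizational-domain matching uses the last two labels rather than the Public Suffix List.

```python
"""Simplified SPF evaluation and DMARC (SPF-based) alignment check.

Constructed example: DNS_TXT stands in for a live resolver, and the
IP addresses come from documentation ranges (RFC 5737 / RFC 3849).
DKIM is not modelled; a real DMARC verifier accepts on either an
aligned SPF pass or an aligned DKIM pass.
"""
import ipaddress
from email.utils import parseaddr

# Constructed DNS TXT records (not real domains or policies).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "bounce.example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate the SPF record of `domain` for the connecting `client_ip`.

    Supports ip4, ip6, include and all; returns pass/fail/softfail/neutral,
    'none' when no record exists, or 'permerror' on runaway include chains.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying terms; guard recursion
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif mech == "include":
            # include matches only when the referenced record yields 'pass'
            if check_spf(arg, client_ip, depth + 1) == "pass":
                return QUALIFIERS[qual]
        # a, mx and exists mechanisms need live DNS and are omitted here
    return "neutral"  # no mechanism matched and no explicit 'all'


def parse_dmarc(domain):
    """Return the DMARC tags published at _dmarc.<domain>, or None."""
    record = DNS_TXT.get("_dmarc." + domain.lower())
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_disposition(from_header, mail_from_domain, client_ip):
    """Decide what to do with a message based on its RFC5322.From header,
    its envelope MAIL FROM domain and the connecting IP.

    Returns (disposition, reason) where disposition is 'accept', 'none',
    'quarantine' or 'reject'.
    """
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()
    policy = parse_dmarc(from_domain) or parse_dmarc(org_domain(from_domain))
    if policy is None:
        return ("none", "no DMARC policy published for " + from_domain)
    spf_result = check_spf(mail_from_domain, client_ip)
    if policy.get("aspf", "r") == "s":      # strict: exact domain match
        aligned = mail_from_domain.lower() == from_domain
    else:                                   # relaxed: same org domain
        aligned = org_domain(mail_from_domain) == org_domain(from_domain)
    if spf_result == "pass" and aligned:
        return ("accept", "aligned SPF pass")
    return (policy.get("p", "none"), "spf=%s aligned=%s" % (spf_result, aligned))


if __name__ == "__main__":
    # Legitimate mail from the corporate range, and from the mail provider.
    print(dmarc_disposition("HR <hr@example.com>", "example.com", "192.0.2.10"))
    print(dmarc_disposition("HR <hr@example.com>", "example.com", "198.51.100.5"))
    # Spoofed 'From' sent from an external server: SPF fails, p=reject applies.
    print(dmarc_disposition("CEO <ceo@example.com>", "example.com", "203.0.113.7"))
    # Spoofed 'From' with the attacker's own bounce domain: not aligned.
    print(dmarc_disposition("CEO <ceo@example.com>", "attacker.example", "203.0.113.7"))
```

The last check in the block shows the operational caveat that bites real deployments: with `aspf=s`, a legitimate message whose bounce address lives on a subdomain such as bounce.example.com fails alignment even though its SPF check passes, so strict alignment has to be rolled out only after the reporting feeds (`rua=`) confirm which return-path domains the company actually uses.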
Jevans, who serves as chairman of the Anti-Phishing Working Group, is also founder and chief technology officer of mobile security firm Marble Security. His career in Internet security spans more than 20 years, having held senior management positions at Tumbleweed Communications, Valicert, Teros, Differential and Iron Key. Serving on the CEO's technology council at Apple Computer, Jevans helped to develop the company's Internet strategy.