Email on the dark side – Spear Phishing

The need for spear phishing awareness training is demonstrated by the events at US Office of Personnel & Kapersky 

 I think we need to come clean about the purpose of this weeks blog on the subject of Spear Phishing and come right out and admit that it has been written with the intention of gaining your attention and trust, with the ultimate aim of (shock horror) selling you our spear phishing awareness training and other services.

Why do I feel the need to say this, before we get into the main topic of this weeks blog.  Well it’s because the stories we want to draw your attention to this month all probably began with a carefully crafted message.

At this point I will point out that our “carefully crafted” message has been produced with the intention of increasing your awareness of the risks that cyber crime poses both to the individual and business. We know that any effort at tackling Cyber security begins with awareness of the issues. Not in a scary technical way. Just the basics of why, what and how.


There have been two major stories this month, one hacking and the other a combination of hacking and the use of advanced spyware known as Ducu 2.0.

Both Kapersky the Russian security software specialist and the American Government have suffered major breaches. In the case of the American Government the breach resulted in millions of employee records being stolen, these records are now being sold on the dark Internet presumably for the purposes of identity theft.

The Kapersky breach was in all probability espionage as the tools used in the breach were state of the art and probably the product of a spy agency, fingers are being pointed at Israeli Intelligence but who knows. (I will be publishing blogs covering both breaches in more detail next week).

The thing that both breaches have in common is they probably came about as the result of what is known as a Spear Phishing attack, where email carrying a carefully crafted and targeted message (yes probably even better than this one) are directed at an individual or individuals in an organisation.

Because the email comes from someone or an organisation (possibly posing as internal mail) they trust and contains information on a subject that is of current interest and because the criminals have already been researching the victim to find out what they are interested in.

Because the victim believes in the validity of the sender and the message they make a single simple mistake. Almost certainly in each case the carefully crafted (Spear Phishing) email was received by the carefully targeted victim and they opened it and possibly followed a link. Unfortunately from that point on they have unleashed a series of events that eventually will lead to a full- fledged breach.

So what can I as a business owner do to protect myself against these threats?

The first thing we would recommend is that you look at the way you are dealing with SPAM; Probably you haven’t thought much about it and have gone for the default position which is to use the filtering built in to Microsoft Outlook or whichever mail client you presently use. You may even be using something slightly more sophisticated that came with your Antivirus software and if you are lucky this will result in at least some Spam being automatically removed.
Most likely you have never put any real thought into it.

Well luckily for you, we have. Our conclusion is that the best option in almost all cases, is to deal with Spam before it even reaches your desktop. Using highly sophisticated cloud technology that results in most of the Spam around 98% being removed before it ever reaches you. Even the dangerous stuff.

So now you have more time to deal with the messages you need to deal with and less time deleting the dross.

Consider spear phishing awareness training for your staff.
Spear Phishing is something we all need to be aware of, when someone of the sophistication of Kapersky fall victim it is an indicator that we all need to be on our guard.

Protecting your customers data and your companies own assets is vital, as it is central to what you do.

This is why you need IT Security to be part of the responsibility of every employee. Basics of IT Security & Spear Phishing awareness training need to become intrinsic to your company operations.

Gary Johnston
IT Security Product Director
Tamite Secure.IT

Speak Your Mind