This incident reminds us how easy it is for an organization, even one as secure and well funded as the White House, to get infected, since antivirus is so porous. Luckily for the White House, its team of security specialists was able to find the compromised entity, but doing so is not trivial, and detection usually happens very late, if ever.
While “phishing” is a technique by which hackers mimic sites such as the IRS or your bank in order to lure you into submitting your credentials, “spear phishing” is the targeted technique of identifying an individual in an organization that the hacker wishes to compromise and using different techniques to lure that individual into activating malware on his/her computer, effectively creating the compromised insider.
As you can see below, finding an individual to target is fairly easy in today's social networking world. All a hacker has to do is look for “White House” as the current position and select whichever is pertinent:
There are several known infection methods; the three most common include:
- Email attachment: either an executable in EXE form (less common now) or a PDF with malicious code in it
- Link distribution: a link to an infected site that infects you once you visit it. It can come via email or in any other form.
- A gift: something as simple as a USB drive given at a convention that contains malware
We would encourage you to read our “The Quantum Mechanics of Spear Phishing” blog to become more familiar with how it works.
As we said before, here is what you can do to protect yourself as a company or an individual:
- Assume you've been compromised. For more, read this.
- Treat social network messages as you do your emails. Check who the message is from and understand the context before you choose to reply.
- Make sure that in your social network profiles, you are not sharing your contact information, unless you explicitly approve them.
- As an organization, have the tools to protect your employees from such scams, and a policy in place.
- Education: train employees and raise the level of awareness.
(NOTE: An old Sunday School teacher taught, "repetition is the art of learning." Let's hope that applies to spear phishing.)