The Wall Street Journal reports on a recent hack that shows spear phishing can hit anyone, even the most tech savvy Bitcoin companies. We'll look at how this attack stole tens of thousands from one tech company, but first, let's go over the basic facts about spear phishing.
What Is a Spear Phishing Attack?
A phishing email contains a link (or attachment) that tricks a user into downloading malware, handing over control of their email account, or giving up passwords and logins. A spear phishing email is a more advanced, targeted version of this attack.
Spear phishing emails are usually designed to look like legitimate business correspondence. Cyber criminals glean data from a professional's LinkedIn account, social media, and company website. Then, they customize an email to make it look like it comes from one of the recipient's associates or someone they might know.
Here, Phishy, Phishy! How Spear Phishers Snagged 100 Bitcoins
As we look at this recent Bitcoin spear phishing attack, you should notice two things:
- Spear phishing attacks are growing more sophisticated.
- It's extremely hard to tell a malicious email from legitimate business correspondence.
So how did hackers hit the Bitcoin crowd? These cyber criminals sent out a mass email to a group of Bitcoiners. The email claimed to be from BitFilm Production, a film studio that was making a documentary about cryptocurrency and looking for experts to interview after the Silk Road drug bust.
The email asked for any interested parties to reply – who could turn down the opportunity to be in a movie? After a few users replied, they were sent an email that claimed to contain a link for a Google Doc with questions they would use for the interview. However, when users clicked the link, they gave hackers access to their email and inadvertently compromised their network security.
Hackers used this access to send an email to these users' employees, asking them to transfer 100 Bitcoins to a specific location. When the employees got the email, it looked like it came from their bosses. Sure enough, someone fell for it and transferred 100 Bitcoins into the hands of hackers. How much is 100 Bitcoins? It's worth over $50,000.
How Spear Phishing Attacks Can Trick You
The spear phishing campaign launched against Bitcoiners was sophisticated and successful. How sophisticated? The company "BitFilm Production" is a real film production studio. Cyber criminals simply used their name for the scheme. If recipients Googled "BitFilm Production," they would find the real company's website. Everything would look legit.
This attack provides an excellent example of the kinds of attacks your clients could experience. Other spear phishing campaigns have sent emails that appeared to be from the company's payroll firm. Cyber criminals build campaigns that seem plausible, using real company names and credible reasons for emailing.
How Spear Phishing Campaigns Target Small Businesses
Spear phishing attacks have grown more sophisticated, but let's look at what this means for small businesses. Over the last two years, the percentage of attacks targeting small businesses has increased from 18 to 30 percent (for more on spear phishing trends, see "Re: Your Recent Spear Phishing Attack"). That's an overall increase of 60 percent. In fact, experts expect 1 in 5 small businesses to be targeted by a spear phishing attack.
With the rise of online banking, SaaS, and digital record keeping, small-business owners are just a click away from exposing their companies’ data. Spear phishing attacks are so successful because it only takes one employee clicking on the wrong email to expose information.
As an IT consultant or contractor, you can be liable for your clients’ data security. If you install network and security software that doesn't stop a spear phishing or malware attack, your business can be sued for failing in its professional obligations.
However, Professional Liability Insurance can cover the cost of a data breach or spear phishing lawsuit. This IT insurance pays for lawsuits over security breaches as well as more traditional failures in IT (such as missed deadlines and software defects).
For a free cost estimate on IT insurance, submit an online insurance application.